Date: Fri, 4 Nov 2016 12:48:55 +0100
From: Robert Scheck <robert@...oraproject.org>
To: Daniel Stenberg <daniel@...x.se>
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On Fri, 04 Nov 2016, Daniel Stenberg wrote:
> DENIC allegedly has rules that should prevent separate registrations like
> in the straße.de case. Still it seems that this particular host name is
> registered by two different entities unless there's some background juggling
> that we can't easily see from the outside.

It is possible (and also allowed by DENIC) that e.g. "straße.de" and
"strasse.de" have two different domain owners. I performed at least one
registration for a customer for a "ß"-domain after the "ß" sunrise period
was over, where the "ß"-domain owner is not the owner of the corresponding
"ss"-domain. Not sure which rules you refer to, but except for the
"ß"-sunrise period in 2010, I'm able to register "ß"-domains on a first
come, first served basis at DENIC.

The DENIC FAQ (https://www.denic.de/en/faqs/faqs-about-idns-ss/) also
mentions that e.g. "mueller.de" and "müller.de" are two completely different
domain names (even though "ue" is the German transcription of "ü") - and
here the argumentation is that "bauer.de" is not the same as "baür.de"
(which is from the non-technical perspective of a German native speaker
obviously true). From my understanding, the argumentation here is non-IDNA
mueller.de vs. IDNA2003 müller.de, while now it is IDNA2003 strasse.de vs.
IDNA2008 straße.de - which might be slightly different, because it's a
switch of the IDNA version rather than the introduction.

For those who didn't notice, Florian also started a German thread on the
public DENIC mailing list (https://www.denic.de/en/service/mailing-lists/)
about exactly this topic (I'm not sure if there is a public archive).

Greetings,
  Robert
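As an added example (not from this mail, the thread, or the curl project), the following Python shows the ASCII host name each IDNA version derives from the names discussed above, and flags names where the two versions disagree; the IDNA2008 path is a simplified per-label punycode conversion, not the full RFC 5891 rule set.

```python
# Added example: compare the ASCII host a client resolves under IDNA2003
# versus IDNA2008. Standard library only; the IDNA2008 side is simplified
# (no Bidi/contextual/disallowed-code-point checks), so for real clients
# use a full IDNA2008 implementation such as the 'idna' PyPI package.
import unicodedata


def to_ascii_idna2003(host: str) -> str:
    """IDNA2003 (RFC 3490): Python's built-in 'idna' codec runs nameprep,
    which maps U+00DF 'ß' to 'ss' before any punycode step. That is why
    straße.de becomes plain strasse.de with no xn-- label."""
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008(host: str) -> str:
    """IDNA2008 (RFC 5890/5891): 'ß' is protocol-valid and is kept, so the
    label is NFC-normalised, lower-cased and punycode-encoded as-is."""
    labels = []
    for label in unicodedata.normalize("NFC", host.lower()).split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_versions_disagree(host: str) -> bool:
    """True when the two IDNA versions resolve different ASCII names, i.e.
    the user may reach a different registrant depending on which IDNA
    version the client library implements."""
    return to_ascii_idna2003(host) != to_ascii_idna2008(host)


if __name__ == "__main__":
    # Constructed sample hosts taken from the names discussed in the thread.
    for name in ("straße.de", "müller.de", "mueller.de"):
        print(name, to_ascii_idna2003(name), to_ascii_idna2008(name),
              "DISAGREE" if idna_versions_disagree(name) else "same")
```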