From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 75664 invoked by alias); 9 Nov 2016 07:53:59 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Received: (qmail 75561 invoked by uid 89); 9 Nov 2016 07:53:58 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-4.8 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=Hx-languages-length:1620, discount, ancient, billion X-HELO: mx1.redhat.com Subject: Re: What to do about libidn? To: libc-alpha@sourceware.org References: <44cead16-9db0-a4c0-82cd-1f6178260ed7@redhat.com> From: Petr Spacek Message-ID: Date: Wed, 09 Nov 2016 07:53:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-SW-Source: 2016-11/txt/msg00316.txt.bz2 On 8.11.2016 16:59, Florian Weimer wrote: > On 11/08/2016 04:27 PM, Zack Weinberg wrote: > >> I just saw something go by about security problems with blindly >> applying IDNA-2008 without additional input validation, too. Can't >> find it right now. cc:ing the libidn(2) maintainer. > > The upgrade to IDNA-2008 changes name resolution for some domains because > registries did not handle the transition in a seamless manner. It also enables > new homograph attacks (but I tend to discount those as irrelevant). > > Disabling IDNA does not have this problem anymore because I don't think there > is a registry which allows registration of non-ASCII name (e.g., labels of the > form \195\164\195\182\195\188 instead of xn--4ca0bs). > >>> What should we do to improve this situation? I would really like to remove >>> AI_IDN, but this is likely not an option. >> >> I also rather like the idea of dropping AI_IDN. As a data point, >> https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion >> lines of code from 7,000,000 projects" - and at least half of those >> appear to be implementations and library wrappers. > > There is traceroute … > > If we the consensus is that we want to get rid of AI_IDN, I'll happily prepare > a patch (and use it in Fedora). Personally I would agree to removing AI_IDN. The more we remove the better: It will be incentive for applications to use something more modern than DNS resolution layer from libc, which is really ancient and lacks modern functionality (DNSSEC validation and error reporting, for instance). -- Petr Spacek @ Red Hat