public inbox for libc-alpha@sourceware.org
From: Florian Weimer <fweimer@redhat.com>
To: Zack Weinberg <zackw@panix.com>, Simon Josefsson <simon@josefsson.org>
Cc: GNU C Library <libc-alpha@sourceware.org>
Subject: Re: What to do about libidn?
Date: Tue, 08 Nov 2016 15:59:00 -0000
Message-ID: <d030d999-cc0b-3ca5-9774-95e03007c2fa@redhat.com>
In-Reply-To: <CAKCAbMh0vAYKetC9xArQyaq-mEbDQ3a3roHdYf3QE0X+ffLxmw@mail.gmail.com>

On 11/08/2016 04:27 PM, Zack Weinberg wrote:

> I just saw something go by about security problems with blindly
> applying IDNA-2008 without additional input validation, too. Can't
> find it right now.  cc:ing the libidn(2) maintainer.

The upgrade to IDNA-2008 changes name resolution for some domains 
because registries did not handle the transition in a seamless manner. 
It also enables new homograph attacks (but I tend to discount those as 
irrelevant).

Disabling IDNA does not have this problem anymore because I don't think 
there is a registry which allows registration of non-ASCII names (e.g., 
labels of the form \195\164\195\182\195\188 instead of xn--4ca0bs).

>> What should we do to improve this situation?  I would really like to remove
>> AI_IDN, but this is likely not an option.
>
> I also rather like the idea of dropping AI_IDN.  As a data point,
> https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion
> lines of code from 7,000,000 projects" - and at least half of those
> appear to be implementations and library wrappers.

There is traceroute …

If the consensus is that we want to get rid of AI_IDN, I'll happily 
prepare a patch (and use it in Fedora).

Thanks,
Florian
