From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Subject: Re: What to do about libidn?
To: Zack Weinberg, Simon Josefsson
Cc: GNU C Library
From: Florian Weimer
References: <44cead16-9db0-a4c0-82cd-1f6178260ed7@redhat.com>
Date: Tue, 08 Nov 2016 15:59:00 -0000
X-SW-Source: 2016-11/txt/msg00273.txt.bz2

On 11/08/2016 04:27 PM, Zack Weinberg wrote:
> I just saw something go by about security problems with blindly
> applying IDNA-2008 without additional input validation, too. Can't
> find it right now.

cc:ing the libidn(2) maintainer.

The upgrade to IDNA-2008 changes name resolution for some domains because registries did not handle the transition in a seamless manner. It also enables new homograph attacks (but I tend to discount those as irrelevant).

Disabling IDNA does not have this problem anymore because I don't think there is a registry which allows registration of non-ASCII names (e.g., labels of the form \195\164\195\182\195\188 instead of xn--4ca0bs).

>> What should we do to improve this situation? I would really like to remove
>> AI_IDN, but this is likely not an option.
>
> I also rather like the idea of dropping AI_IDN. As a data point,
> https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion
> lines of code from 7,000,000 projects" - and at least half of those
> appear to be implementations and library wrappers. There is traceroute …

If the consensus is that we want to get rid of AI_IDN, I'll happily prepare a patch (and use it in Fedora).

Thanks,
Florian
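The transition problem discussed in this message, as an added example that is not part of the thread and not glibc or libidn code: it shows the three forms a non-ASCII label can take (raw UTF-8 bytes in the \NNN notation used above, the IDNA-2003 A-label, and the IDNA-2008 A-label) and flags names for which the two IDNA versions would look up different domains. Python's standard `idna` codec implements IDNA 2003 (RFC 3490/3491, nameprep then punycode). For the IDNA-2008 side the block assumes a simplified conversion that applies no mapping and punycode-encodes each non-ASCII label as given; a real IDNA-2008 library such as libidn2 also validates every code point against the RFC 5892 tables, which this shortcut skips. The sample hostnames are constructed, not registered domains.

```python
"""Added example (not from the thread): what an AI_IDN-style conversion
does to a hostname, and where IDNA-2003 and IDNA-2008 produce different
A-labels for the same user-visible name."""


def has_non_ascii_label(host: str) -> bool:
    """True if any label still contains raw non-ASCII characters, i.e. the
    form a resolver without IDN conversion would put on the wire."""
    return any(ord(ch) > 0x7F for ch in host)


def as_decimal_escapes(label: str) -> str:
    """Render a label's UTF-8 bytes in the \\NNN notation used in the mail."""
    return "".join("\\%d" % b for b in label.encode("utf-8"))


def to_alabel_idna2003(host: str) -> str:
    """A-label form via Python's 'idna' codec, which implements IDNA 2003
    (RFC 3490/3491): nameprep mapping (e.g. U+00DF -> 'ss'), then
    punycode per label."""
    return host.encode("idna").decode("ascii")


def to_alabel_idna2008_like(host: str) -> str:
    """Assumption: a simplified IDNA-2008 conversion that applies no
    mapping and punycode-encodes each non-ASCII label as given. A real
    IDNA-2008 implementation also checks each code point against the
    RFC 5892 tables; the shortcut holds for the code points used below
    (U+00DF is PVALID under RFC 5892)."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def transition_sensitive(host: str) -> bool:
    """True when the two IDNA versions yield different A-labels, so the
    name actually resolved depends on which version the resolver applies.
    This is the registry transition issue described in the mail."""
    return to_alabel_idna2003(host) != to_alabel_idna2008_like(host)


if __name__ == "__main__":
    # Constructed sample names, not registered domains.
    for host in ("äöü.example", "faß.example", "example.com"):
        print(host,
              "raw:", has_non_ascii_label(host),
              "2003:", to_alabel_idna2003(host),
              "2008:", to_alabel_idna2008_like(host),
              "differs:", transition_sensitive(host))
```

The first sample reproduces the xn--4ca0bs label quoted in the mail under both versions, so it is unaffected by the transition; the second ("faß") becomes fass.example under IDNA-2003 but xn--fa-hia.example under IDNA-2008, which is exactly the kind of name whose resolution changes when a resolver switches versions.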