This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On 11/08/2016 04:27 PM, Zack Weinberg wrote:
I just saw something go by about security problems with blindly applying IDNA-2008 without additional input validation, too. Can't find it right now. cc:ing the libidn(2) maintainer.
The upgrade to IDNA-2008 changes name resolution for some domains because registries did not handle the transition in a seamless manner. It also enables new homograph attacks (but I tend to discount those as irrelevant).
Disabling IDNA does not have this problem anymore because I don't think there is a registry which allows registration of non-ASCII names (e.g., labels of the form \195\164\195\182\195\188 instead of xn--4ca0bs).
What should we do to improve this situation? I would really like to remove AI_IDN, but this is likely not an option.

I also rather like the idea of dropping AI_IDN. As a data point, https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion lines of code from 7,000,000 projects" - and at least half of those appear to be implementations and library wrappers.

There is traceroute …

If the consensus is that we want to get rid of AI_IDN, I'll happily prepare a patch (and use it in Fedora).
Thanks, Florian
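
The two label forms mentioned in the message, the raw UTF-8 octets `\195\164\195\182\195\188` and the ACE form `xn--4ca0bs`, shown side by side as an added example that is not part of the original message or of glibc. The function names and the `.example` names are constructed for illustration, and the conversion is plain Punycode from Python's built-in codec, with no IDNA-2003 or IDNA-2008 mapping or validation.

```python
import re

# Constructed sample names using the two label forms quoted in the message.
RAW_FORM = r"\195\164\195\182\195\188.example"
ACE_FORM = "xn--4ca0bs.example"

_ESCAPE = re.compile(rb"\\(\d{3}|.)", re.DOTALL)

def split_labels(name):
    """Split a DNS presentation-format name into raw label octets,
    decoding \\DDD (decimal octet) and \\X (literal character) escapes."""
    data, labels, current, i = name.encode("ascii"), [], bytearray(), 0
    while i < len(data):
        if data[i:i + 1] == b"\\":
            m = _ESCAPE.match(data, i)
            if m is None:
                raise ValueError("dangling backslash")
            tok = m.group(1)
            octet = int(tok) if len(tok) == 3 else tok[0]
            if octet > 255:
                raise ValueError("escape out of range")
            current.append(octet)
            i = m.end()
        elif data[i:i + 1] == b".":      # unescaped dot ends the label
            labels.append(bytes(current))
            current = bytearray()
            i += 1
        else:
            current.append(data[i])
            i += 1
    if current:
        labels.append(bytes(current))
    return labels

def classify(label):
    """Return (kind, ASCII form) for one label's octets."""
    if all(b < 0x80 for b in label):
        kind = "a-label" if label[:4].lower() == b"xn--" else "ascii"
        return kind, label.decode("ascii")
    try:
        text = label.decode("utf-8")
    except UnicodeDecodeError:
        return "raw-8bit", None          # not UTF-8, no ACE equivalent
    # Plain Punycode only: no IDNA-2003/2008 mapping or validation here.
    return "raw-utf8", "xn--" + text.encode("punycode").decode("ascii")

def analyse(name):
    return [classify(label) for label in split_labels(name)]
```

A resolver that does no IDNA processing sends the `raw-utf8` octets on the wire unchanged, so the two sample names are different names in the DNS even though they display the same.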