This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: What to do about libidn?


On 11/08/2016 04:27 PM, Zack Weinberg wrote:

I just saw something go by about security problems with blindly
applying IDNA-2008 without additional input validation, too. Can't
find it right now.  cc:ing the libidn(2) maintainer.

The upgrade to IDNA-2008 changes name resolution for some domains because registries did not handle the transition in a seamless manner. It also enables new homograph attacks (but I tend to discount those as irrelevant).

Disabling IDNA does not have this problem anymore because I don't think there is a registry which allows registration of non-ASCII names (e.g., labels of the form \195\164\195\182\195\188 instead of xn--4ca0bs).

What should we do to improve this situation?  I would really like to remove
AI_IDN, but this is likely not an option.

I also rather like the idea of dropping AI_IDN.  As a data point,
https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion
lines of code from 7,000,000 projects" - and at least half of those
appear to be implementations and library wrappers.

There is traceroute …

If the consensus is that we want to get rid of AI_IDN, I'll happily prepare a patch (and use it in Fedora).

Thanks,
Florian
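Added example, not part of the thread or of glibc: the two label forms Florian contrasts (raw UTF-8 bytes vs. the xn-- form), converted with Python's stdlib idna codec, plus the two checks a caller would have to do itself once AI_IDN is gone. The helper names are hypothetical, and the stdlib codec implements IDNA 2003 (the same generation as libidn), not IDNA 2008.

```python
import unicodedata

# Constructed sample taken from the thread: \195\164\195\182\195\188 is how
# glibc prints the UTF-8 bytes of the label "äöü" with decimal escapes.
RAW_LABEL_BYTES = bytes([195, 164, 195, 182, 195, 188])


def to_ace(hostname: str) -> str:
    """Convert each U-label of a hostname to its ASCII-compatible (xn--) form.
    The stdlib "idna" codec applies nameprep + punycode (IDNA 2003)."""
    return ".".join(label.encode("idna").decode("ascii")
                    for label in hostname.split("."))


def sent_unconverted(hostname: str) -> bool:
    """True if a resolver call without AI_IDN would put raw non-ASCII bytes
    on the wire; no registry-side xn-- registration matches such a label."""
    return not hostname.isascii()


def _script_of(ch: str) -> str:
    """Heuristic script classification: first word of the Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("DIGIT") or ch == "-":
        return "COMMON"
    return name.split(" ")[0]


def mixed_script_labels(hostname: str) -> list:
    """Labels whose letters come from more than one script (Latin + Cyrillic,
    say): the simplest signal for the homograph risk mentioned in the thread."""
    out = []
    for label in hostname.split("."):
        scripts = {_script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            out.append(label)
    return out


if __name__ == "__main__":
    label = RAW_LABEL_BYTES.decode("utf-8")
    print(label, "->", to_ace(label))                 # äöü -> xn--4ca0bs
    print(to_ace("www.äöü.example"))                  # www.xn--4ca0bs.example
    print(sent_unconverted(label), sent_unconverted(to_ace(label)))
    print(mixed_script_labels("p\u0430ypal.example"))  # Cyrillic "а" inside Latin
```

The mixed-script check is a defender's triage heuristic only; a full homograph policy needs the Unicode script property and confusables data rather than name prefixes.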

