Message-ID: <20161102135241.20a8c3c4@pc1>
Date: Wed, 2 Nov 2016 13:52:41 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On Wed, 2 Nov 2016 12:53:04 +0100
Robert Scheck <robert@...oraproject.org> wrote:

> On the other hand, I am wondering if this should be really classified
> as a security related issue.

Ambiguity in character encodings can often be a source of security
issues.

Just think of the following:
* A Certificate Authority is using different pieces of software that
  mix different IDNA encodings.
* I request a certificate for strasse.de, but the verification mail
  goes to xn--strae-oqa.de.
* I am the owner of xn--strae-oqa.de and now have a valid certificate
  for strasse.de.

IMHO the whole idea of suddenly changing how international domain names
are encoded is a very problematic security violation.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
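
The certificate-issuance scenario above, as an added example that is not part of the original message: Python's built-in `idna` codec implements IDNA 2003, whose Nameprep step maps ß to "ss", while raw Punycode of the unmapped label (used here as a stand-in for the IDNA 2008 result; the full IDNA 2008 validity rules are not implemented) keeps ß and yields xn--strae-oqa. The final check is the kind a CA or validation pipeline could run to flag names that the two encodings would send to different hosts.

```python
import unicodedata


def idna2003_ascii(host: str) -> str:
    """ASCII form under IDNA 2003, via Python's built-in 'idna' codec.

    Nameprep case-folds U+00DF (sharp s) to "ss", so straße.de becomes
    strasse.de, a completely different registrable name.
    """
    return host.encode("idna").decode("ascii")


def punycode_no_mapping(host: str) -> str:
    """Label-by-label Punycode with an xn-- prefix and no Nameprep mapping.

    Assumption: this approximates how IDNA 2008 encodes the label; it skips
    IDNA 2008's validity checks and only NFC-normalises and lowercases.
    ß survives untouched, so straße.de becomes xn--strae-oqa.de.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def encoding_is_ambiguous(host: str) -> bool:
    """True when the two encodings name different ASCII hosts.

    A name for which this returns True is exactly the case in the thread:
    a verification step using one IDNA flavour and a delivery step using
    the other can end up contacting different owners.
    """
    return idna2003_ascii(host) != punycode_no_mapping(host)


if __name__ == "__main__":
    # Constructed sample: the name from the thread plus two unambiguous ones.
    for name in ("straße.de", "strasse.de", "example.com"):
        print(name, idna2003_ascii(name), punycode_no_mapping(name),
              "AMBIGUOUS" if encoding_is_ambiguous(name) else "ok")
```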