Message-ID: <alpine.DEB.2.20.1611040816000.375@tvnag.unkk.fr>
Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>
To: cve-assign@...re.org
cc: robert@...oraproject.org, oss-security@...ts.openwall.com
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On Fri, 4 Nov 2016, cve-assign@...re.org wrote:

> In some situations, this would be a site-specific problem at a registry. 
> Although domain names can have a variety of uses of '-' characters, the 
> presence of a '-' as both the third character and the fourth character is 
> often recognized as a special case. Trying to specify xn--strae-oqa.de 
> directly when seeking a registration is very different from trying to 
> specify (for example) x--strae-oqa.de or xn-strae-oqa.de.

DENIC allegedly has rules that should prevent separate registrations like in 
the straße.de case. Still it seems that this particular host name is 
registered by two different entities unless there's some background juggling 
that we can't easily see from the outside.

Those policies are obviously not flawless and now we end up in a situation 
where clients implementing different IDNA standards will end up on different 
servers. I suppose both can also get separate HTTPS certificates by simply 
using the punycode-encoded versions of their domain names when asking for them.

In addition to the IDNA confusion, I also learned that libidn2 doesn't do the 
necessary checks so just switching to that as we did in the curl patch for the 
advisory we're discussing here, is an insufficient and inferior fix for this 
problem. We need a bigger take.

One. Big. Mess.

I've suggested that curl users simply *disable* IDN completely in their builds 
now until we get something better done. To reduce the risk. There's no 
schedule or plan yet for when "something better" might be ready. I'll admit my 
energy level for this crap is very low.

-- 

  / daniel.haxx.se
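The divergence described in the message above, as an added example that is not part of the thread or of curl's code: it compares the IDNA 2003 form (Python's stdlib `idna` codec, whose nameprep step maps ß to "ss") with an approximate IDNA 2008 form (NFC plus punycode of each non-ASCII label, without IDNA 2008's full validity checks; that simplification is an assumption of this example), so a defender can flag host names that clients using different IDNA standards would resolve to different servers.

```python
import unicodedata


def idna2003_host(host: str) -> str:
    """IDNA 2003 form via the stdlib codec (nameprep maps U+00DF to 'ss')."""
    return host.encode("idna").decode("ascii")


def idna2008_host(host: str) -> str:
    """Approximate IDNA 2008 form: NFC-normalise, lowercase (no case
    folding, so ß survives), punycode any non-ASCII label with the
    'xn--' ACE prefix.  Assumed simplification: no IDNA 2008 validity
    checks (contextual rules, disallowed code points) are applied."""
    labels = []
    for label in host.split("."):
        label = unicodedata.normalize("NFC", label.lower())
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_divergence(host: str):
    """Return None when both encodings agree, otherwise the pair
    (idna2003_form, idna2008_form) that would send clients to
    different registrations of the 'same' name."""
    old, new = idna2003_host(host), idna2008_host(host)
    return None if old == new else (old, new)


def flag_divergent_hosts(hosts):
    """Defender-side check over a list of host names (constructed input
    below): yield only those where IDNA 2003 and IDNA 2008 disagree."""
    return {h: d for h in hosts if (d := idna_divergence(h)) is not None}


if __name__ == "__main__":
    # Constructed sample: the straße.de case from the advisory plus two
    # names that encode identically under both standards.
    sample = ["straße.de", "bücher.de", "example.com"]
    for host, (old, new) in flag_divergent_hosts(sample).items():
        print(f"{host}: IDNA2003 -> {old}   IDNA2008 -> {new}")
```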
