Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

[Robert Scheck <robert () fedoraproject org>]

On Wed, 02 Nov 2016, Daniel Stenberg wrote:
> For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
> is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
> host names could very well resolve to different addresses and be two
> completely independent servers. IDNA 2008 is mandatory for .de domains.
>
> curl is not alone with this problem, as there's currently a big flux in the
> world of network user-agents about which IDNA version to support and use.

From my point of view, this especially affects GNU libc for example.

On the other hand, I am wondering if this should be really classified as a
security related issue. Being interested in IDNA 2008 support myself, I did
some IDNA 2008 patches in the past, but practically IDNA 2008 support is
still not that widespread as I would wish. Does using an older standard (as
in IDNA 2003) really classify this issue as a security related one? If so,
I guess many upstreams should be explicitly made aware of that soon. Maybe
MITRE (or somebody else) could share their thoughts about this, too?

> It was first reported to the curl project on October 11 by Christian Heimes.

I reported the "ß" issue and the lack of IDNA 2008 support in cURL on Sun,
18 May 2014 17:17:03 +0200 directly to you, but I didn't classify it as a
security related issue though... ;-)


Greetings,
  Robert

Attachment: _bin
Description: