oss-sec mailing list archives
Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 2 Nov 2016 13:52:41 +0100
On Wed, 2 Nov 2016 12:53:04 +0100 Robert Scheck <robert () fedoraproject org> wrote:
> On the other hand, I am wondering if this should be really classified as a security related issue.
Ambiguity in character encodings can often be a source of security issues. Just think of the following:

* A Certificate Authority is using different pieces of software that mix different IDNA encodings.
* I request a certificate for strasse.de, but the verification mail goes to xn--strae-oqa.de.
* I am the owner of xn--strae-oqa.de and now have a valid certificate for strasse.de.

IMHO the whole idea of suddenly changing how international domain names are encoded is a very problematic security violation.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
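An added example (not part of the thread) showing the divergence Hanno describes: Python's built-in idna codec implements IDNA 2003 (nameprep folds ß to "ss"), while the IDNA 2008 form is approximated here by punycoding the NFC-normalised label directly, which is an assumption and not full RFC 5891 validation. A validation pipeline can use the mismatch check to reject or canonicalise names that two IDNA implementations would resolve differently.

```python
"""Compare IDNA 2003 and IDNA 2008-style encodings of a hostname."""
import unicodedata


def idna2003_label(label: str) -> str:
    # The stdlib "idna" codec is IDNA 2003 (RFC 3490). Its nameprep step
    # case-folds U+00DF (ß) to "ss", so "straße" becomes plain ASCII "strasse".
    return label.encode("idna").decode("ascii")


def idna2008_label(label: str) -> str:
    # Simplified IDNA 2008 behaviour (assumption: no RFC 5891 rule checks):
    # lower-case, NFC-normalise, keep ß as its own code point, then punycode.
    label = unicodedata.normalize("NFC", label.lower())
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def encode_host(host: str, encoder) -> str:
    # Encode each label independently, as a resolver or CA tool would.
    return ".".join(encoder(label) for label in host.split("."))


def is_ambiguous(host: str) -> bool:
    # True when the two standards produce different wire-format names,
    # i.e. when mixed software could send traffic or mail to different owners.
    return encode_host(host, idna2003_label) != encode_host(host, idna2008_label)


def collide_under_idna2003(a: str, b: str) -> bool:
    # Two distinct Unicode hostnames that map onto the same IDNA 2003 name.
    return a != b and encode_host(a, idna2003_label) == encode_host(b, idna2003_label)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread's strasse.de example.
    for host in ("straße.de", "strasse.de", "bücher.de"):
        print(host, "->", encode_host(host, idna2003_label),
              "|", encode_host(host, idna2008_label),
              "| ambiguous:", is_ambiguous(host))
    print("straße.de collides with strasse.de under IDNA 2003:",
          collide_under_idna2003("straße.de", "strasse.de"))
```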