oss-sec mailing list archives

Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host


From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 2 Nov 2016 13:57:35 +0100 (CET)

On Wed, 2 Nov 2016, Robert Scheck wrote:

>> curl is not alone with this problem, as there's currently a big flux in the
>> world of network user-agents about which IDNA version to support and use.
>
> From my point of view, this especially affects GNU libc for example.
>
> On the other hand, I am wondering if this should be really classified as a security related issue.

Can this be used to trick users or give malicious actors an advantage? I think yes. I think it has a security impact. To what extent can be debated, but then I don't grade our security vulnerabilities.

> I guess many upstreams should be explicitly made aware of that soon. Maybe MITRE (or somebody else) could share their thoughts about this, too?

I would say so. Since IDNA2003 and IDNA2008 make clients end up on different target machines, there's no doubt in my mind that this *can* be abused. I'm confident that many other tools and libraries in addition to curl have the same problem.

> I reported the "ß" issue and the lack of IDNA 2008 support in cURL on Sun, 18 May 2014 17:17:03 +0200 directly to you, but I didn't classify it as a security related issue though... ;-)

Then I apologize for having dropped the ball and not having seen the problem correctly back then. I don't remember that occasion, but I believe you.

> NOTE: the IDNA 2008 fix seems to be incomplete [1] so right now it is probably better to just disable IDN support in curl, at least if libidn2 powered.
>
> [1] = https://curl.haxx.se/mail/lib-2016-11/0033.html

--

 / daniel.haxx.se
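An added illustration, not part of this thread or of curl's code, of why the two IDNA versions "end up on different target machines" for the "ß" case mentioned above. It uses only the Python standard library: the stdlib idna codec implements IDNA2003 (nameprep maps ß to "ss"), while the IDNA2008-like helper is my own simplification that assumes lowercase input and skips IDNA2008's per-label validation.

```python
import encodings.idna  # noqa: F401  (registers the stdlib IDNA2003 codec)


def idna2003_ascii(hostname: str) -> str:
    """Convert a hostname with the stdlib 'idna' codec (IDNA2003).

    Nameprep case-folds and maps characters before punycoding, so
    U+00DF (ß) becomes "ss" and the label ends up as plain ASCII.
    """
    return hostname.encode("idna").decode("ascii")


def idna2008_like_ascii(hostname: str) -> str:
    """Approximate IDNA2008 for lowercase input (assumption of this example).

    IDNA2008 has no mapping step: ß is a valid code point in its own right,
    so a label containing it is punycoded as-is. Real IDNA2008 libraries
    (e.g. libidn2) additionally validate every label; that is omitted here.
    """
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def ambiguous_under_idna(hostname: str) -> bool:
    """True when IDNA2003 and IDNA2008 resolve the name to different hosts.

    A defender can run this over hostnames seen in logs or configuration
    to flag names whose target depends on the client's IDNA version.
    """
    return idna2003_ascii(hostname) != idna2008_like_ascii(hostname)


if __name__ == "__main__":
    for name in ("straße.de", "bücher.de", "example.com"):  # constructed samples
        print(name, idna2003_ascii(name), idna2008_like_ascii(name),
              "AMBIGUOUS" if ambiguous_under_idna(name) else "same host")
```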
