oss-sec mailing list archives

Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host


From: Daniel Stenberg <daniel () haxx se>
Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)

On Fri, 4 Nov 2016, cve-assign () mitre org wrote:

> In some situations, this would be a site-specific problem at a registry. Although domain names can have a variety of uses of '-' characters, the presence of a '-' as both the third character and the fourth character is often recognized as a special case. Trying to specify xn--strae-oqa.de directly when seeking a registration is very different from trying to specify (for example) x--strae-oqa.de or xn-strae-oqa.de.

DENIC allegedly has rules that should prevent separate registrations like in the straße.de case. Still it seems that this particular host name is registered by two different entities unless there's some background juggling that we can't easily see from the outside.

Those policies are obviously not flawless and now we end up in a situation where clients implementing different IDNA standards will end up on different servers. I suppose both can also get separate HTTPS certificates by simply using the puny encoded versions of their domain names when asking for them.

In addition to the IDNA confusion, I also learned that libidn2 doesn't do the necessary checks so just switching to that as we did in the curl patch for the advisory we're discussing here, is an insufficient and inferior fix for this problem. We need a bigger take.

One. Big. Mess.

I've suggested that curl users simply *disable* IDN completely in their builds now until we get something better done. To reduce the risk. There's no schedule or plan yet for when "something better" might be ready. I'll admit my energy level for this crap is very low.

--

 / daniel.haxx.se
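The divergence the message describes, as an added example that is not part of the original mail or of curl's code. It uses Python's built-in "idna" codec, which implements IDNA 2003 (RFC 3490/3491 nameprep), beside a deliberately simplified IDNA 2008-style conversion that only punycode-encodes the label without any of the IDNA 2008 validity checks (an assumption made for illustration, and the same kind of gap the mail attributes to libidn2). The hostname straße.de and its two ASCII forms come from the thread; the function names are my own.

```python
"""Show how IDNA 2003 and IDNA 2008 clients turn one hostname into two hosts."""

# Constructed sample: the hostname discussed in the advisory thread (straße.de).
SAMPLE_HOST = "stra\u00dfe.de"


def to_ascii_idna2003(host: str) -> str:
    # Python's "idna" codec is IDNA 2003: nameprep case-folds U+00DF to "ss",
    # so the label becomes the plain ASCII label "strasse" (no xn-- at all).
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008_like(host: str) -> str:
    # Simplified IDNA 2008-style conversion (assumption: no validity checks).
    # U+00DF is a valid code point under IDNA 2008, so the label is kept and
    # punycode-encoded with the "xn--" ACE prefix instead of being mapped.
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            ace = label.lower().encode("punycode").decode("ascii")
            labels.append("xn--" + ace)
    return ".".join(labels)


def divergence_report(host: str) -> dict:
    # The check a defender wants: does this hostname resolve to different
    # ASCII hosts depending on which IDNA standard the client implements?
    a2003 = to_ascii_idna2003(host)
    a2008 = to_ascii_idna2008_like(host)
    return {"idna2003": a2003, "idna2008": a2008, "diverges": a2003 != a2008}


def idna2003_decodes(ace_host: str):
    # An IDNA 2003 client handed the 2008 form cannot even display it: the
    # codec decodes the punycode, re-encodes via nameprep, finds the labels
    # differ and raises "IDNA does not round-trip". Return None in that case.
    try:
        return ace_host.encode("ascii").decode("idna")
    except UnicodeError:
        return None


def is_ace_label(label: str) -> bool:
    # Only the "xn--" prefix marks an ACE label; look-alikes such as
    # "x--strae-oqa" or "xn-strae-oqa" (hyphens not in positions 3 and 4)
    # are ordinary labels and name different things.
    return label.lower().startswith("xn--")


def ascii_only_policy(host: str) -> bool:
    # What "disable IDN in the build" amounts to: refuse any non-ASCII host so
    # the client can never be steered to a server it did not intend to reach.
    return host.isascii()


if __name__ == "__main__":
    print(divergence_report(SAMPLE_HOST))
    print("IDNA2003 view of 2008 form:", idna2003_decodes("xn--strae-oqa.de"))
```

Running it reports strasse.de for the IDNA 2003 path and xn--strae-oqa.de for the IDNA 2008 path, i.e. two different registrable names for one typed hostname, and shows that the 2003 codec refuses the 2008 form outright rather than mapping it back.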
