This is the mail archive of the
mailing list for the glibc project.
Re: What to do about libidn?
On 11/08/2016 04:27 PM, Zack Weinberg wrote:
I just saw something go by about security problems with blindly
applying IDNA-2008 without additional input validation, too. Can't
find it right now. cc:ing the libidn(2) maintainer.
The upgrade to IDNA-2008 changes name resolution for some domains
because registries did not handle the transition in a seamless manner.
It also enables new homograph attacks (but I tend to discount those as
Disabling IDNA does not have this problem anymore because I don't think
there is a registry which allows registration of non-ASCII names (e.g.,
labels of the form \195\164\195\182\195\188 instead of xn--4ca0bs).
What should we do to improve this situation? I would really like to remove
AI_IDN, but this is likely not an option.
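To make the conversion under discussion concrete, here is an added example (not code from the thread or from glibc): it shows the raw UTF-8 label bytes a resolver would send without AI_IDN, the xn-- A-label that AI_IDN produces for the same label, and one label whose A-label differs between IDNA2003 and IDNA2008. It uses Python's stdlib "idna" codec, which implements IDNA2003, so the IDNA2008 result is stated in a comment rather than computed; the hostnames are constructed.

```python
# Added example: what AI_IDN does to a hostname, versus what goes on the wire
# without it. Python's stdlib "idna" codec implements IDNA2003, not IDNA2008.


def utf8_label_bytes(label: str) -> bytes:
    """Raw label bytes a resolver sends when no IDNA conversion is applied."""
    return label.encode("utf-8")


def decimal_escapes(data: bytes) -> str:
    """Render bytes the way the mail shows them (\\195\\164...), ASCII as-is."""
    return "".join(f"\\{b}" if b >= 128 else chr(b) for b in data)


def a_label(label: str) -> str:
    """Convert one U-label to its xn-- A-label; ASCII labels pass through."""
    if label.isascii():
        return label
    return label.encode("idna").decode("ascii")


def to_ascii_hostname(host: str) -> str:
    """Per-label conversion of a whole name: the application-side equivalent
    of passing AI_IDN to getaddrinfo (IDNA2003 mapping here)."""
    return ".".join(a_label(part) for part in host.split("."))


def decode_hostname(host: str) -> str:
    """Inverse of to_ascii_hostname: xn-- labels back to U-labels."""
    return ".".join(
        part.encode("ascii").decode("idna") if part.startswith("xn--") else part
        for part in host.split(".")
    )


if __name__ == "__main__":
    # Constructed inputs. The first label is the one quoted in the mail.
    print(decimal_escapes(utf8_label_bytes("äöü")))   # \195\164\195\182\195\188
    print(to_ascii_hostname("äöü.example"))           # xn--4ca0bs.example
    # IDNA2003 maps German sharp s to "ss"; IDNA2008 keeps it, yielding
    # xn--strae-oqa instead, so the two versions resolve different names.
    print(to_ascii_hostname("straße.example"))        # strasse.example
```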
I also rather like the idea of dropping AI_IDN. As a data point,
https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion
lines of code from 7,000,000 projects" - and at least half of those
appear to be implementations and library wrappers.
There is traceroute …
If the consensus is that we want to get rid of AI_IDN, I'll happily
prepare a patch (and use it in Fedora).