This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: What to do about libidn?


On 8.11.2016 16:59, Florian Weimer wrote:
> On 11/08/2016 04:27 PM, Zack Weinberg wrote:
> 
>> I just saw something go by about security problems with blindly
>> applying IDNA-2008 without additional input validation, too. Can't
>> find it right now.  cc:ing the libidn(2) maintainer.
> 
> The upgrade to IDNA-2008 changes name resolution for some domains because
> registries did not handle the transition in a seamless manner. It also enables
> new homograph attacks (but I tend to discount those as irrelevant).
> 
> Disabling IDNA does not have this problem anymore because I don't think there
> is a registry which allows registration of non-ASCII names (e.g., labels of the
> form \195\164\195\182\195\188 instead of xn--4ca0bs).
> 
>>> What should we do to improve this situation?  I would really like to remove
>>> AI_IDN, but this is likely not an option.
>>
>> I also rather like the idea of dropping AI_IDN.  As a data point,
>> https://searchcode.com/?q=AI_IDN shows only 39 hits out of "20 billion
>> lines of code from 7,000,000 projects" - and at least half of those
>> appear to be implementations and library wrappers.
> 
> There is traceroute …
> 
> If the consensus is that we want to get rid of AI_IDN, I'll happily prepare
> a patch (and use it in Fedora).

Personally I would agree to removing AI_IDN. The more we remove the better: It
will be an incentive for applications to use something more modern than the DNS
resolution layer from libc, which is really ancient and lacks modern
functionality (DNSSEC validation and error reporting, for instance).

-- 
Petr Spacek  @  Red Hat
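
Added example, not part of the thread or of glibc: the two label forms quoted above (\195\164\195\182\195\188 versus xn--4ca0bs), and one way to spot labels whose lookup changes with the IDNA-2008 upgrade. Assumptions: the helper names are hypothetical, "faß" is a constructed sample, and ace_unmapped() is only a stand-in for IDNA-2008 on characters it permits as-is.

```python
"""Added illustration: what one label looks like with and without IDNA."""

def presentation(label):
    """UTF-8 octets of a label in DNS presentation format (\\DDD escapes)."""
    out = []
    for b in label.encode("utf-8"):
        ch = chr(b)
        printable = 0x21 <= b <= 0x7E and ch not in '\\."'
        out.append(ch if printable else "\\%03d" % b)
    return "".join(out)

def ace_idna2003(label):
    """ACE form from Python's built-in 'idna' codec, which implements IDNA 2003
    (nameprep mapping first, then Punycode)."""
    return label.encode("idna").decode("ascii")

def ace_unmapped(label):
    """Assumption: Punycode with no IDNA 2003 mapping step, standing in for
    IDNA-2008 on characters it accepts unchanged (such as sharp s)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def resolution_changes(name):
    """Labels of `name` whose encoded form differs between the two schemes,
    i.e. the same typed name would be looked up under a different label."""
    labels = [l for l in name.lower().split(".") if l]
    return [l for l in labels if ace_idna2003(l) != ace_unmapped(l)]

if __name__ == "__main__":
    # Constructed sample names; only the first label comes from the thread.
    for name in ("äöü.example", "faß.example"):
        first = name.split(".")[0]
        print(name)
        print("  raw octets :", presentation(first))
        print("  IDNA 2003  :", ace_idna2003(first))
        print("  unmapped   :", ace_unmapped(first))
        print("  changed    :", resolution_changes(name))
```
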

