Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: option to disallow IDN ?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Gustafsson via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 15 Dec 2022 10:03:04 +0100
> On 15 Dec 2022, at 09:06, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
> After my recent blog post "IDN is crazy" [1], a few people have requested a new option to curl that prevents it from accepting/using IDN. To reduce the risk of getting exploited by one of the many trickeries you can do with it.
The main attack vector as I understand it, is tricking users into copy/pasting
a commandline with an IDN hostname in it causing the user to interact with
fake.com instead of legitimate.com. If the option is a commandline option then
that wouldn't really add much protection as it wouldn't be included in what is
copied.
An environment variable would add more protection, but would also be more
cumbersome and likely less used.
Another question is where to draw the line in the IDN process, if someone types
a punycode URL into the commandline with the IDN option turned off, should that
be allowed? It's all ASCII but it's still an IDN.
I'm not convinced that it would add protection enough to warrant the added
complexity.
Date: Thu, 15 Dec 2022 10:03:04 +0100
> On 15 Dec 2022, at 09:06, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
> After my recent blog post "IDN is crazy" [1], a few people have requested a new option to curl that prevents it from accepting/using IDN. To reduce the risk of getting exploited by one of the many trickeries you can do with it.
The main attack vector as I understand it, is tricking users into copy/pasting
a commandline with an IDN hostname in it causing the user to interact with
fake.com instead of legitimate.com. If the option is a commandline option then
that wouldn't really add much protection as it wouldn't be included in what is
copied.
An environment variable would add more protection, but would also be more
cumbersome and likely less used.
Another question is where to draw the line in the IDN process, if someone types
a punycode URL into the commandline with the IDN option turned off, should that
be allowed? It's all ASCII but it's still an IDN.
I'm not convinced that it would add protection enough to warrant the added
complexity.
-- Daniel Gustafsson https://vmware.com/ -- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-12-15