IDN processing-related security considerations for draft-ietf-websec-strict-transport-sec
hmdmhdfmhdjmzdtjmzdtzktdkztdjz at gmail.com
Fri Sep 30 23:27:17 CEST 2011
On 30 September 2011 21:43, =JeffH wrote:
>>> a pointer in the direction of "implementations supporting
>>> IDNA2003 instead of IDNA2008 use the corresponding IDNA2003
>>> 'ToAscii' conversion as specified in RFC 3490" in some
>>> BCP 18 "i18n considerations"?
>> I agree that text such at that is appropriate, but I think that's
>> what Jeff (and Adam) are trying to formulate.
> that is our intent, and essentially what the draft language says,
Sorry, that wasn't my impression, I read "do IDNA2008 or IDNA2003",
not "do IDNA as specified in 5xxx", with the IDNA2003 blurb hidden
in "i18n considerations". I did not know that some folks consider
IDNA2008 as controversial. [User's POV: I don't like to see any
U-labels in scripts I can't read, and as long as I can't configure
which scripts I can read I consider all U-labels as "insecure", but
that doesn't depend on the IDNA version.]
[xn--cocacola and na--whatever]
>>> These are perfectly valid LDH labels in DNS *host* names outside
>>> of IDNA.
>>> What do you plan to do in these cases, throw an exception, maybe?
> If you read closely, the actual idna-canonicalization will be done
> by prior portions of "the pipeline", and presuming they implement
> IDNA2008, then yes, they'd not "process" those above labels because
> they are invalid.
AFAICT they are not invalid outside of IDNA. The RFCs defining host
names / HTTP / URLs are not updated by IDNA. For *all* LDH labels,
if you are *not* interested to find U-labels for A-labels, simply do
not put them into any IDNA processing, because the result will not be
what you want in certain corner cases.
Otherwise, if you want to find U-labels, take only XN-labels as input
for IDNA processing, because anything else cannot be a valid A-label.
> I just jammed xn--cocacola into the Firefox address bar and got an
> interesting result: "ఃఅఅ" which may or may not be a valid
> IDNA2003 U-label (to coin a term).
Apologies, I never really tested it: xn--cocacola used to be a kind
of joke on this list years ago (wrt legal copyright problems, not to
is down at the moment... :-(
Looking at my mail with suggested idnatest subdomains the Gmail UI
as displayed by Chrome shows a difference for two of the test URLs:
http://_underscore.idnatest.ietf.org/ \/ "http://" not shown as
http://-non-ldh.idnatest.ietf.org/ /\ part of the wannabe-link
http://under_score.idnatest.ietf.org/ \/ "http://" shown as
http://non-ldh-.idnatest.ietf.org/ /\ part of the wannabe-link
More information about the Idna-update