|
|
|
|
|
|
by tialaramex
2491 days ago
|
|
|
Hostname verification got much better. It's default-on in a lot of common software these days where it might have been optional or even entirely broken back in 2012. People do struggle with IDNs. The key trick here is to understand that SANs are mandatory in the Web PKI and by definition they are in DNS's own internal A-label format ("punycode") because the character set used for SANs deliberately isn't Unicode capable. You will need to know the A-labels in order to successfully resolve the hostname to get an IP address, so you can re-use those A-labels to match the SANs, and doing so will make your software work how programmers expect it to. You don't need the U-labels at all, they are only for display purposes. If you find yourself providing a separate "Hostname to verify" API distinct from the interface where you learn the name to connect to that's where you're going to trip yourself up, so don't. But yes hostname checks are still embarrassingly missing in plenty of less obvious places if you go looking, they did not vanish entirely overnight. The obscure Haiku operating system is an example, they offer a "secure socket" abstraction but it doesn't implement hostname validation so in essence it's worthless, yet it is used by their native web browser and other software. |
|
|
I just fixed this in https://git.haiku-os.org/haiku/commit/?id=8d63a9060e66aa69c0....
In the future, please actually report such problems on the bugtracker instead of just randomly shaming us on HN :p