[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] Overly permissive hostname matching
From: |
Tim Ruehsen |
Subject: |
Re: [Bug-wget] Overly permissive hostname matching |
Date: |
Wed, 19 Mar 2014 11:19:54 +0100 |
User-agent: |
KMail/4.11.5 (Linux/3.13-1-amd64; KDE/4.11.5; x86_64; ; ) |
On Tuesday 18 March 2014 20:05:07 Daniel Kahn Gillmor wrote:
> On 03/18/2014 05:31 PM, Tim Rühsen wrote:
> > IHMO, the Public Suffix List (PSL) should not only be used to verify
> > cookies but also be used for certificate hostname checking.
> >
> > Libraries as GnuTLS should offer an API for this kind of checking, best
> > would be having the PSL as a separate file, maintained by the
> > distribution maintainers (or the user, if he wants to to it). The SSL
> > library should load/unload the PSL under the applications control.
>
> that sounds really fiddly to me -- you want the application to know why
> the TLS stack needs to know about the public suffix list, and to be able
> to control it appropriately?
>
> I think we need good sensible defaults, and a locally-cached,
> frequently-updated copy of the public suffix list; then if we really
> really want the application to be able to control the use of an
> alternate suffix list we can provide an API for that, but i can't
> imagine we'd want to require the application to specify anything (even
> asking the application to load the default local PSL seems like too much
> to expect from most apps that just want "to layer in some TLS").
As a programmer, I want to have control. E.g. the option to load from a
different file, or to switch off loading. Why ? e.g. for testing purposes, or
simply imagine a "swiss army knife" client for experts - maybe they want to
have control via CLI args. Or you are in a controlled environment and simply
don't want to waste CPU cycles when downloading a single file from a trusted
server. Just some examples.
And than, clients like Wget would like to have access, at least for checking
cookies.
> > Maybe it would be a good idea to provide a separate PSL library that could
> > be used by SSL libraries for hostname checking and HTTP(S) clients for
> > cookie verification.
>
> I maintain publicsuffix in debian, and i try to help on the gnutls side
> of things too (both upstream and a little bit of kibbitzing about the
> debian packaging).
>
> debian has php, python, perl, and haskell bindings for the public suffix
> list, but i don't think anyone has packaged a C library for it.
>
> I've got discussion in my mailbox that i haven't processed in ages with
> Florian Sager about packaging regdom-libs [0], though, and the library
> looks like it's been revived a bit since i gave up on it last [1]. Do
> you think this C interface would be a useful one or would you expect a
> different API?
I just took a quick look but I am not sure about the API (i did not have this
'aha' effect). But what I don't like is the dependency on PHP which is used to
'compile' the PSL before the C functions can use it. While the idea of
compilation/preprocessing is a good one, it should at least be optional.
> [0] http://www.dkim-reputation.org/regdom-libs/
> [1] https://bugs.debian.org/683881
>
> > If of any interest, there is already some LGPLed code at
> >
> > https://github.com/rockdaboot/mget/blob/master/libmget/cookie.c
> >
> > There are also some unit test routines in the project.
>
> hm, do you know if the libmget folks are willing to break that code out
> separately? linking to all of libmget doesn't sound like a good idea,
> and it would be a shame to have to maintain separate copies of this
> codebase.
"the folks" it's me ;-)
I already thought of splitting libmget into several smaller libraries, like
libmget-common, libmget-cookies, libmget-psl ... whatever is needed.
What exactly do you think of ? What can I do to make Debian packaging easy ?
Tim
Re: [Bug-wget] Overly permissive hostname matching, Tim Rühsen, 2014/03/18
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/18
- Re: [Bug-wget] Overly permissive hostname matching, Daniel Kahn Gillmor, 2014/03/18
- Re: [Bug-wget] Overly permissive hostname matching,
Tim Ruehsen <=
- Re: [Bug-wget] Overly permissive hostname matching, Daniel Kahn Gillmor, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Daniel Stenberg, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Ángel González, 2014/03/19
- Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19
Re: [Bug-wget] Overly permissive hostname matching, Daniel Kahn Gillmor, 2014/03/19
Re: [Bug-wget] Overly permissive hostname matching, Jeffrey Walton, 2014/03/19