chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Add some edge case test sites that aren't strictly TLS related #89

Open april opened 8 years ago

april commented 8 years ago

How do you feel about things that test generic client issues, and not just TLS related things?

For example: https://infinite-redirect.badssl.com/

Or: https://technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035-but-tbh-i-do-what-i-want.badssl.com/

Or: https://long-url.badssl.com/while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner

april commented 8 years ago

Looks like 2084 doesn't even break most clients anymore. DARE I GO LONGER?!

lgarron commented 8 years ago

Sure!

RFC 1035? That explains it! https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ and https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com/ both have 63-char subdomains because that's the longest I could make them without breaking in browsers. I didn't look into it further because I was just interested in UI problems, but we can totally add one that goes over.

lgarron commented 8 years ago

That said, these are not specific to HTTPS (although perhaps they interact with HTTPS in strange ways on some clients). Is there another test site that has such cases (either to use instead, or to borrow ideas from)?

april commented 8 years ago

I've not really seen another client test site like badssl.com, except for casual one-offs. It probably doesn't help that none of the suggestions I made above get indexed by search engines. Or at least I couldn't find any.

lgarron commented 8 years ago

> Or: https://technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035-but-tbh-i-do-what-i-want.badssl.com/

badssl.com answers on all subdomains. Is there any client that will manage to connect? (I just tried modifying my /etc/hosts to point to the IP for that subdomain directly, but I still get curl: (6) Could not resolve host.)

lgarron commented 8 years ago

> It probably doesn't help that none of the suggestions I made above get indexed by search engines.

orly? :-P

lgarron commented 8 years ago

> Looks like 2084 doesn't even break most clients anymore. DARE I GO LONGER?!

Try > 2MB?

april commented 8 years ago

> orly? :-P

[image: sad shiba]

april commented 8 years ago

Already in trying to increase the size of the URL, I have pissed off nginx, caused Chrome to lose my URL, and nearly locked up vim. So there's that!

april commented 8 years ago

BTW, the RFC says you can have up to four labels of 63 octets each. As such, if you really want to test UI issues, you should probably have:

https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com/
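The label and name limits being discussed, checked in code. This is an added example and not badssl.com's own code: it applies the RFC 1035 length limits (63 octets per label, 255 octets for the wire-form name, which is 253 characters of dotted text) to the hostnames quoted in this thread, listed inline rather than resolved or fetched, plus one constructed variant with four 63-octet labels that does not appear on the page. The names check_hostname, check_url, classify_thread_urls and longest_label are this example's own.

```python
"""RFC 1035 length checks for the hostnames quoted in this thread.

Added example, not badssl.com code. A DNS label is at most 63 octets and a
complete name at most 255 octets on the wire, which works out to 253
characters of dotted text (each label carries a length byte and the name a
terminating zero byte). Stub resolvers generally reject an oversize label
before sending any query, which is why a wildcard DNS record cannot rescue
such a name: the failure is local, as curl's "Could not resolve host" shows.
Labels are assumed to be ASCII; IDN labels would have to be measured after
conversion to their A-label form.
"""
from __future__ import annotations

from urllib.parse import urlsplit

MAX_LABEL_OCTETS = 63
MAX_NAME_CHARS = 253  # 255 wire octets minus length-byte and terminator overhead

LABEL63 = "longextendedsubdomainnamewithoutdashesinordertotestwordwrapping"

# Hostnames quoted in this thread (constructed list; nothing is resolved or fetched).
# The last entry is a constructed four-label variant, not one from the thread.
THREAD_URLS = [
    "https://badssl.com/",
    "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/",
    f"https://{LABEL63}.badssl.com/",
    f"https://{LABEL63}.{LABEL63}.{LABEL63}.badssl.com/",
    "https://technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035-but-tbh-i-do-what-i-want.badssl.com/",
    f"https://{LABEL63}.{LABEL63}.{LABEL63}.{LABEL63}.badssl.com/",
]


def check_hostname(host: str) -> list[str]:
    """Return the RFC 1035 length violations for host; an empty list means it is within limits."""
    problems: list[str] = []
    host = host.rstrip(".")  # a trailing dot names the root and adds no octets of its own
    if len(host) > MAX_NAME_CHARS:
        problems.append(f"name is {len(host)} characters, limit {MAX_NAME_CHARS}")
    for label in host.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL_OCTETS:
            problems.append(
                f"label {label[:16]}... is {len(label)} octets, limit {MAX_LABEL_OCTETS}"
            )
    return problems


def check_url(url: str) -> list[str]:
    """Apply check_hostname to the host part of a URL."""
    return check_hostname(urlsplit(url).hostname or "")


def longest_label(host: str) -> int:
    """Length of the longest label in host, useful for seeing how close a name is to the cap."""
    return max(len(label) for label in host.rstrip(".").split("."))


def classify_thread_urls() -> dict[str, list[str]]:
    """Map each quoted URL to its list of violations."""
    return {url: check_url(url) for url in THREAD_URLS}


if __name__ == "__main__":
    for url, problems in classify_thread_urls().items():
        host = urlsplit(url).hostname or ""
        status = "ok" if not problems else "; ".join(problems)
        print(f"{len(host):>4} chars, longest label {longest_label(host):>3}: {status}")
```

The three 63-octet labels stacked in the previous comment stay under the 253-character cap, so a resolver will accept that name and the only question left is how a browser's address bar wraps it; the rfc1035 hostname fails on label length alone, before the total is even considered.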

lgarron commented 8 years ago

> https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com/

Not bad!

I'm a bit surprised we don't wrap on the dots, though.

[screenshot: screen shot 2015-10-26 at 15 20 39]

april commented 8 years ago

> Or: https://technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035-but-tbh-i-do-what-i-want.badssl.com/
>
> badssl.com answers on all subdomains. Is there any client that will manage to connect? (I just tried modifying my /etc/hosts to point to the IP for that subdomain directly, but I still get curl: (6) Could not resolve host.)

The infinite redirection one is great for testing bots and other things that just grab URLs when you post them into IRC.

The DNS one should probably not work, although it may work with local hosts on some OSs. We wouldn't even need to really implement it aside from a link on the home page. :) Mostly it would just be a way to test those error pages.

The URL one behaves differently in every browser and client, but would probably need a page.
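A bounded-redirect fetch of the kind a link-previewing bot needs, as an added example rather than anything from badssl.com. Since https://infinite-redirect.badssl.com/ is not reachable offline, the block stands up a local HTTP server that answers every request with a 302 to a fresh path (so a client that only remembers URLs it has already visited never notices the loop) and runs a client that gives up after a fixed number of hops. The names RedirectForever, TooManyRedirects, fetch and run_demo are this example's own.

```python
"""Bounded-redirect client against a local stand-in for infinite-redirect.badssl.com.

Added example, not badssl.com code. The server below redirects forever, each
time to a different path, so same-URL loop detection never fires; only a hard
hop limit stops the client. That limit is the check a bot which fetches every
URL pasted into a channel must have, or one pasted link keeps it busy for good.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectForever(BaseHTTPRequestHandler):
    """Answer every GET with a 302 to the next numbered path: / -> /1 -> /2 -> ..."""

    def do_GET(self):
        hop = int(self.path.strip("/") or "0") + 1
        self.send_response(302)
        self.send_header("Location", f"/{hop}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class TooManyRedirects(Exception):
    def __init__(self, hops, url):
        super().__init__(f"gave up after {hops} redirects at {url}")
        self.hops = hops
        self.url = url


def fetch(url, max_redirects=10):
    """GET url, following at most max_redirects redirects.

    Returns (status, final_url, hops). Raises TooManyRedirects when the server
    asks for one redirect more than the cap allows.
    """
    hops = 0
    while True:
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", parts.path or "/")
            resp = conn.getresponse()
            resp.read()
            location = resp.getheader("Location")
            if resp.status not in REDIRECT_STATUSES or location is None:
                return resp.status, url, hops
        finally:
            conn.close()
        if hops >= max_redirects:
            raise TooManyRedirects(hops, url)
        hops += 1
        url = urljoin(url, location)  # Location may be relative, as it is here


def run_demo(max_redirects=5):
    """Start the loop server, fetch with a cap, return the hop count at which the client gave up."""
    server = HTTPServer(("127.0.0.1", 0), RedirectForever)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        fetch(f"http://127.0.0.1:{server.server_port}/", max_redirects=max_redirects)
    except TooManyRedirects as exc:
        return exc.hops
    finally:
        server.shutdown()
        server.server_close()
    return None  # unreachable with this server, which never stops redirecting


if __name__ == "__main__":
    print("client stopped after", run_demo(), "redirects")
```

A stock client usually has such a cap already (urllib and curl both do), but a bot that hand-rolls its fetching, or turns the cap off to "fix" a site with a long redirect chain, is exactly what the badssl page exercises.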

april commented 8 years ago

Woohoo! I broke Chrome! Who should I send my mailing address to in order to collect my bug bounty?

lgarron commented 8 years ago

> Woohoo! I broke Chrome! Who should I send my email address to in order to collect my bug bounty?

How broken?

hehe, I can intercept the passwords of everyone on the network (linked from VRP page) OR no biggie, but fix plz?

april commented 8 years ago

> How broken?

Well, it's a clear buffer overflow of their security warning div tag. It doesn't even fit on the screen!