Open april opened 8 years ago
Looks like 2084 doesn't even break most clients anymore. DARE I GO LONGER?!
Sure!
RFC 1035? That explains it! https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ and https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com/ both have 63-char subdomains because that's the longest I could make them without breaking in browsers. I didn't look into it further because I was just interested in UI problems, but we can totally add one that goes over.
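The 63-character ceiling mentioned here is the RFC 1035 label limit (section 2.3.4: labels of 63 octets or less, whole names of 255 octets or less in wire form). The checker below is an added example, not badssl.com's own code; it takes a hostname, measures each label and the wire-form name, and reports which limits would be exceeded, so a client or validator can reject an over-long name before handing it to the resolver. The host names it runs against are the ones quoted in this thread.

```python
import re

MAX_LABEL_OCTETS = 63   # RFC 1035 2.3.4: "labels ... 63 octets or less"
MAX_NAME_OCTETS = 255   # RFC 1035 2.3.4: "names ... 255 octets or less" (wire form)
# Letters, digits and hyphens only, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_hostname(hostname: str) -> list:
    """Return the RFC 1035 limits this hostname breaks (empty list == compliant)."""
    problems = []
    labels = hostname.rstrip(".").split(".")
    # Wire form: one length octet before every label plus the terminating zero octet.
    wire_len = sum(len(label.encode("utf-8")) + 1 for label in labels) + 1
    if wire_len > MAX_NAME_OCTETS:
        problems.append(f"name is {wire_len} octets on the wire (max {MAX_NAME_OCTETS})")
    for i, label in enumerate(labels):
        if not label:
            problems.append(f"label {i} is empty")
            continue
        octets = len(label.encode("utf-8"))
        if octets > MAX_LABEL_OCTETS:
            problems.append(f"label {i} is {octets} octets (max {MAX_LABEL_OCTETS})")
        if not LABEL_RE.match(label):
            problems.append(f"label {i} is not letters/digits/hyphens only")
    return problems


# Host names taken from this thread: the two 63-character labels are at the limit,
# the third label is 98 characters and therefore non-compliant.
AT_LIMIT_HOSTS = [
    "long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com",
    "longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com",
]
OVER_LIMIT_HOST = (
    "technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035"
    "-but-tbh-i-do-what-i-want.badssl.com"
)

if __name__ == "__main__":
    for host in AT_LIMIT_HOSTS + [OVER_LIMIT_HOST]:
        print(host[:40] + "...", check_hostname(host) or "ok")
```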
That said, these are not specific to HTTPS (although perhaps they interact with HTTPS in strange ways on some clients). Is there another test site that has such cases (either to use instead, or to borrow ideas from)?
I've not really seen another client test site like badssl.com, except for casual one-offs. It probably doesn't help that none of the suggestions I made above get indexed by search engines. Or at least I couldn't find any.
badssl.com answers on all subdomains. Is there any client that will manage to connect? (I just tried modifying my /etc/hosts to point to the IP for that subdomain directly, but I still get curl: (6) Could not resolve host.)
orly? :-P
Try > 2MB?
Already in trying to increase the size of the URL, I have pissed off nginx, caused Chrome to lose my URL, and nearly locked up vim. So there's that!
BTW, the RFC says you can have up to four labels of 63 octets each. As such, if you really want to test UI issues, you should probably have:
Not bad!
I'm a bit surprised we don't wrap on the dots, though.
The infinite redirection one is great for testing bots and other things that just grab URLs when you post them into IRC.
The DNS one should probably not work, although it may work with local hosts on some OSs. We wouldn't even need to really implement it aside from a link on the home page. :) Mostly it would just be a way to test those error pages.
The URL one behaves differently in every browser and client, but would probably need a page.
Woohoo! I broke Chrome! Who should I send my mailing address to in order to collect my bug bounty?
Woohoo! I broke Chrome! Who should I send my email address to in order to collect my bug bounty?
How broken?
hehe, I can intercept the passwords of everyone on the network (linked from VRP page) OR no biggie, but fix plz?
Well, it's a clear buffer overflow of their security warning div tag. It doesn't even fit on the screen!
How do you feel about things that test generic client issues, and not just TLS related things?
For example: https://infinite-redirect.badssl.com/
Or: https://technically-speaking-this-really-long-hostname-is-in-violation-of-rfc1035-but-tbh-i-do-what-i-want.badssl.com/
Or: https://long-url.badssl.com/while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner-while-technically-compliant-with-rfc7230-this-url-nevertheless-breaks-most-clients-and-should-probably-not-actually-be-used-in-practice-and-while-you-might-think-i-could-just-ramble-until-this-url-was-at-least-2084-characters-long-i-actually-have-a-day-job-and-so-am-just-going-to-repeat-this-ad-nauseum-so-there-neiner-neiner