[Security-sig] Lack of IDNA 2008 support

Christian Heimes christian at python.org
Tue Oct 11 11:41:33 EDT 2016


Hi,

Python has only IDNA 2003 support (international domain names). I'm
starting to consider Python's lack of IDNA 2008 support a security issue
for DNS lookups and for cert validation. Applications may connect to the
wrong IP address and validate the hostname, too. IDNA 2008 is mandatory
for German .de domains. See https://bugs.python.org/issue17305

Wrong:

>>> import socket
>>> u'straße.de'.encode('idna')
'strasse.de'
>>> socket.gethostbyname(u'straße.de'.encode('idna'))
'72.52.4.119'

Correct:

>>> import idna
>>> idna.encode(u'straße.de')
'xn--strae-oqa.de'
>>> socket.gethostbyname(idna.encode(u'straße.de'))
'81.169.145.78'

I neither have time nor expertise to implement IDNA 2008. The ticket
17305 is more than three years old, too.

Christian
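
An added example, not part of the original message: a Python 3, standard-library-only check that flags hostnames which the built-in `idna` codec (IDNA 2003) rewrites to a different name. The function names are hypothetical, and the "preserved" form is plain Punycode of the label as written, without the IDNA 2008 validity checks, so this is a detector and not an IDNA 2008 implementation.

```python
import unicodedata

# The four UTS #46 "deviation" characters: IDNA 2003 maps them away,
# IDNA 2008 keeps them as distinct code points.
DEVIATIONS = {
    "\u00df": "LATIN SMALL LETTER SHARP S",      # IDNA 2003 maps to "ss"
    "\u03c2": "GREEK SMALL LETTER FINAL SIGMA",  # IDNA 2003 maps to U+03C3
    "\u200c": "ZERO WIDTH NON-JOINER",           # IDNA 2003 removes it
    "\u200d": "ZERO WIDTH JOINER",               # IDNA 2003 removes it
}


def _preserving_alabel(label):
    """Punycode the label as written (assumption: no IDNA 2008 validation)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def audit_hostname(hostname):
    """Return None when the name has no deviation characters, otherwise a
    report comparing the stdlib (IDNA 2003) encoding with the preserved one."""
    name = unicodedata.normalize("NFC", hostname)
    found = sorted(c for c in set(name) if c in DEVIATIONS)
    if not found:
        return None
    stdlib = name.encode("idna").decode("ascii")  # built-in codec, IDNA 2003
    preserved = ".".join(_preserving_alabel(part) for part in name.split("."))
    return {
        "deviations": [DEVIATIONS[c] for c in found],
        "stdlib_idna2003": stdlib,
        "preserved": preserved,
        # True means a lookup or certificate check would use another name
        "ambiguous": stdlib != preserved,
    }


if __name__ == "__main__":
    for host in ("stra\u00dfe.de", "python.org"):  # constructed sample input
        print(host, "->", audit_hostname(host))
```

A name reported as ambiguous should be encoded with an IDNA 2008 implementation, such as the `idna` package used in the message, before it is passed to DNS resolution or certificate hostname matching.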

