[Security-sig] Lack of IDNA 2008 support

Victor Stinner victor.stinner at gmail.com
Tue Oct 11 11:47:35 EDT 2016


Ah, I recently read an article about IDNA: Firefox uses IDNA 2008,
Chrome uses IDNA 2003. Depending on the browser, you may or may not
reach the domain https://ssz.fr/ :-)

So at least, the issue is not specific to Python.

Is it possible to support both IDNA versions at the same time by
default? Or are both versions exclusive?

Article in French:
https://linuxfr.org/news/bilan-a-un-an-des-domaines-fr-d-une-et-deux-lettres#domaines-internationaux

Victor


2016-10-11 17:41 GMT+02:00 Christian Heimes <christian at python.org>:
> Hi,
>
> Python has only IDNA 2003 support (international domain names). I'm
> starting to consider Python's lack of IDNA 2008 support a security issue
> for DNS lookups and for cert validation. Applications may connect to the
> wrong IP address and validate the hostname, too. IDNA 2008 is mandatory
> for German .de domains. See https://bugs.python.org/issue17305
>
> Wrong:
>
> >>> import socket
> >>> u'straße.de'.encode('idna')
> 'strasse.de'
> >>> socket.gethostbyname(u'straße.de'.encode('idna'))
> '72.52.4.119'
>
> Correct:
> >>> import idna
> >>> idna.encode(u'straße.de')
> 'xn--strae-oqa.de'
> >>> socket.gethostbyname(idna.encode(u'straße.de'))
> '81.169.145.78'
>
> I neither have time nor expertise to implement IDNA 2008. The ticket
> 17305 is more than three years old, too.
>
> Christian
> _______________________________________________
> Security-SIG mailing list
> Security-SIG at python.org
> https://mail.python.org/mailman/listinfo/security-sig
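
The encoding difference shown in the quoted session, as an added example that is not part of the original messages: a standard-library-only check that flags hostnames which the built-in `idna` codec (IDNA 2003) turns into a different name than a Punycode encoding that keeps the character. The function names are hypothetical, and `alabel_preserving` is a simplified stand-in for IDNA 2008 (no bidi or contextual-rule validation).

```python
import unicodedata

# Code points that IDNA 2003 (Python's built-in "idna" codec) maps away or
# drops, while IDNA 2008 keeps them (the "deviation" set in UTS #46).
DEVIATIONS = {"\u00df", "\u03c2", "\u200c", "\u200d"}  # ß, ς, ZWNJ, ZWJ


def alabel_2003(host):
    """A-label as produced by the standard library (IDNA 2003 + nameprep)."""
    return host.encode("idna").decode("ascii")


def alabel_preserving(host):
    """Simplified stand-in for IDNA 2008: NFC + lowercase + Punycode per label.

    Assumption: no IDNA 2008 validity checks (bidi, contextual rules) are
    done here; use a full implementation such as the `idna` package for that.
    """
    out = []
    for label in unicodedata.normalize("NFC", host).lower().split("."):
        if label.isascii():
            out.append(label)  # plain ASCII labels are passed through
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def audit_hostname(host):
    """Report both encodings and whether they name different hosts."""
    old, new = alabel_2003(host), alabel_preserving(host)
    return {
        "idna2003": old,
        "preserving": new,
        "deviation_chars": sorted(set(host) & DEVIATIONS),
        "ambiguous": old != new,
    }


if __name__ == "__main__":
    # Constructed sample list; the first name is the one from the thread.
    for name in ["straße.de", "bücher.de", "example.de"]:
        print(name, audit_hostname(name))
```

A name reported as `ambiguous` is one where DNS lookup and certificate hostname matching depend on which IDNA version the caller applied, so it is worth logging or rejecting before a connection is made.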

