Security-SIG

Download

security-sig@python.org

October 2016

3 participants
1 discussions

Lack of IDNA 2008 support
by Christian Heimes 12 Oct '16

12 Oct '16

Hi, Python has only IDNA 2003 support (international domain names). I'm starting to consider Python's lack of IDNA 2008 support a security issue for DNS lookups and for cert validation. Applications may connect to the wrong IP address and validate the hostname, too. IDNA 2008 is mandatory for German .de domains. See https://bugs.python.org/issue17305 Wrong: >>> import socket >>> u'straße.de'.encode('idna') 'strasse.de' >>> socket.gethostbyname(u'straße.de'.encode('idna')) '72.52.4.119' Correct: >>> import idna >>> idna.encode(u'straße.de') 'xn--strae-oqa.de' >>> socket.gethostbyname(idna.encode(u'straße.de')) '81.169.145.78' I neither have time nor expertise to implement IDNA 2008. The ticket 17305 is more than three years old, too. Christian

3 3