[Python-Dev] [ssl] The weird case of IDNA

Christian Heimes christian at python.org
Sat Dec 30 08:35:35 EST 2017


On 2017-12-30 13:19, Skip Montanaro wrote:
> Guido wrote:
> 
>     This being a security issue I think it's okay to break 3.6. Might
>     even backport to 3.5 if it's easy?
> 
> 
> Is it also a security issue with 2.x? If so, should a fix to 2.7 be
> contemplated?

IMO the IDNA encoding problem isn't a security issue per se. The ssl
module just cannot handle internationalized domain names at all. IDN
domains always fail to verify. Users may just be encouraged to disable
hostname verification.

On the other hand the use of IDNA 2003 and lack of IDNA 2008 support [1]
can be considered a security problem for German, Greek, Japanese,
Chinese and Korean domains [2]. I neither have resources nor expertise
to address the encoding issue.

Christian

[1] https://bugs.python.org/issue17305
[2] https://www.unicode.org/reports/tr46/#Transition_Considerations
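
The IDNA 2003 versus IDNA 2008 difference referenced in [2], as an added example that is not part of the original message: the standard library `idna` codec (IDNA 2003) maps characters such as `ß` and final sigma before Punycode encoding, while IDNA 2008 keeps them, so the same Unicode hostname can resolve to two different ASCII names. The function names and sample hosts are constructed for illustration, and `to_ascii_no_mapping` is a simplified stand-in that performs no IDNA 2008 validation.

```python
import unicodedata


def to_ascii_idna2003(host: str) -> str:
    """Encode with the stdlib 'idna' codec, which implements IDNA 2003 (nameprep)."""
    return host.encode("idna").decode("ascii").lower()


def to_ascii_no_mapping(host: str) -> str:
    """Simplified stand-in for IDNA 2008: keep every character, Punycode each label.

    Assumption: only NFC normalization and lowercasing are applied here;
    a real IDNA 2008 implementation also validates each label.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def diverges(host: str) -> bool:
    """True when the two encodings name different ASCII hosts.

    A certificate issued for one form will not match a client that
    computed the other form, and the two names can have different owners.
    """
    return to_ascii_idna2003(host) != to_ascii_no_mapping(host)


# Constructed sample input: two unaffected names, three affected ones.
SAMPLE_HOSTS = ["example.com", "bücher.de", "faß.de", "straße.de", "βόλος.com"]

if __name__ == "__main__":
    for name in SAMPLE_HOSTS:
        flag = "DIVERGES" if diverges(name) else "same"
        print(f"{name:12} 2003={to_ascii_idna2003(name):20} "
              f"unmapped={to_ascii_no_mapping(name):20} {flag}")
```
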

