Message294937
zvyn, thanks for your patch.
However I'm sorry to say that Python stdlib's IDNA support is fundamentally broken by design. Therefore I'm against any IDNA related patches until we have addresses multiple issues with internationalized domain names. Our naive support of IDNA in socket module and ssl module is a security issue waiting to be happening.
* Python blindly assume that 'idna' is the only transformation of IDN U-labels into IDN A-labels. That's just plain wrong. Python's idna is really IDNA-2003.
* Besides IDNA 2003 there is also IDNA 2008. Of course the encodings are not compatible to each other.
* The old encoding IDNA-2003 and *MUST NOT* be used for some TLDs like .de because has an incorrect mapping for several characters like 'ß'.
* IDNA-2008 does not support upper case letters. Most applications want to use UTR46 mapping for IDNA-2008.
* On the application side, mapping of IDN U-labels must go through an additional validation layer to counteract homoglyphic confusion attacks. (e.g. cyrillic 'r' looks like latin 'p').
Before we add more security issues to libraries, we should come up with a plan to address this mess. First step: add IDNA-2008 and UTR46 support to stdlib.
I'm deeply sorry for dragging you into this mess. :/
PS: I have removed the 'easy' keyword. |
|
Date |
User |
Action |
Args |
2017-06-01 13:24:09 | christian.heimes | set | recipients:
+ christian.heimes, barry, macfreek, r.david.murray, jesstess, sdaoden, torsten.becker, zvyn |
2017-06-01 13:24:09 | christian.heimes | set | messageid: <1496323449.0.0.544058406391.issue11783@psf.upfronthosting.co.za> |
2017-06-01 13:24:08 | christian.heimes | link | issue11783 messages |
2017-06-01 13:24:08 | christian.heimes | create | |
|