
Author christian.heimes
Recipients barry, christian.heimes, jesstess, macfreek, r.david.murray, sdaoden, torsten.becker, zvyn
Date 2017-06-01.13:24:08
Message-id <1496323449.0.0.544058406391.issue11783@psf.upfronthosting.co.za>
Content
zvyn, thanks for your patch.

However, I'm sorry to say that Python stdlib's IDNA support is fundamentally broken by design. Therefore I'm against any IDNA related patches until we have addressed multiple issues with internationalized domain names. Our naive support of IDNA in the socket module and ssl module is a security issue waiting to happen.

* Python blindly assumes that 'idna' is the only transformation of IDN U-labels into IDN A-labels. That's just plain wrong. Python's idna is really IDNA-2003.
* Besides IDNA 2003 there is also IDNA 2008. Of course the encodings are not compatible with each other.
* The old encoding IDNA-2003 *MUST NOT* be used for some TLDs like .de because it has an incorrect mapping for several characters like 'ß'.
* IDNA-2008 does not support upper case letters. Most applications want to use UTR46 mapping for IDNA-2008.
* On the application side, mapping of IDN U-labels must go through an additional validation layer to counteract homoglyphic confusion attacks. (e.g. cyrillic 'r' looks like latin 'p').

Before we add more security issues to libraries, we should come up with a plan to address this mess. First step: add IDNA-2008 and UTR46 support to stdlib.

I'm deeply sorry for dragging you into this mess. :/

PS: I have removed the 'easy' keyword.
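The mismatch described above, demonstrated with the stdlib alone (an added example, not code from this tracker issue or from CPython): nameprep turns 'faß.de' into 'fass.de', while the plain punycode A-label that an IDNA-2008 registry would hold for the lowercase label keeps the 'ß'; the mixed-script check is one cheap application-side guard against the homoglyph confusion mentioned in the message. Function names and sample hostnames are constructed for illustration.

```python
import unicodedata


def stdlib_alabel(host: str) -> str:
    """A-label as the stdlib 'idna' codec produces it (IDNA-2003 + nameprep).
    Nameprep case-folds and maps 'ß' -> 'ss', so the result can name a
    different domain than the IDNA-2008 A-label."""
    return host.encode("idna").decode("ascii")


def raw_punycode_alabel(host: str) -> str:
    """A-label with no mapping step: each non-ASCII label is punycoded and
    prefixed with 'xn--'. For an already lowercase, valid label such as
    'faß' this is the IDNA-2008 A-label; no validity checks are performed
    here, the point is only the byte-level difference from nameprep."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in_label(label: str) -> set:
    """Rough script detection: first word of the Unicode character name
    for Latin, Cyrillic and Greek letters (constructed heuristic)."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        if name.startswith(("LATIN", "CYRILLIC", "GREEK")):
            scripts.add(name.split()[0])
    return scripts


def mixed_script_labels(host: str) -> list:
    """Return the labels that mix scripts, e.g. Latin 'p' next to Cyrillic 'а'.
    A label written entirely in one confusable script is not caught by this
    check; it is only the first layer of the validation the message asks for."""
    return [lab for lab in host.split(".") if len(scripts_in_label(lab)) > 1]


if __name__ == "__main__":
    for host in ("faß.de", "Faß.de"):
        print(host, "->", stdlib_alabel(host), "vs", raw_punycode_alabel(host))
    print(mixed_script_labels("p\u0430ypal.com"))  # Cyrillic 'а' (U+0430)
```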