Message 278493 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	berker.peksag, christian.heimes, era, loewis, marten, r.david.murray, underrun
Date	2016-10-11.14:52:46
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1476197566.37.0.459016304172.issue17305@psf.upfronthosting.co.za>
In-reply-to

Content
I'm considering lack of IDNA 2008 a security issue for applications that perform DNS lookups and X.509 cert validation. Applications may end up connecting to the wrong machine and even validate the cert correctly. Wrong: >>> import socket >>> u'straße.de'.encode('idna') 'strasse.de' >>> socket.gethostbyname(u'straße.de'.encode('idna')) '72.52.4.119' Correct: >>> import idna >>> idna.encode(u'straße.de') 'xn--strae-oqa.de' >>> socket.gethostbyname(idna.encode(u'straße.de')) '81.169.145.78'

I'm considering lack of IDNA 2008 a security issue for applications that perform DNS lookups and X.509 cert validation. Applications may end up connecting to the wrong machine and even validate the cert correctly.

Wrong:

>>> import socket
>>> u'straße.de'.encode('idna')
'strasse.de'
>>> socket.gethostbyname(u'straße.de'.encode('idna'))
'72.52.4.119'

Correct:
>>> import idna
>>> idna.encode(u'straße.de')
'xn--strae-oqa.de'
>>> socket.gethostbyname(idna.encode(u'straße.de'))
'81.169.145.78'

History
Date	User	Action	Args
2016-10-11 14:52:46	christian.heimes	set	recipients: + christian.heimes, loewis, r.david.murray, underrun, berker.peksag, era, marten
2016-10-11 14:52:46	christian.heimes	set	messageid: <1476197566.37.0.459016304172.issue17305@psf.upfronthosting.co.za>
2016-10-11 14:52:46	christian.heimes	link	issue17305 messages
2016-10-11 14:52:46	christian.heimes	create