[Python-Dev] [ssl] The weird case of IDNA (original) (raw)
Christian Heimes christian at python.org
Sat Dec 30 08:35:35 EST 2017
- Previous message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Next message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 2017-12-30 13:19, Skip Montanaro wrote:
Guido wrote:
This being a security issue I think it's okay to break 3.6. might even backport to 3.5 if it's easy?
Is it also a security issue with 2.x? If so, should a fix to 2.7 be contemplated?
IMO the IDNA encoding problem isn't a security issue per se. The ssl module just cannot handle internationalized domain names at all. IDN domains always fail to verify. Users may just be encouraged to disable hostname verification.
On the other hand the use of IDNA 2003 and lack of IDNA 2008 support [1] can be considered a security problem for German, Greek, Japanese, Chinese and Korean domains [2]. I neither have resources nor expertise to address the encoding issue.
Christian
[1] https://bugs.python.org/issue17305 [2] https://www.unicode.org/reports/tr46/#Transition_Considerations
- Previous message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Next message (by thread): [Python-Dev] [ssl] The weird case of IDNA
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]