Phishing with Unicode domains

Xudong Zheng:

Punycode makes it possible to register domains with foreign characters. It works by converting individual domain labels to an alternative format using only ASCII characters. For example, the domain “” is equivalent to “短.co”.

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “”, which is equivalent to “а”. It may not be obvious at first glance, but “а” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.

Wow. This is really scary. Take a look at his example of making’s URL look correct but end up at a potential phishing site.
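A defender-side check for the homograph problem described in the quoted passage, added here as an example and not taken from Xudong Zheng's post. It converts a domain between its Unicode and Punycode forms with Python's built-in `idna` codec (IDNA 2003) and classifies each label; the function names and the small `LOOKALIKES` table are assumptions made for illustration, and a production check would use the full Unicode confusables data (UTS #39).

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters.
# Assumption for this example; real checks should load the UTS #39 data.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known lookalikes with the ASCII letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)

def classify_label(label):
    if label.isascii():
        return "ascii"
    if len(scripts(label)) > 1:
        return "mixed-script"      # e.g. Latin letters with one Cyrillic letter
    if skeleton(label).isascii():
        return "latin-lookalike"   # whole label imitates an ASCII string
    return "non-latin"             # ordinary internationalized label

def assess(domain):
    """Accept either form of a domain; return both forms plus per-label verdicts."""
    if domain.isascii():
        unicode_form = domain.encode("ascii").decode("idna")
    else:
        unicode_form = domain
    ascii_form = unicode_form.encode("idna").decode("ascii")
    verdicts = [(label, classify_label(label))
                for label in unicode_form.split(".")]
    return {"unicode": unicode_form, "ascii": ascii_form, "labels": verdicts}

if __name__ == "__main__":
    # Constructed inputs: the two cases from the quoted text plus a mixed label.
    for name in ["\u77ed.co", "\u0430.com", "ex\u0430mple.com", "example.com"]:
        print(assess(name))
```

Displaying the `ascii` form whenever a label is classified `mixed-script` or `latin-lookalike` makes the difference visible to the person reading the address.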