Phishing with Unicode domains

Xudong Zheng:

Punycode makes it possible to register domains with foreign characters. It works by converting each individual domain label to an alternative format using only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.

Wow. This is really scary. Take a look at his example of making Apple.com’s URL look correct while actually ending up at a potential phishing site.
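To make the mechanism concrete, here is an added Python example (not from Zheng’s post or from any browser’s code) that decodes the Punycode labels above and flags a label that mixes scripts or whose Latin-lookalike “skeleton” collides with a protected name. The confusable table and the protected list are constructed for this example, a tiny subset of the Unicode TR39 data that browsers actually use; the skeleton check is there because script mixing alone misses a label spelled entirely with lookalikes.

```python
import unicodedata

# Hand-picked Cyrillic/Greek letters that render like Latin letters.
# Constructed for this example; real checks use the full Unicode TR39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}

def to_unicode(domain: str) -> str:
    """Decode every Punycode (xn--) label of an ASCII domain into Unicode."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, CJK, ...)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(domain: str) -> str:
    """Replace confusable letters with their Latin lookalikes so that a
    spoof collapses onto the name it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def assess(domain: str, protected=("apple.com",)) -> dict:
    """Report the decoded form, whether any label mixes scripts, and which
    protected name (if any) the domain visually impersonates."""
    uni = to_unicode(domain)
    mixed = any(len(scripts(lbl)) > 1 for lbl in uni.split("."))
    target = skeleton(uni)
    spoof = target if (uni != target and target in protected) else None
    return {"unicode": uni, "mixed_script": mixed, "spoof_of": spoof}

if __name__ == "__main__":
    for d in ("xn--s7y.co", "xn--pple-43d.com", "apple.com"):
        print(d, "->", assess(d))
```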

  • Only worked in Chrome, Opera and Firefox; the latest version of Chrome resolves it. It can be turned off in Firefox. Safari is safe.

  • Sigivald

    SSL should help a little with that (https! Is there anything it can’t do?).

    I’m tempted to agree that browsers should refuse to render Unicode in the location bar or addresses for any language that isn’t mapped to the machine’s locale, by default.