Remember: IDN is crazy. And not just a little.
daniel.haxx.se/blog/2022/12/14…
https://mastodon.social/@bagder/113650752304420701
https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/
2024-12-14 bortzmeyer
@bagder For once, you write wrong things. Just one: the "crazy" example you show is disallowed since IDN does not allow many of these characters: afnic.fr/en/observatory-and-re…
#IDN #Unicode
@bagder IDNs use IDNA not just punycode. While punycode is an algorithm that can encode any Unicode character into ASCII, IDNA adds further rules and hence not all characters can end up in a […]
@bagder The really sad part? All this complexity, all this surface area for nasty bugs, all these opportunities for social engineering.. and they don't even work for their intended purpose!! […]
@bagder
Hey, and this does not include the shenanigans with right-to-left-override and its left-to-right counterpart.
[…]
@bagder it would be fair if you used, for homograph examples, domains where registrars allow mixing of such letters. I am quite certain .com is not such a domain, doubt .se also. Registrars are […]
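The punycode-versus-IDNA distinction raised a few replies up, and the mixed-script homograph question in the reply just above, as an added example (not code from any participant or from the blog post; it uses only Python's standard library, whose "idna" codec implements IDNA2003 nameprep, and the script check is a deliberately rough heuristic based on character names, not a real Unicode Script lookup):

```python
import unicodedata

# Constructed test values: U+202E RIGHT-TO-LEFT OVERRIDE and a Cyrillic "a".
RLO = "\u202e"
CYRILLIC_A = "\u0430"


def punycode_label(label: str) -> str:
    """Raw Punycode (RFC 3492): any Unicode string becomes ASCII, no rules applied."""
    return "xn--" + label.encode("punycode").decode("ascii")


def idna2003_label(label: str):
    """IDNA2003 ToASCII via the stdlib 'idna' codec (nameprep, then Punycode).

    Returns the A-label, or None when nameprep rejects a character
    (bidi controls such as RLO are prohibited by stringprep table C.8).
    """
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def scripts_in_label(label: str) -> set:
    """Heuristic script guess per letter from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC'). Good enough to spot obvious mixing, nothing more."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def looks_like_homograph(label: str) -> bool:
    """Flag a label that mixes Latin letters with another script: IDNA itself
    accepts it, so registry policy or the client has to catch it."""
    scripts = scripts_in_label(label)
    return "LATIN" in scripts and len(scripts) > 1


if __name__ == "__main__":
    for sample in ["bücher", "pay" + RLO + "pal", "p" + CYRILLIC_A + "ypal"]:
        print(repr(sample), "punycode:", punycode_label(sample),
              "idna2003:", idna2003_label(sample),
              "mixed-script:", looks_like_homograph(sample))
```

Running it shows the three outcomes the thread argues about: the umlaut label passes everything, the RLO label is encodable by Punycode but rejected by IDNA, and the Cyrillic-a label is accepted by IDNA and only caught by the mixed-script check.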
@bagder
Nice read.
[…]
@bagder
Get 50% Off FlexHeat Portable Heater - Stay Warm & Save Big! Enjoy efficient, portable heating this winter with our limited-time offer! - bit.ly/4flo5Lt
@bagder IDN-based phishing is the reason I turned off punycode translation in Firefox. So, whenever I see a URL beginning with "xn--" I know this is most likely a phishing attempt.
And if one […]
@bagder and once you start thinking about anti-malware and potential false positives… and/or a clean implementation…