In 2020, having an IDN still isn’t easy

As you know, I have owned the éé.net domain since April 2011. This domain name has accents, and as such is considered an IDN, an Internationalized Domain Name.

Since around 2003, it has officially been possible to register a domain name with non-ASCII characters. This enables non-English-speaking countries to get domains tailored to their needs: Chinese, Arabic, Indian and other domains, for example.

In 2011, I was preparing research on IDN vulnerabilities. This was mostly because, thanks to the complexity of Unicode, it is technically possible to use names that are visually similar but not identical. Attackers may register IDNs that look like real domains to users but are not legitimate. Another type of attack uses IDNs to confuse IDS and other network security devices.

That evening, I was really lucky: I started to type random IDN domain names to check, and accidentally found that éé.net wasn’t registered yet. It was probably one of the few times in my life when I literally rushed for my credit card, hoping that nobody would register it before me. Nobody did, and I’m now the proud owner of this domain.

Owning an IDN is very interesting for testing and experimentation. And in 2020 there are still plenty of major websites and services unable to properly handle those domains, including Twitter, for example:

Technically, IDNs are translated to and from plain ASCII using an encoding called Punycode (the form with the xn-- prefix). My domain name, for example, translates to xn--9caa.net. You can try it by entering that in your browser’s URI field.

In general, using xn--9caa.net works around the issues when dealing with incompatible apps and services, but it’s not really convenient. For example, to display éé.net/blog on my Twitter profile, I had to type « xn--9caa.net/blog » on the Profile page, otherwise Twitter complained that my URL wasn’t valid. And many tools, whether web- or CLI-based, still don’t recognize my domain unless I use the Punycode-translated form.
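As an added example (not code from the original post), here is how the Punycode conversion mentioned above looks in Python using its built-in "idna" codec, together with a simple mixed-script check a defender can use against the look-alike domains discussed earlier. The Cyrillic look-alike label is a constructed sample, and the script heuristic based on Unicode character names is an assumption of this example, not a standard.

```python
import unicodedata

# Added example: IDN <-> Punycode conversion with Python's built-in "idna"
# codec, plus a mixed-script heuristic to decide whether a label is safe
# to render in its Unicode form.

def to_ascii(domain: str) -> str:
    """Encode a Unicode domain name to its xn-- (Punycode) form."""
    return domain.encode("idna").decode("ascii")

def to_unicode(domain: str) -> str:
    """Decode an xn-- domain name back to Unicode (accepts either form)."""
    return domain.encode("idna").decode("idna")

def label_scripts(label: str) -> set:
    """Return the set of scripts used in one label (digits and '-' ignored).

    Heuristic (assumption of this example): take the first word of each
    character's Unicode name ("LATIN", "CYRILLIC", "GREEK", ...).
    A production check would use the Unicode Script property instead.
    """
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def is_mixed_script(domain: str) -> bool:
    """True if any label of the domain mixes more than one script."""
    return any(len(label_scripts(lab)) > 1
               for lab in to_unicode(domain).split("."))

def safe_display(domain: str) -> str:
    """Show the Unicode form only when every label is single-script,
    otherwise fall back to the unambiguous xn-- form (as browsers do)."""
    return to_ascii(domain) if is_mixed_script(domain) else to_unicode(domain)

if __name__ == "__main__":
    print(to_ascii("éé.net"))           # xn--9caa.net
    print(to_unicode("xn--9caa.net"))   # éé.net
    # Constructed look-alike: "ex\u0430mple" uses a Cyrillic а (U+0430)
    look_alike = "ex\u0430mple.com"
    print(to_ascii(look_alike), is_mixed_script(look_alike))
    print(safe_display(look_alike))     # falls back to the xn-- form
```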

The issue is even worse with emails. Because it’s fun to try and because I can, I created an éé@éé.net email address. If you want to try it, just send me an email (or to xn--9caa@xn--9caa.net if your MTA really complains) and check what happens… Officially it should work: the RFCs are defined and should be correctly implemented. In practice… well…

Yesterday I visited friends, who shared their Wi-Fi account. My IDN is considered invalid by their ISP, so I had to fill in a form explaining the issue to Swisscom. Fortunately they were quite quick to understand my concerns and to whitelist my domain. (By the way, is it still legit to say « blacklist » and « whitelist »?)

So, I can only recommend that you buy an Internationalized Domain Name to experiment with; it’s fun and interesting.

Mine hosts several tools, but is also a URL shortener, thanks to @OZH‘s YourLS tool. As I was the first user with an IDN, I helped troubleshoot the corresponding plugin.

Bruno Kerouanton on August 15th 2020 in IT Security
