Home / Blogs

IDN and Homographs Spoofing

There is a published spoofing attack using homographs IDN. By using a Cyrillic SMALL LETTER A (U+430), Securnia is able to pretend to be http://www.paypal.com/.

Actually this is well-documented in RFC 3490 under the Security Consideration:

“To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts.  Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l.  DNS zone adminstrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs.”

The problem is that many of the current IDN implementations did not provide any indication that it is an IDN names (instead of a normal one). In fact, Mark Davis1 published a snipplet of code to demostrate how to do despoofing in 2002.

But the fact Secunia is able to register paypal.com (with Cyrillic a), ie xn—pypal-4ve.com begs a question - why are they able to do so?

Even though we have been asking Verisign registry to implement RFC 3743 (aka JET Guidelines) or to follow ICANN IDN Guidelines (specifically on language tag) for many years, they have not done so, and instead opt to allow any IDN strings to be registered. This homographs spoofing attack would not be possible if Verisign have done appropriate step to associate each registered internationalized domain name with one language or set of languages and employ language-specific registration and administration rules that are documented and publicly available (as recommended by ICANN IDN Guideline).

Now, given Verisign is a security company, the “Trust Company”, and they have been following the IDN standardization work from the beginning, I am sure this is well-known to them. Lets hope this report will help change their position before a real phishing attack occurs.

1 Mark Davis is the president of Unicode Consortium.

By James Seng, Vice President

Filed Under


Geoff Sisson  –  Feb 8, 2005 12:22 PM

While limiting IDN labels to codepoints associated with a single language (as per the ICANN IDN guidelines and RFC 3743) does significantly mitigate the problem, it does not eliminate it.  For example the first label in ѕе&#x0445.com contains Cyrillic codepoints only, yet in many browsers is easily confused with its US-ASCII equivalent.  This isn’t an indictement of the guidelines, just a warning that they should not be viewed as a magic bullet.

Geoff Sisson  –  Feb 8, 2005 12:44 PM

[ The link in my previous comment was incorrectly rendered; it should have been: ѕех.com ]

James Seng  –  Feb 9, 2005 2:45 AM

Update: Mark Davis poined out a UTR #36 Security Consideration for Implementation of Unicode and other Related Technologies.

Ben Laurie pointed out I have incorrectly attribute the IDN spoofing to Securnia - it was Eric Johnson.

James Seng  –  Feb 18, 2005 12:07 AM

Update: Found a better reference to the idea Mark Davis proposed back in 2002.

Jerry Burns  –  Mar 2, 2006 4:40 AM

I own the Cyrillic IDN you list (not paypal).  I bought it for fun, not phishing, like buying a fake Rolex that I would never wear. I hate to sound defensive, but you are certainly not the only one to pick on that one domain. It does not pretend to be the original site.  Phony bank, credit card, etc sites and scum/spyware are the real threat. 

Thanks for mentioning paypal, but why pick on my site?  There are several variations of triple X, xbox, xp dot com and many other IDN sites.  If someone registers an ASCII domain name with the word “Microsoft” in it, they are likely to be sued if they use it to deceive. Let the current system handle it along with MS IE7 and other anti-phishing software.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC