
Introducing Internationalized Domain Name (IDN) Support - dwaxe
https://letsencrypt.org//2016/10/21/introducing-idn-support.html
======
jandrese
I assume this is Unicode in domain names?

I can't wait until I start getting phishing mails from domains that use
unicode glyph collision attacks to make them look absolutely legitimate.

Oh, that's not a g in gmail.com, it's some East Asian character on the ass end
of the Unicode character map that just happens to look exactly like a g.

~~~
arm
It doesn’t exactly work that way. Registrars only allow codepoints in specific
ranges (the allowed ranges being different depending on the TLD)¹, so it ends
up not being an issue (full FAQ here²).

Also, more information on internationalized domain names here³.

――――――

¹ — [https://www.dynadot.com/community/help/question/IDN-not-regi...](https://www.dynadot.com/community/help/question/IDN-not-registered)

² — [https://www.dynadot.com/community/help/section.html?category...](https://www.dynadot.com/community/help/section.html?category_id=11)

³ — [https://en.wikipedia.org/wiki/Internationalized_domain_name](https://en.wikipedia.org/wiki/Internationalized_domain_name)

~~~
j4_james
These rules are designed to prevent you mixing codepoints from different
languages, so you couldn't register something that looked like gmail but with
the English 'a' replaced with a Cyrillic 'a'. However, if the name you're
trying to emulate can be reproduced entirely within another language's
character set, you can still impersonate an existing domain.

For example, it may surprise you to know that
[http://www.еа.com](http://www.еа.com) and
[http://www.ea.com](http://www.ea.com) are two different websites, despite the
URLs appearing identical. Edge at least renders the IDN version in its
punycode form, but in Firefox and Chrome the URLs are indistinguishable. It's
quite possible that's a result of my messing with the IDN settings in the
past, though - I'm curious what others see for those links.
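
Added example, not part of the thread: a Python sketch of the distinction described in the comment above, classifying each label of a hostname as plain ASCII, mixed-script, or written in a single non-Latin script whose letters all resemble ASCII ones, and showing the `xn--` form a defender can log or display instead. The `LOOKALIKES` table is a small hand-picked subset and script detection from Unicode character names is an approximation; both are assumptions of this example.

```python
import unicodedata

# Hand-picked Cyrillic letters that resemble Latin ones (constructed for this
# example; a production check should use the full Unicode confusables data).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
              "\u0455": "s", "\u0458": "j"}

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known lookalikes with the ASCII letter they resemble."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)

def classify_label(label):
    """Return (verdict, unicode_form, ascii_form) for one DNS label."""
    if label.lower().startswith("xn--"):
        # Punycode input: recover the Unicode form before inspecting it.
        label = label.encode("ascii").decode("idna")
    label = label.lower()
    ascii_form = label.encode("idna").decode("ascii")
    found = scripts(label)
    if label.isascii():
        verdict = "ascii"
    elif len(found) > 1:
        # What the registrar rules described above are meant to block.
        verdict = "mixed-script"
    elif skeleton(label).isascii():
        # Single script, yet every character imitates an ASCII letter.
        verdict = "whole-script-confusable"
    else:
        verdict = "idn"
    return verdict, label, ascii_form

def classify_host(host):
    """Classify every dot-separated label of a hostname."""
    return [classify_label(part) for part in host.split(".")]

if __name__ == "__main__":
    # Constructed sample inputs: ASCII, all-Cyrillic, mixed, and Hiragana.
    for host in ("www.ea.com", "www.\u0435\u0430.com",
                 "gm\u0430il.com", "\u307f\u3093\u306a"):
        for verdict, uni, ascii_form in classify_host(host):
            print(f"{verdict:24} {ascii_form:16} {uni!r}")
```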

~~~
arm
Ah, that’s pretty interesting… wasn’t aware of that loophole!

Interestingly, Firefox 46 does show them both in non-Punycode form in the
address bar (so they both look the same) while Safari 9 _doesn’t_ ¹; it shows
the first URI as its Punycode representation.

――――――

¹ — [http://i.imgur.com/rrNVlIj.png](http://i.imgur.com/rrNVlIj.png)

------
chrismorgan
I don’t understand: why is this a feature that had to be added? IDNs are just
xn--*, right?

~~~
duskwuff
Their initial certification as a CA was contingent on disallowing IDNs,
probably because they weren't yet fully prepared to recognize potential misuse
of IDNs (like homoglyph attacks).

------
arm
Yes! I’ve been waiting for this for quite a while now. Can finally get a
certificate for my .みんな domain.

