Published: 2009-11-02
Last Updated: 2009-11-02 01:11:04 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

Two days ago, ICANN authorized the introduction of country code top level domains (ccTLDs) using character sets other than the Latin a-z alphabet. This is no earth-shattering change - we have had Internationalized Domain Names (IDNs) using Greek, Cyrillic, Chinese, etc. character sets for several years. The only change is that now the top level domain (the rightmost portion of a domain name) can also be written in characters other than A-Z.

From a security point of view, things might still get "interesting". Back when the IDNs were originally introduced, look-alike domain names and even SSL connections could be credibly faked. Some web servers, firewalls and IDS products also had huge gaping holes as a result of applying their security checks only in ASCII-Land, and ignoring Unicode completely. The past ten years of experience with IDNs have brought the problem reasonably under control, and expanding the IDNs to include top level domains shouldn't be a big deal. But since we all know how software gets "fixed", chances are that history will repeat itself, and we will soon read of a web server that readily divulges application source code when hit with a TLD in Cyrillic...
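A check a proxy, mail filter or log pipeline can apply to the look-alike problem described above, as an added example that is not part of the original diary: it reports, per label, which scripts appear and what the ASCII (punycode) wire form is. The function names are hypothetical, the hostnames are constructed samples, and the script bucket is an approximation taken from the first word of each character's Unicode name, because the Python standard library does not expose the Script property.

```python
import unicodedata

def char_script(ch):
    """Approximate script bucket: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def analyse_hostname(host):
    """Per label: scripts present, mixed-script flag, ASCII wire form."""
    report = []
    for label in host.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        try:
            # Built-in codec (IDNA 2003); this is what resolvers actually see.
            wire = label.encode("idna").decode("ascii")
        except UnicodeError:
            wire = None  # label cannot be encoded; treat as invalid
        report.append({
            "label": label,
            "scripts": scripts,
            "mixed": len(scripts) > 1,
            "wire": wire,
        })
    return report

def is_suspicious(host):
    """True if any single label mixes scripts (e.g. Latin plus Cyrillic)."""
    return any(entry["mixed"] for entry in analyse_hostname(host))

# Constructed sample input, written with escapes so the code points are visible.
SAMPLES = [
    "yahoo.com",                 # plain ASCII
    "y\u0430h\u043e\u043e.com",  # Latin y, h with Cyrillic a, o, o
    "b\u00fccher.example",       # legitimate single-script (Latin) IDN
    "\u0441\u043e\u043c",        # all-Cyrillic label that renders like "com"
]

if __name__ == "__main__":
    for host in SAMPLES:
        for entry in analyse_hostname(host):
            print(ascii(entry["label"]), sorted(entry["scripts"]),
                  "MIXED" if entry["mixed"] else "ok", entry["wire"])
```

The last sample shows the limit of this check: a label written entirely in one non-Latin script is not flagged as mixed, so comparing or logging the `xn--` wire form is still needed alongside it.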

Keywords: dns icann


What's to stop us from following a link to yаhоо.соm when we meant to go to If your browser doesn't do Cyrillic, or if the upload mangles it, the "a", and "" in the first domain name are not ASCII, but Cyrillic look-alikes. Okay, there isn't a .**m TLD, but you see the problem -- there is a disconnection between how you interpret the on-screen glyph and how the computer interprets the character encoding, which makes it seem over-ripe for phishing.
Hopefully the browser developers will add options for filtering or tagging IDN URIs, especially if they are mixed ASCII and non-latin glyphs.
Time for companies to start looking at the permutations of their trademarks using these many new and similar characters...
