The current state of IDN homograph spoofing in 2009 - you don’t need a .CN to do it

Aside from the frightening SSL stuff, Moxie Marlinspike stirred up some good interest in Internationalized Domain Names at Black Hat in DC with his domain lookalike attack. Since I’ve been studying the topic for a while, I wanted to point out some things about IDN people may want to know. At CanSecWest and SOURCE Boston next month I plan to go into it more.

  1. It’s a mess. Wait, I don’t want to sound negative, let’s start over - it’s gotten a lot better. And now, it’s still a mess. The security guidance and boundaries around IDN are scattered between the TLD registry, the registrars, the user-agents, and the IDN specifications. The specs can’t keep pace with the new repertoire, and neither can the frameworks or user-agents.

  2. You don’t need a .CN domain to pull off Moxie’s attack, a .ORG will do the trick. In some browsers, even a .COM will do. I’ll show you how.

  3. IE and Chrome seem to take the safe approach, and just turn most everything to Punycode, but what’s the fun in that? Sort of ruins the IDN experience anyhow.

  4. The other browsers whitelist certain TLD’s, and in some cases allow limited sets of mixed-script.


I haven’t explored how the browsers work in different locales, with different language settings etc. It probably opens up plenty of possibilities.