Punycode domains could wreak havoc in the security world.

Posted by Duane at 2005-02-08 00:39:08

Finally someone has shown what everyone feared: punycode can cause big security problems, where you think you are going to the real site (in this case paypal.com) but are in fact going to a fake site whose domain has been crafted to look like another. This is a valid concern in every browser except Internet Explorer, and only because Microsoft has failed to implement any major new features in its browser of late. Verisign can come to the rescue and provide you with a punycode plug-in for MS IE that is just as capable of being fooled by the problem. It is possibly the only time Microsoft's lax attitude to giving people what they ask for will save us from more widespread abuse of this. See here for more details about this problem.

In short, punycode is a way of encoding characters from multiple languages in domain names without making major changes to the way domains work to accommodate this directly...

e.g. a domain that looks like paypal.com (using a Cyrillic character for one of the a's) is

www.xn--pypal-4ve.com

which you can then put a link on your website as...

www.pаypal.com

and it will all just work, except that it is not really PayPal's website: the browser converts the Unicode characters into printable form, which makes it look like paypal...
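As an added example (not part of the original post), the following Python decodes the label above the way a browser does for display and then applies two defender-side checks that a CA or browser can run before trusting such a name: a per-label mixed-script test and a confusable-folding comparison against the genuine name. The CONFUSABLES table is a small constructed subset of the Unicode confusables data, not the full list.

```python
import unicodedata

ACE_PREFIX = "xn--"

# Small, constructed subset of the UTS #39 confusables table: Cyrillic letters
# whose glyphs are indistinguishable from Latin ones in most fonts.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def label_to_unicode(label: str) -> str:
    """Undo what the browser does for display: 'xn--pypal-4ve' -> 'p\u0430ypal'."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def decode_hostname(host: str) -> str:
    """Decode every label of a hostname to its displayed Unicode form."""
    return ".".join(label_to_unicode(label) for label in host.split("."))

def scripts_in(label: str) -> set:
    """Heuristic script detection: first word of the Unicode character name
    ('LATIN', 'CYRILLIC', ...). Digits and hyphens are script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def is_mixed_script(host: str) -> bool:
    """True if any single label mixes scripts once decoded, e.g. Latin + Cyrillic.
    Legitimate IDNs are almost always written in one script per label."""
    return any(len(scripts_in(label_to_unicode(l))) > 1 for l in host.split("."))

def skeleton(host: str) -> str:
    """Fold the displayed hostname onto the ASCII string it visually imitates."""
    shown = unicodedata.normalize("NFKC", decode_hostname(host)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in shown)

def imitates(host: str, genuine: str) -> bool:
    """A host that looks like `genuine` but is not the same name code point for code point."""
    return skeleton(host) == skeleton(genuine) and decode_hostname(host) != genuine

if __name__ == "__main__":
    for h in ("www.xn--pypal-4ve.com", "www.paypal.com"):
        print(h, "->", decode_hostname(h), "mixed:", is_mixed_script(h),
              "imitates paypal.com:", imitates(h, "www.paypal.com"))
```

The mixed-script test is the check several browsers later adopted for deciding whether to show the Unicode form or fall back to the raw xn-- label.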

Because of the worries about this problem and about security in general, CAcert has decided not to issue certificates for any domain that contains punycode-encoded characters.
