
How to avoid punycode attacks on Firefox

What is punycode?

Punycode is a representation of Unicode with the limited ASCII character subset used for Internet hostnames. Using punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits and hyphens, which is called the LDH (Letter Digit Hyphen) subset. The DNS (Domain Name System) standards recommend the use of the LDH subset of ASCII. The punycode syntax is a method of encoding strings containing Unicode characters into the LDH subset of ASCII.

In other words, punycode is a method to convert words that can’t be written in ASCII (because they use Unicode characters) into ASCII-encoded words for use as domain names. For example:

| UTF8 | Punycode |
| --- | --- |
| rubénhortas.github.io | https://xn--rubnhortas-d7a.github.io |

What is a punycode attack?

A punycode attack is a type of homograph attack. Some Unicode characters are very similar to ASCII characters, making them difficult to distinguish with the naked eye.

As the security researcher Xudong Zheng demonstrates in his post Phishing with Unicode Domains, it’s possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061).

Visually, the two domains are indistinguishable due to the font used by some browsers.

The Unicode Consortium provides a long list of confusable glyphs: confusableWholeScript.txt
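As an added example (not code from the original post), the following Python check decodes each xn-- label of a host name and flags labels that read as ASCII once look-alike letters are folded, or that mix scripts. The `LOOKALIKES` table is a small constructed subset of confusable letters, and guessing a letter's script from its Unicode character name is a heuristic assumption.

```python
import unicodedata

ACE_PREFIX = "xn--"

# Constructed sample: a few Cyrillic letters that render like Latin ones.
# The full data set is the Unicode confusables list mentioned above.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l",
}


def to_unicode(label: str) -> str:
    """Decode one xn-- label; plain labels pass through unchanged."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: leave the raw label visible


def to_ace(label: str) -> str:
    """Encode one label to its xn-- form if it has non-ASCII characters."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def scripts(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_host(host: str) -> dict:
    """Report both forms of a host name plus labels that imitate ASCII text."""
    labels = [to_unicode(part) for part in host.split(".")]
    skeleton = ["".join(LOOKALIKES.get(ch, ch) for ch in lab) for lab in labels]
    flagged = [lab for lab, skel in zip(labels, skeleton)
               if not lab.isascii() and (skel.isascii() or len(scripts(lab)) > 1)]
    return {"unicode": ".".join(labels), "ace": ".".join(map(to_ace, labels)),
            "skeleton": ".".join(skeleton), "flagged": flagged}
```

A label such as rubénhortas is not flagged, because it stays within one script and does not fold to plain ASCII.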

How to avoid punycode attacks on Firefox?

This bug was reported to Chrome and Firefox on January 20, 2017, and was fixed in the Chrome trunk on March 24.

Mozilla has a wiki page explaining how Firefox decides whether to display a given IDN label (a domain name is made up of one or more labels, separated by dots) in its Unicode or punycode form: Mozilla IDN Display Algorithm.

The point is that, with Firefox, I’m unable to distinguish the real https://www.apple.com from the Xudong Zheng example https://www.аррӏе.com/, while Chrome and Chromium show https://www.xn--80ak6aa92e.com/ instead of https://www.аррӏе.com/.

I also checked Brave on Android and it shows https://www.xn--80ak6aa92e.com/ too.

Although I understand the need and utility of punycode, I don’t need this behaviour, and I want it off to reduce my exposure to homograph attacks.

To force Firefox to display punycode names, open the about:config tab and set:

network.IDN_show_punycode = true

Enjoy! ;)

This post is licensed under CC BY 4.0 by the author.