February 8th, 2005

IDN and homograph spoofing


There is a published spoofing attack using IDN homographs. By using a Cyrillic SMALL LETTER A (U+0430), Secunia is able to pretend to be http://www.paypal.com/.

Actually this is well documented in RFC 3490, under the Security Considerations section:

To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts. Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l. DNS zone administrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs.

The problem is that many of the current IDN implementations do not provide any indication that a name is an IDN (rather than an ordinary ASCII name). In fact, Mark Davis [1] published a snippet of code to demonstrate how to do despoofing in 2002. [2]

But the fact that Secunia is able to register paypal.com (with a Cyrillic a), i.e. xn--pypal-4ve.com, raises a question: why are they able to do so?
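As an added example (constructed for this post, not the original's code and not Mark Davis's despoofing snippet), the following Python check implements the two points made above: it flags any label that mixes scripts, which is the visual-indication case RFC 3490 asks implementations to handle, and it shows the Punycode (xn--) form that a browser or registry could display instead of the Unicode form. It uses the standard-library idna codec; since Python exposes no Unicode Script property, the script of a letter is approximated from the first word of its unicodedata name, which is an assumption of this example. The sample names are constructed, apart from the paypal lookalike the post describes.

```python
import unicodedata

# Constructed sample names. The second one is the case discussed in the post:
# a Latin label with a single Cyrillic SMALL LETTER A (U+0430) in it.
SAMPLE_NAMES = [
    "paypal.com",                               # plain ASCII, no IDN involved
    "p\u0430ypal.com",                          # Cyrillic a in an otherwise Latin label
    "b\u00fccher.example",                      # legitimate IDN, single script (Latin)
    "\u043f\u043e\u0447\u0442\u0430.example",   # all-Cyrillic label, single script
]


def script_of(ch):
    """Coarse script classification for one character.

    Heuristic stand-in for the Unicode Script property: the first word of the
    character name ("LATIN", "CYRILLIC", "GREEK", "CJK", ...). Non-letters such
    as digits and the hyphen are treated as Common and ignored when deciding
    whether a label mixes scripts.
    """
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "Unknown"


def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label} - {"Common"}


def to_ace(name):
    """ACE (Punycode, xn--) form of a whole domain name via the stdlib idna codec.
    Pure-ASCII labels pass through unchanged."""
    return name.encode("idna").decode("ascii")


def analyze(name):
    """Describe a name: whether it is an IDN, its xn-- form, and which labels mix scripts.

    Note that same-script confusables (zero vs O, one vs l, as RFC 3490 also
    mentions) are not caught by a mixed-script check; they need a confusable
    table, which is outside this example.
    """
    labels = name.split(".")
    mixed = [lab for lab in labels if len(scripts_in_label(lab)) > 1]
    return {
        "name": name,
        "is_idn": any(ord(c) > 0x7F for c in name),
        "ace": to_ace(name),
        "mixed_script_labels": mixed,
    }


def display_form(name):
    """What a cautious user agent could show: the Unicode form when every label
    is single-script, the xn-- form when any label mixes scripts."""
    info = analyze(name)
    return info["ace"] if info["mixed_script_labels"] else name


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        info = analyze(n)
        flag = "MIXED SCRIPT" if info["mixed_script_labels"] else "ok"
        print(f"{n!r:40} idn={info['is_idn']!s:5} ace={info['ace']:28} {flag}")
        print(f"{'':40} display as: {display_form(n)}")
```

Running it shows the lookalike encoded to exactly the xn--pypal-4ve.com string mentioned above and flagged as mixed-script, while bücher.example (a single-script IDN) is left alone; the check is deliberately per label, since a name can legitimately mix scripts across labels.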

Even though we have been asking the Verisign registry for many years to implement RFC 3743 (aka the JET Guidelines) or to follow the ICANN IDN Guidelines (specifically on language tags), they have not done so, and instead opted to allow any IDN string to be registered. This homograph spoofing attack would not be possible if Verisign had taken the appropriate steps to associate each registered internationalized domain name with one language or set of languages and to employ language-specific registration and administration rules that are documented and publicly available (as recommended by the ICANN IDN Guidelines).

Now, given that Verisign is a security company, the “Trust Company”, and that they have been following the IDN standardization work from the beginning, I am sure this is well known to them. Let's hope this report will help change their position before a real phishing attack occurs.

[1] Mark Davis is the president of the Unicode Consortium.

[2] Updated 18th Feb: found a better, working example.

Update: Mark Davis pointed out UTR #36, Security Consideration for Implementation of Unicode and other Related Technologies.

Ben Laurie pointed out that I had incorrectly attributed the IDN spoofing to Secunia; it was Eric Johnson.
