Zero-width characters pose a security risk and existential threat to ENS

hello everyone.

i’d like to start by saying how excited I am about the future of Ethereum and the ENS project. ENS fills a critical need and is visionary in its melding of the functionality necessary for web3.

however, the project suffers from a huge liability and existential threat: zero-width unicode characters, specifically U+200C(ZWNJ) and U+200D(ZWJ), although there may be more of which i’m unaware.

the utility of these two characters comes from ligature writing systems such as sanskrit and arabic, as well as some text art and compound emojis. however, the security risks of these characters far outweigh their potential benefit to the project.

the security threat is that spoofers can easily masquerade as a legitimate business or professional interest, such as visa.eth, shopify.eth, eminem.eth, mavericks.eth et al by simply buying the same domain with 1 or more inserted zero-width characters. this destroys the value of legit .eth addresses and undermines the credibility of the project as the public gets scammed, businesses get disrupted, reputations get damaged and professionals lose credibility.

in the public and business mind, the ENS and Ethereum brands will be associated with risks and scams, and folks will move to a more secure and trusted provider. i do not want that to happen!

in short, zero-width is a bug, not a feature. it is a time bomb waiting to happen, so please do not allow this to progress any further or it will be increasingly difficult and costly to remediate.

currently, the ENS web client correctly filters U+200B(ZWS) and U+FEFF(ZWNBS) in the search function. for example, if the user searches for visa with a trailing ZWS, viz \U0076\U0069\U0073\U0061\U200B, it resolves to visa with no trailing ZWS (\U0076\U0069\U0073\U0061), thus denying the spoofer of the visa.eth domain.

however, this filter is easily circumvented by searching for visa with a trailing U+200C(ZWNJ), viz \U0076\U0069\U0073\U0061\U200C. in this case, the scammer is allowed to procure the spoofed visa.eth domain and wreak havoc upon visa, its customers, and the reputation of ENS and Ethereum.

this behavior will destroy the public and business trust. ENS will be treated as a pariah, and people will avoid such a platform to protect their money, business and reputation.

zero width = zero trust

i urge the ENS team to take immediate action to plug this egregious security hole. a first step would be to fix the web client to disallow all zero width unicode characters or filter them out to be equivalent to the same name without such characters. next, all previously acquired domains using zero width characters must be revoked or disabled. to be fair to the small party of speculators squatting on such domains, ENS could refund their money or give them an in-kind 1-for-1 free swap for an available domain. free swaps are fair.

these actions will be a temporary inconvenience, but are necessary to move forward and achieve trust and mainstream adoption. you may say “but that will be expensive to fix”. that may be so, but it will be orders of magnitude more expensive the longer you wait. in the extreme, you could very well run into a “game over” scenario.

if this is not addressed, i fear ENS will be relegated to nothing more than a playground - never realizing its vision and potential.

thank you for your attention.

best regards,

tom

4 Likes

this is a huge issue. you are charging people per character for exclusivity and rarity of the name but somebody can make HUNDREDS of copies with zero width joiners that look exactly the same as the original.

Hazards on rarible aren’t enough and they lump in emoji ens names.

One side you have everyday users looking for unique and one of a kind names but these can actually have multiple clones. On the other side you have big business and corporate DNS names that can have clones that look the same when resolved. they look exactly the same in the browser, on dexs, everywhere.

This needs to be top priority imo bc this will seriously erode trust with the community and suffocate ens potential

2 Likes

hey guys look I’m vitalik.eth now and there are 1000s of clones of vitalik.eth still available to buy

I’m visa.eth send me your crypto

People are paying premiums for 3 and 4 char domains but there are thousands of duplicates available that look the exact same for 5 bucks?? This is going to blow up if it’s not handled, feels like it’s being ignored

2 Likes

I can be amazon.eth
markcuban.eth
walmart.eth

Thousands of clones of each available

2 Likes

Zero-Width space wikipedia says this:
ICANN rules prohibit domain names from including non-displayed characters such as zero-width space, and most browsers prohibit their use within domain names, because they can be used to create a homograph attack, where a malicious URL is visually indistinguishable from a legitimate one.

might be relevant. I don’t know what “Representatives of ENS participate in the greater Internet community: ICANN” means though

3 Likes

exactly this yes but .eth ens domains do not prohibit it

they need to be unresolvable and refund all wallets that bought zero width chars

it’s not just big corporate names but the everyday eth users and crypto lovers that were promised unique names and one of a kind emoji names at premiums that will be upset AND people that wanted unique names that were already taken so they bought the same name with zero width, they need to be refunded

The cat isn’t out of the bag yet, but this will ruin .eth names and absolutely tarnish ens reputation if it’s not fixed no doubt a lot of ppl will be upset

3 Likes

There are also some Cyrillic letters that look the same using certain font-faces, for example е and e. Apart from some services putting out a warning sign there isn’t much to distinguish ethereum.eth from еthеrеum.eth.

If it was on me I’d rather only allow the standard [a-z][0-9] and hyphens convention in ENS domains, the same ruleset that applies to dot com domains.

4 Likes

Yes only a-z 0-9 plus hyphens and emojis that don’t use joiners

I hope the team realizes that this will only get bigger and so will the cost to fix it, better to do it now and refund all ppl who bought any unresolvable names on the other side of this.

1 Like

def no chance any names will be refunded, although theoretically it might be possible. but don’t worry, the fees will be put to good use by the decentralized ens community.

anyway you will see that this is not a problem, ens will negate any issue or problem brought forward by users

2 Likes

Hey everyone. So this is called a homoglyph attack, which we talk about in our docs here. We recommend services provide a warning if a name has characters like this or mixes alphabets. I know that at least MetaMask and OpenSea do this already. It would be helpful to have this more widely adopted.

Note that the .ETH registrar is a smart contract, we can’t just revoke or replace names (that’s part of the point) and there are no refunds.

Note also that while vitalik.eth (no special character) and vitalik.eth (with zero width character) look the same, if you just type in “vitalik.eth” it goes to the first one. I tend to think this is mostly a problem for people buying/selling ENS names on secondary markets (someone might get tricked into buying something that isn’t what they think it is), but like I said OpenSea already flags this.

If more needs to be done, we’re certainly open to ideas (but alarmism or trying to force a quick change in the moment isn’t helpful and won’t happen).

in what sense are you open to ideas? Also as you did not respond to that specifically, ICANN rules about zero-width space are not a problem, ENS has nothing to do with that? Or you guys do not agree?

2 Likes

Re the ICANN rule, we’re not a part of ICANN, though we interact with people at ICANN.

“in what sense are you open to ideas”
Not sure what you mean here. If someone has a good practical idea, we may implement it.

ok and besides not being part of ICANN you also do not agree with their idea that a ‘homoglyph attack’ is a problem or something that should be defended against

2 Likes

We do think homoglyph attacks are a problem, which is why we’ve warned against it in our docs, recommended a solution, and in fact some services do use that solution.

So ENS and ICANN have a different opinion on the dangers of a homoglyph attack. why would they otherwise come to a different solution? seems like ENS regards the dangers as less significant?
edit: misread your message

2 Likes

How about prohibiting or “taxing” homoglyphs / other special characters in domains registered (or renewed) in the future? I know it would be an unfair solution but could also reduce their amount in circulation

2 Likes

One problem is that most homoglyphs are otherwise legitimate characters depending on their context/use (think alphabets of other languages, and ENS is for more than just speakers of languages that use the Latin alphabet).

Not sure if we can prohibit a specific character like the zero width character at the protocol level, but that would be a question for @arachnid (who is taking this week off). But note that services can always prohibit or put warnings on names that use possibly confusing characters (as some do already).

1 Like

Since the zero width character is important for emojis, we wouldn’t want to eliminate it entirely. But maybe if it’s not otherwise surrounded by emoji characters? This gets a bit complicated

1 Like
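A sketch of the display-time check discussed in this thread: flag invisible characters (including the U+200C case that the first post says slips past the search filter), let ZWJ through only when it sits between two emoji, and warn on mixed alphabets. This is an added example, not part of any post and not code from ENS, MetaMask or OpenSea; the function names are hypothetical, `\p{Cf}` is an assumed generalization beyond the four code points named above, and the script list is deliberately limited to three alphabets.

```javascript
// Added example; names are hypothetical and sample labels are constructed.
const FORMAT = /\p{Cf}/u;                      // invisible format chars: U+200B/C/D, U+FEFF, ...
const PICTO = /\p{Extended_Pictographic}/u;    // emoji base characters
const SKIP = /\uFE0F|\p{Emoji_Modifier}/u;     // may sit between an emoji and a following ZWJ
const SCRIPTS = {                              // assumption: only these three alphabets are compared
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// True when the ZWJ at index i joins two emoji (e.g. a family emoji).
function zwjJoinsEmoji(cps, i) {
  let j = i - 1;
  while (j >= 0 && SKIP.test(cps[j])) j--;     // step over variation selector / skin tone
  return j >= 0 && PICTO.test(cps[j]) &&
         i + 1 < cps.length && PICTO.test(cps[i + 1]);
}

// Inspect one label (the part before ".eth").
// Returns warnings plus the label with flagged invisible characters removed,
// so a UI can show which plain name the label imitates.
function inspectLabel(label) {
  const cps = Array.from(label);               // iterate by code point, not UTF-16 unit
  const warnings = [];
  const kept = [];
  cps.forEach((cp, i) => {
    const joinsEmoji = cp === "\u200D" && zwjJoinsEmoji(cps, i);
    if (FORMAT.test(cp) && !joinsEmoji) {
      const hex = cp.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      warnings.push(`invisible U+${hex} at index ${i}`);
    } else {
      kept.push(cp);
    }
  });
  const seen = Object.keys(SCRIPTS).filter((s) => cps.some((cp) => SCRIPTS[s].test(cp)));
  if (seen.length > 1) warnings.push(`mixed scripts: ${seen.join("+")}`);
  return { warnings, visible: kept.join("") };
}

// Constructed samples, written with escapes so the invisible characters are visible in source.
console.log(inspectLabel("visa\u200C"));                       // trailing ZWNJ
console.log(inspectLabel("\u0435th\u0435r\u0435um"));          // Cyrillic U+0435 mixed with Latin
console.log(inspectLabel("\u{1F468}\u200D\u{1F469}\u200D\u{1F467}")); // family emoji, ZWJ kept
```

A wallet or marketplace would run this on the label it is about to display and show the warnings next to the name; it does not change what the registrar accepts.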

It’s not a solution bc the names still resolve and can accept payments and function like regular .eth names plus a lot of ppl click to copy and paste the name

My biggest issue personally is that ens is charging ppl and has charged me a premium for 3 and 4 character unique .eth names “to reflect the small number of these names available” but there aren’t a small number available, it’s near infinite

Zero width joiners are characters that aren’t really characters.

If i want bob.eth there are 1000s and 1000s of bob.eth names avail with zero width for 5 bucks not the six hundred i paid. Ok so my bob.eth flashes a warning in metamask but that can and will be ignored bc the name resolves and is functional

The culture will be to ignore that warning bc if ppl want to use a name that is taken they just buy whichever zero width version is available and it looks the same as the original everywhere and they just tell friends and fam yeah ignore the warning it’s actually me. Any cool emoji names can be copied countless times.

Like why are you charging ppl premiums for names that can be copied aesthetically and functionally using zero width joiners and telling ppl no refunds.

You can fix it by upgrading registry and migrating no?

2 Likes

I don’t think this is the same. A name like “bob.eth” without zero width characters can just be typed into a wallet. The same name but with zero width characters can’t be. And in most cases people are typing these things in (in fact this is an advantage of ENS over a crypto address which has to be copy and pasted).