hello everyone.
I'd like to start by saying how excited I am about the future of Ethereum and the ENS project. ENS fills a critical need and is visionary in its melding of the functionality necessary for web3.
however, the project suffers from a huge liability and existential threat: zero-width unicode characters, specifically U+200C(ZWNJ) and U+200D(ZWJ), although there may be more of which I'm unaware.
the utility of these two characters comes from ligature writing systems such as sanskrit and arabic, as well as some text art and compound emojis. however, the security risks of these characters far outweigh their potential benefit to the project.
the security threat is that spoofers can easily masquerade as a legitimate business or professional interest, such as visa.eth, shopify.eth, eminem.eth, mavericks.eth et al by simply buying the same domain with 1 or more inserted zero-width characters. this destroys the value of legit .eth addresses and undermines the credibility of the project as the public gets scammed, businesses get disrupted, reputations get damaged and professionals lose credibility.
in the public and business mind, the ENS and Ethereum brands will be associated with risks and scams, and folks will move to a more secure and trusted provider. i do not want that to happen!
in short, zero-width is a bug, not a feature. it is a time bomb waiting to happen, so please do not allow this to progress any further or it will be increasingly difficult and costly to remediate.
currently, the ENS web client correctly filters U+200B(ZWS) and U+FEFF(ZWNBS) in the search function. for example, if the user searches for visa with a trailing ZWS, viz U0076\U0069\U0073\U0061\U200B, it resolves to visa with no trailing ZWS(U0076\U0069\U0073\U0061), thus denying the spoofer of the visa.eth domain.
however, this filter is easily circumvented by searching for visa with a trailing U+200C(ZWNJ), viz U0076\U0069\U0073\U0061\U200C. in this case, the scammer is allowed to procure the spoofed visa.eth domain and wreak havoc upon visa, its customers, and the reputation of ENS and Ethereum.
this behavior will destroy the public and business trust. ENS will be treated as a pariah, and people will avoid such a platform to protect their money, business and reputation.
zero width = zero trust
i urge the ENS team to take immediate action to plug this egregious security hole. a first step would be to fix the web client to disallow all zero width unicode characters or filter them out to be equivalent to the same name without such characters. next, all previously acquired domains using zero width characters must be revoked or disabled. to be fair to the small party of speculators squatting on such domains, ENS could refund their money or give them an in-kind 1-for-1 free swap for an available domain. free swaps are fair.
these actions will be a temporary inconvenience, but are necessary to move forward and achieve trust and mainstream adoption. you may say "but that will be expensive to fix". that may be so, but it will be orders of magnitude more expensive the longer you wait. in the extreme, you could very well run into a "game over" scenario.
if this is not addressed, i fear ENS will be relegated to nothing more than a playground - never realizing its vision and potential.
thank you for your attention.
best regards,
tom
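The filter gap described in the post (ZWS/ZWNBSP stripped, ZWNJ/ZWJ passed through) can be closed by checking the whole Unicode "format" category rather than two hand-picked code points. The following is an added example, not ENS project code: it reports any invisible format characters in a candidate label, builds a canonical form with them removed, and flags a collision against a constructed sample registry (the `checkLabel` and `SAMPLE_REGISTRY` names are assumptions).

```javascript
// Added example (not ENS client code): flag and canonicalise zero-width
// characters in a candidate .eth label before it is searched or registered.
// Assumptions: labels are plain JS strings; SAMPLE_REGISTRY is constructed.

// Unicode general category Cf ("format") covers ZWSP (U+200B), ZWNJ (U+200C),
// ZWJ (U+200D), ZWNBSP/BOM (U+FEFF) and other invisible formatting characters,
// so one test catches the cases the post names plus the ones it may not know.
const FORMAT_CHARS = /\p{Cf}/gu;

// List every format character in a label as U+XXXX with its index,
// suitable for a log line or a UI warning next to the search box.
function findZeroWidth(label) {
  const hits = [];
  for (const match of label.matchAll(FORMAT_CHARS)) {
    const cp = match[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
    hits.push({ index: match.index, codePoint: `U+${cp}` });
  }
  return hits;
}

// Canonical form for collision checks: NFC-normalise, lower-case, and drop
// every format character so "visa\u200C" and "visa" compare equal.
function canonicalLabel(label) {
  return label.normalize("NFC").toLowerCase().replace(FORMAT_CHARS, "");
}

// Policy check for a registration or search request: reject any label that
// contains format characters, and name the existing label it would collide with.
function checkLabel(candidate, registeredLabels) {
  const zeroWidth = findZeroWidth(candidate);
  const canonical = canonicalLabel(candidate);
  const spoofs = registeredLabels.find(
    (existing) => existing !== candidate && canonicalLabel(existing) === canonical
  );
  return {
    ok: zeroWidth.length === 0 && spoofs === undefined,
    canonical,
    zeroWidth,
    spoofs: spoofs === undefined ? null : spoofs,
  };
}

// Constructed sample registry; "visa\u200C" is the trailing-ZWNJ case from the post.
const SAMPLE_REGISTRY = ["visa", "shopify"];
console.log(checkLabel("visa\u200C", SAMPLE_REGISTRY));
```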