aparkersquare
commented
2 months ago punycode is one (partial) solution to these types of issues for domain-name spoofing.
Consider this DAP @jack/cash.aрр, which uses cyrylic characters to impersonate a CashApp domain name. When converted to punycode this shows as @jack/cash.xn--a-5tba, exposing the impersonation.
Can the DAP spec be limited to ASCII, and apps use punycode to convert customer-entered DAPs to punycode?
This still relies on the converted punycode to be displayed to the customer (this is done in the address bar for domain-names). I'm not sure there is an equivalent for DAPs.
I think there is a high risk for impersonation of DAPs if the
handleanddomaincan use arbitrary UTF-8.Restricting the
handleto ASCII would preclude the use of "real names" for a very large percentage of the world's population.Similarly, the
domainpart of a DAP should support practical domains, which already support IDNsHow can the DAP spec be changed to help mitigate these risks?