Moving ENS farther from becoming Web 3.0 infrastructure

Yesterday, domain name trader “Hero Jie” published an article titled “Please stop registering all ENS domain names because it is worthless” on his personal Mirror. Hero Jie claims to be a senior Web2.0 domain name trader. He has sold many well-known domain names such as xiaomiquan and wuyinli, and still holds the high-quality domain name ouyi.

The article pointed out a design omission involving the invisible “ZWJ” (a zero-width character) that creates a major hidden security risk for ENS. The article has circulated widely in some crypto communities and has caused some investors to question ENS.

This problem allows multiple .eth domains that look identical to the naked eye to exist at the same time. Just as Web3.0 set out to revolutionize the outdated traditional Internet, ENS in the Web3.0 era also brings phishing attacks a new and upgraded method that did not appear in Web2.0.

At this stage, the “.eth” domain name is mostly used as a “screen name”. A unique .eth domain name is like a QQ account in the Web2.0 era. In an application scenario like this, which can hardly be called infrastructure, some design omissions may cause trouble to users, but they cannot shake the leading position of ENS as a decentralized domain name.

But once the vision of ENS is realized, can this omission still be ignored? “Decentralised naming for wallets, websites, & more.” This is the grand mission written in striking fonts on the ENS official website. In this vision, ENS will become the domain name system for naming all digital resources, and opening theblockbeats.eth is as natural as opening. At that point, the zero-width characters of ENS will bring far-reaching security risks to the entire Web3.0 world.

Zero-width characters move ENS one step farther from becoming Web 3.0 infrastructure.

I, V God, make money

When you see “vitalik.eth”, who do you think this person is? There is no doubt that this ENS domain name is owned by Buterin. So, can I register this domain name? According to the rules of ENS, this domain name has already been registered, and other users naturally cannot register the same domain name. But it is worth noting that “the same” here only means exactly the same to the computer. So, is there any way for me to get a domain name that is different from Buterin's domain name but looks the same?

Of course there is: just insert the ZWJ anywhere.

ZWJ (zero width joiner) is a zero-width character, and this symbol is quite special. For computers, ZWJ is still a character with its own code point in the Unicode character set; if you type this character in Word, it is still counted in the word count. The width of this character is 0, which means that zero-width characters are completely invisible to the naked eye.

This means that I can register an ENS domain name that looks exactly the same as Buterin's domain name by inserting zero-width characters anywhere in the word “vitalik”.

When registering an ENS domain name, simply typing “%E2%80%8C” or “%E2%80%8D” anywhere inserts a zero-width character into a word. In this way, an ENS name that looks the same as V God's can be successfully registered. If the name with one zero-width character inserted has already been registered by someone else, you can even insert two, three, four…

If the ENS of the domain name is not good, the narrative will be unsustainable

ENS is not only one of the important infrastructures of the Ethereum network, but also an important infrastructure of the Web3.0 network. The founder of ENS has publicly stated that the vision of ENS is to be “a domain name service provider for every digital resource in the world”: not only the user’s account name, but the naming system of the entire Web3.0 network.

Remember the early visions of the initial version of Web 3.0? Decentralized storage saves files, decentralized domain names provide an addressing system, smart contracts provide on-chain computing, and decentralized wallets act as payment channels. In this version of Web3.0, everything runs on a decentralized Web that is permissionless and censorship-free: a truly free internet. In this version, using a Web3.0 browser to access theblockbeats.eth is as natural as opening

Unfortunately, this version of Web3.0 has not yet been implemented. And mainstream browsers have not yet supported access to .eth domain names. Although ENS is still under construction, it seems unlikely that it will become the mainstream infrastructure for this version of Web 3.0. If it is really built, it will also leave huge security risks for web surfing in the Web3.0 era.

Thinking back carefully, how did you open this article?

You must have seen a link to this article somewhere, and a mouse or finger click took you to this page. Rather than typing a long string of into the address bar. Needless to say, almost all users are using URLs to surf the web. Criss-crossing hyperlinks, one after another, make up the Internet of our era. Hyperlinks organize the complicated information on the Internet. Hyperlinks provide search engines with the technical basis for finding information. Hyperlinks give information an open and free channel of interconnection. It can be said that without hyperlinks, there would be no Internet in today’s world.

Can a Web3.0 website based on an ENS domain name do all this? At least for now it is extremely difficult. Because it brings us a great security risk.

In the era of Web 2.0, phishing website attacks cause serious losses to netizens all over the world, even though a domain name cannot be duplicated. Imagine that you see a link shared by a netizen while surfing the Internet. The link appears to point to a well-known platform. The spelling of the domain name looks exactly the same as the real address, so you click on it. But it is actually a phishing site faked with zero-width characters.

When users are just making peer-to-peer transfers, the habit of manually entering zero-width characters may be an innocuous prank. That all changes when ENS tries to fulfill its mission of naming all digital resources. Web2.0 phishing relies on domain names that are merely similar, while Web3.0 phishing has advanced to names that look completely identical. This would be a major security risk.

We live in an internet woven from hyperlinks. DeFi, trading platforms, Web3.0 blogs, Web3.0 social networking; website links, dapp links, API links, entry links for all use cases… If a .eth domain name that appears in the form of a link is no longer credible, how does .eth expand its use case beyond “screen name”? How does it become Web3.0 infrastructure? How does the grand narrative of the ENS domain name continue? This risk may fundamentally impact the ENS valuation system.

Ironically, this problem doesn’t even exist in Web 2.0.

How does Web2.0 solve this problem?

The solution for Web 2.0 is simple and straightforward: using a mix of zero-width characters and Latin letters as domain names is not supported. For details, please refer to the “UTS46” standard of the “IDNA2008 Specification”.

Earlier we mentioned the two mysterious codes for zero-width characters, “%E2%80%8C” and “%E2%80%8D”. These are the UTF-8 encodings written in hexadecimal. Their Unicode code points are “U+200C” and “U+200D” respectively. These characters are often used in scripts such as Arabic and Indic to control whether ligatures occur between characters. In most other languages, you cannot type these characters.

In Web2.0 domain name registration, such special characters are not accepted. But this does not mean that Web2.0 has no similar attack methods. In fact, phishing websites disguised with similar-looking domain names have always been widespread in the Web 2.0 world.

For example, can you accurately distinguish between “e” and “е”, “a” and “а”, “Ο” and “O”, and “О”? These letters include the Latin letters that we use frequently, and the less common Cyrillic and Greek letters.

Initially, domain name registrations only supported ASCII characters, that is, what we commonly call “English letters” and Arabic numerals. This is also the most widely used character set around the world. Almost all devices that can display characters support ASCII, but they may not be able to display other characters normally. After the popularization of IDNs (Internationalized Domain Names), domain name registration added support for multiple languages and scripts, extending the supported characters from the ASCII character set to part of the Unicode character set. This allows people all over the world to register domain names in their native language. Taking Chinese as an example, you can directly access Xinhuanet through “http://Xinhuanet.china/”.

It is not difficult to find characters similar to Latin letters among so many scripts. Phishing websites disguised with such look-alike characters have gradually increased. This fraud is known as a homograph attack.

Back in 2001, security researchers in Israel published a paper called “The Homograph Attack” and registered a variant of that contained Cyrillic letters. This is also the first homograph fraudulent domain name that can be verified. It can be said that the homograph problem has a long history in the Web2.0 era, but its harm and severity are far less than those of the ENS domain names of Web3.0.

Let’s take a group of IDN domain names as an example: ԚԚ.com, аӏірау.com, аӏірау.com. Open these domain names, what can you see?

The browser automatically converts the domain name to a domain name starting with “xn--”, which is called Punycode.

In the specification of “IDNA2003”, in order to avoid homograph fraud, domain names should undergo secondary processing, a process called “compatibility normalization (NFKC)”. In non-ASCII character domains, all characters can be converted by Punycode to the more general ASCII characters (“xn--” domains). This encoding method follows the UTR36 standard and has been used by mainstream browsers, which reduces the risk of homograph attacks from the user side.

Similarly, ICANN has also made corresponding specifications for the registration of IDN domain names. Domain name registration organizations in various countries are also gradually following up. For example, the Russian domain name management agency has banned the mixing of Cyrillic and Latin letters in .ru domain names.
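The two defences described above, rejecting mixed-script labels at the registry and showing the “xn--” form in the browser, sketched as an added example (not code from ICANN, any registry or any browser). The function names and sample domains are constructed for illustration, and the ASCII form comes from the JavaScript runtime's URL parser.

```javascript
// Added example: per-label script audit plus the ASCII ("xn--") form.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Which of the three scripts appear in one label (digits and "-" count as none).
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// ASCII form as produced by the URL parser; null if the parser rejects the name.
function toAscii(domain) {
  try {
    return new URL("http://" + domain).hostname;
  } catch {
    return null;
  }
}

// One record per label: scripts seen, mixed-script flag, and non-ASCII code points.
function auditDomain(domain) {
  return domain.split(".").map((label) => {
    const scripts = scriptsOf(label);
    const nonAscii = [...label]
      .filter((ch) => ch.codePointAt(0) > 0x7f)
      .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
    return { label, scripts, mixed: scripts.length > 1, nonAscii };
  });
}

// Constructed samples: plain ASCII; Latin with one Cyrillic letter; all-Cyrillic look-alike of "cope".
for (const d of ["example.test", "ex\u0430mple.test", "\u0441\u043E\u0440\u0435.test"]) {
  console.log(toAscii(d), JSON.stringify(auditDomain(d)));
}
```

The all-Cyrillic sample is not flagged as mixed, which is why the ASCII form and the code point list are reported alongside the mixed-script flag.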

ENS domain names undoubtedly support far more characters than DNS domain names. Not only can you register names in various scripts as with DNS, you can even register names with emoji, as well as with the zero-width characters whose security risk is now hotly debated. (It is worth mentioning that emoji domain names are not unique to Web3.0; root domains such as “.tk” and “.ws” among traditional domain names also support emoji registration.)

In Web3.0, can we eliminate this hidden danger through similar means?

Facing homograph attack, ENS developers have ambiguous attitude

Sadly, the ENS developers don’t seem to plan to address this from the registry entry.

In discussions in the ENS community, this issue was raised by users as early as April 2021. The ENS developers explained that the support for zero-width characters is at the contract level, so there is no way to remove these characters that may be used for fraud. In addition, there is a more important reason: zero-width characters underpin the use of emoji in ENS.

ENS founder nick.eth responded to the zero-width character issue: “We’re not as strict as ICANN on most gTLDs, and domains like emoji use ENS very well.” “ENS prohibits parsing domain names that are not UTS-46 canonical are not implemented at the contract level – it is impractical to write the spec into a contract – this should be part of the problem that the client needs to solve.” Of course, he also made positive comments for users. “We will consider supplementing the normative rules to prohibit the situation you find.”

The emoji set is complicated. In fact, a large number of emoji are composites of basic emoji. For example, “woman”, “zero-width character” and “rocket” joined together are recognized by the computer as “astronaut”. With zero-width characters, more emoji can be expressed from a smaller set of code points. This is the basis on which ENS supports almost all emoji, and therefore ENS cannot block the use of zero-width characters.

Earlier we mentioned the “.tk” domain name of Web2.0, which is the first domain name in the world to support emoji. How does the traditional Web2.0 domain name solve this problem? In the “UTS46” standard of the “IDNA2008 Specification” mentioned above, the use of zero-width characters in different scripts and in emoji is strictly regulated.

During discussions in April, nick explained to community members that the use of zero-width characters is at the smart contract level, “but that’s fine, ENS has always been designed that way.” “The whitelist rule is useless here because domain names can contain multiple characters, not just emojis.”

Risk control and hidden danger elimination

As of now, we haven’t seen any contract-level fix from the ENS team for this security risk. All prevention of this risk is done by centralized Web2.0 front ends.

In OpenSea, ENS domain names that contain zero-width characters are marked with a yellow exclamation point.

On Etherscan, ENS domains with the same vulnerability are marked with an asterisk.

On MetaMask, although no additional risk warning is given, MetaMask can recognize that the string contains a zero-width character and displays this character as “?”.
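A display-time check of the kind these front ends perform, as an added example (not the code of OpenSea, Etherscan or MetaMask, and not the ENS normalization algorithm). It assumes a simple heuristic: U+200D is tolerated only between two emoji, as in the woman + joiner + rocket sequence mentioned earlier, and every other U+200C or U+200D is flagged and made visible; the function names and sample names are constructed.

```javascript
// Added example: flag zero-width characters in a name before it is displayed.
const ZERO_WIDTH = new Set([0x200c, 0x200d]); // the two code points named in the article
const EMOJI = /\p{Extended_Pictographic}/u;
const EMOJI_SUFFIX = /[\uFE0F\u{1F3FB}-\u{1F3FF}]/u; // variation selector-16, skin-tone modifiers

// True when the U+200D at index i joins two emoji (e.g. woman + joiner + rocket).
function isEmojiJoiner(cps, i) {
  if (cps[i] !== 0x200d) return false;
  let prev = i - 1;
  while (prev >= 0 && EMOJI_SUFFIX.test(String.fromCodePoint(cps[prev]))) prev--;
  const before = prev >= 0 && EMOJI.test(String.fromCodePoint(cps[prev]));
  const after = i + 1 < cps.length && EMOJI.test(String.fromCodePoint(cps[i + 1]));
  return before && after;
}

// Accepts a name as received (possibly percent-encoded) and returns
// { suspicious, positions, display }, where display shows hidden characters.
function inspectName(raw) {
  let name = raw;
  try {
    name = decodeURIComponent(raw);
  } catch {
    // Malformed percent-encoding: inspect the raw string as-is.
  }
  const cps = Array.from(name, (ch) => ch.codePointAt(0));
  const positions = [];
  let display = "";
  cps.forEach((cp, i) => {
    if (ZERO_WIDTH.has(cp) && !isEmojiJoiner(cps, i)) {
      positions.push(i);
      display += `<U+${cp.toString(16).toUpperCase()}>`;
    } else {
      display += String.fromCodePoint(cp);
    }
  });
  return { suspicious: positions.length > 0, positions, display };
}

// Constructed sample inputs.
const samples = ["vitalik.eth", "vita%E2%80%8Dlik.eth", "vi%E2%80%8Ctalik.eth", "\u{1F469}\u200D\u{1F680}.eth"];
for (const s of samples) console.log(JSON.stringify(inspectName(s)));
```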

With the help of centralized means, the security risks of ENS domain names are reduced to a certain extent. But when we enter a completely open Web3.0 world, how much of a role will centralized means play? If this hidden danger cannot be eliminated, ENS is still far from its vision of naming all digital resources.

Someday in the future, someone will send you a link to an announcement at http://www.binance.eth, do you dare to click it?

Posted by: CoinYuppie