Dear IDN Implementation Guidelines Working Group,

Thank you for all the great work you are doing.

I got interested in IDN homoglyphs and would like to share a few observations that I made (while working on an IDN homoglyph generator based on IDN Tables and Unicode Technical Standard #39). Also, I made a proof-of-concept attack using an IDN homoglyph to do a man-in-the-middle attack on a website with mixed content to create the illusion of an HTTPS-secured connection.

1. IDN Tables are more numerous than necessary and are sometimes redundant.

Consider the following example: TLD .קום has 97 active IDN Tables, most of which are from entirely unrelated languages and even different continents. Note that two of these tables are Ukrainian and Cyrillic.
1.1. First of all, the Ukrainian table is entirely unnecessary from a usability perspective, since no Ukrainian would ever use this TLD, as we have a completely different script: Cyrillic. I cannot even imagine how someone would type this address.
1.2. Secondly, Ukrainian is entirely included in Cyrillic and thus does not really require a separate table. It might be a good idea to recommend that registrars remove (retire) IDN tables that are proper subsets of other tables or, better yet, not use overly permissive tables.
1.3. More importantly, Cyrillic contains a few code points similar to Latin, and thus might allow homoglyphs of some non-IDN second-level labels that are recorded in the DNS as usual ASCII strings (not Punycode).

2. I made a proof-of-concept man-in-the-middle attack with a homoglyph.
2.1. Unsurprisingly, I was able to register a whole-script Cyrillic homoglyph (in the COM space) of a usual ASCII domain and
2.2. got a valid TLS certificate for it.
2.3. Then, I proxied all HTTP traffic on my computer via a server that would redirect all HTTP requests for that specific domain to the homoglyph over HTTPS.
2.4. This simple system allowed me to visit the "secure" HTTPS original site, then click an HTTP link to another page and be redirected HTTP://original -> my local server -> HTTPS://homoglyph, resulting in a visually undetectable man-in-the-middle attack.
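As an added illustration (not part of the original message, nor the generator it mentions), the following Python check shows how a registry or browser-side policy could flag the whole-script Cyrillic confusables discussed in points 1.3 and 2.1: it maps a label through a constructed subset of the UTS #39 confusables data and compares the resulting Latin "skeleton" against existing ASCII labels. The label "ассеѕѕ" and the target "access" are constructed examples.

```python
import unicodedata
from typing import Optional

# Constructed subset of the UTS #39 confusables.txt data: Cyrillic small letters
# that are visually confusable with a Latin letter (the real file has many more).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u051b": "q", "\u0455": "s", "\u051d": "w", "\u0445": "x", "\u0443": "y",
}

def decode_label(label: str) -> str:
    """Return the U-label for an A-label (xn--...) or pass a U-label through."""
    if label.lower().startswith("xn--"):
        # Plain Punycode decoding; IDNA mapping/validation rules are out of scope.
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """Approximate Unicode script from the character name (enough for this check)."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def assess_label(label: str) -> dict:
    """Describe the scripts in a label and its Latin skeleton after confusable mapping."""
    u = decode_label(label)
    scripts = {script_of(c) for c in u} - {"COMMON"}
    skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in u)
    # Every Cyrillic letter has a Latin look-alike, so the whole label can
    # impersonate an ASCII label: the case described in the message above.
    whole_script = scripts == {"CYRILLIC"} and all(
        c in CYRILLIC_TO_LATIN for c in u if script_of(c) == "CYRILLIC"
    )
    return {
        "unicode": u,
        "scripts": sorted(scripts),
        "latin_skeleton": skeleton,
        "mixed_script": len(scripts) > 1,
        "whole_script_confusable": whole_script,
    }

def collides_with_ascii(label: str, existing_ascii_labels) -> Optional[str]:
    """Return the existing ASCII label this IDN label would impersonate, if any."""
    info = assess_label(label)
    if not (info["whole_script_confusable"] or info["mixed_script"]):
        return None
    return info["latin_skeleton"] if info["latin_skeleton"] in set(existing_ascii_labels) else None

if __name__ == "__main__":
    homoglyph = "\u0430\u0441\u0441\u0435\u0455\u0455"  # constructed: looks like "access"
    print(assess_label(homoglyph))
    print(collides_with_ascii(homoglyph, ["example", "access"]))
```

A full deployment would load the complete confusables.txt and the registry's own IDN Tables rather than the constructed subset above.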

Sincerely,
University of Illinois at Urbana-Champaign student
Anton Bershanskiy.