The benefits of the zero-width symbol over ENS will be greater than you might think.

区块律动BlockBeats view 52206 2022-1-10 10:31
share to
Scan QR code with WeChat

Yesterday, “Hero Jie,” a veteran Web2.0 corporate registrar, posted an article on his personal mirror titled “All names on ENS are invalid, please leave a comment.” register registration. "Hero Jie is claimed to be the main provider of Web2.0 domain names, has sold many famous brands such as xiaomiquan and wuyinli, and also owns the best brand name ouyi.

The article pointed out that the development due to the absence of "ZWJ" (Zero Width Characters) poses a significant risk to the security of the ENS.The phrase has grown in some crypto communities and has surprised some investors about ENS.

This issue can cause many similar .eth domains to appear simultaneously with the naked eye. Just as Web3.0 revolutionized the existing Internet, in the age of Web3.0, ENS introduced a new upgraded phishing attack method that was not seen in Web2.0.

actual level,".Eth" domain names are used more frequently than "screen names". A unique eth name is similar to a QQ account in the Web2.0 era.In this application, which is difficult to ask for for construction, part of the design will hurt the users, but in the end, it will not be able to affect the homing of the ENS in the recording list.

And once the vision of the ENS has been realized, can we still ignore it? "The portfolio, the site tooSuite“It is a great responsibility boldly written on the official ENS website. In this vision, ENS will become the registered domain name for all digital assets, opening theblockbeats.eth would be like opening theblockbeats.info, and the zero-width symbols in ENS would make it more secure. Good luck to all Web3. do Global 0 ..

Zero-width generation takes ENS one step further into the Web3.0 infrastructure.

Me, my God, I play with money

Who do you think this person is when you watch “vitalik.eth”? There is no doubt that this ENS domain name is from Buterin. Can I register this name? According to ENS rules, this domain name is already registered and no other user can register the same domain name. However, it should be noted that we only send the same domain name for these computers. So, is there a way to come up with a different domain name that is the same as the butterfly print?

details, just insert ZWJ anywhere.

The ZWJ (zero-width joiner) is a zero-width joiner, and this symbol is very special. On a computer, a ZWJ is always a symbol and has an independent Unicode character set, so if you type that symbol in Word, it is still considered a word. These symbols are zero width, which means zero width symbols are invisible to the naked eye.

This means that by inserting the zero width symbol anywhere in the word "vitalik" you can register the ENS name which is synonymous with your V-God name.

零宽字符对ENS的影响 或比你想象的更大

When registering an ENS domain name, just type "" or "‍" anywhere to insert zero-width characters into a word. This way, V God with the same ENS can register well. You can insert two, three, or four if, after inserting the zero-width characters, they are still listed in the dictionary.

The description does not last long because the ENS record name is incorrect.

ENS is not only one of the key components of the Ethereum network, it is also an important factor in the development of the Web3.0 network. The founders of the ENS have publicly declared that the vision of the ENS is to become "the leading provider of all digital services in the world". It is known for the entire Web3.0 network, not just the user account.

Do you remember your first impression of the early days of Web 3.0? Distribution of records, distribution of records, provision of addresses, smart contracts capable of counting phones and distribution of wallets based on payments. In this version of Web3.0, everything that runs on the web is decentralized, authorized, censored, it is a truly free internet. In this version, accessing blockbeats.eth using the Web3.0 browser is equivalent to opening blockbeats.info.

Unfortunately, this version of Web3.0 is not yet available. And mainstream browsers do not yet support accessing .eth domains. ENS is still under development, but it does not appear to be a major fix for this version 3.0 site. If truly designed, it would pose a huge risk to shipping in the Web3.0 age.

If so, how did you come to write this article?

You may have already found a link to this article, click your mouse or finger to point it to this page. Not a long line at https://www.theblockbeats.info/news/28611 in the address bar. Needless to say, almost all users surf the web using URLs. Hyperlinks to the Internet Today Hyperlinks Create Complex Data on the Internet Hyperlinks provide basic technology for search engines to find information. Without hyperlinks, the modern world would be without the Internet.

Can Web3.0 comply with ENS registration for all of these? It's very hard, at least for now. Because it poses a serious security risk.

In the era of Web 2.0, phishing attacks have wreaked havoc on Internet users around the world, even though the domain name could not be established. Imagine that you are surfing the Internet and see a link shared by a surfer.The "Visible" link is clickable because the domain name and the physical address are spelled exactly the same on well-known platforms. But in fact, it is a phishing rig website with zero width characters.

There is no risk associated with the behavior of users of manually entering zero-width characters when switching to peer-to-peer. Everything changed when the ENS was set up to fulfill its role of membership in all digital services.Phishing in Web2.0 is similar in terms of recording, but phishing in Web3.0 has been redesigned to match perfectly.it can be very dangerous.

We are hyperlinks online. DeFi, trading platform, Web3.0 blog, Web3.0 social network, website link, app link, API interface link, subject link for all use cases ... if the domain name. eth present as a link is no. can't believe it anymore. How does .eth continue to use "screen name" data? How to build a Web3.0 infrastructure? How does the epic of enrollment at the ENS continue? These risks can have a significant impact on the ENS measurement system.

Ironically, this problem does not exist in Web2.0.

How does Web2.0 solve this problem?

The solution for Web 2.0 is simple and clear.Combining zero-width and Latin characters in registers is not acceptable.For more information, see specification "UTS46" in "IDN2008 specification".

In the past, we have dealt with two ambiguous symbols between the zero-width characters "" and "‍". This is the UTF-8 encoding of hexadecimal. The Unicode numbers are "U 200C" and "U 200D" respectively. These symbols are often used in scripts such as the Arabic and Indian languages ​​to control the way ligatures occur in characters. You cannot type these characters in another language.

The Web2.0 domain name does not allow these unique characters. However, this does not mean that Web2.0 does not have a similar attack. In fact, phishing websites that hide similar names are still present in the Web2.0 world.

For example, do you know the difference between "e" from "е", "a" from "а", "Ο" from "O" and "О"? These letters include the Latin alphabet that we commonly use, as well as the Cyrillic and Greek alphabets.

Initially, the domain name only supports ASCII characters, "English" and Arabic numbers as we speak. It is also the most widely used symbol in the world, and almost all devices that support ASCII characters, but will not publish other native characters. With the popularity of internationalized domain names (IDNs), registrants have extended ASCII support characters to certain Unicode characters, adding support for multiple languages. This allows people all over the world to register in their native language and directly access Xinhuanet at "http: //Xinhuanet.china/", for example in Chinese.

It is not difficult to find letters like Latin letters in many letters. The use of similar characters as fake phishing website for fraud purposes is increasing. This fraud is called a homomorphic attack.

In 2001, Israeli security officials published an article titled "Isomorphic Attacks" and recorded a variant of microsoft.com with Cyrillic symbols. It is also the first register of homophobic scams identified. Although the homozygote problem has a long history in the Web2.0 era, its damage and severity is less than that of the ENS registry in Web3.0.

Take the IDN domain name as an example. .com, аӏірау.com, аӏірау.com. What do you see when you open this domain name?

零宽字符对ENS的影响 或比你想象的更大

Your browser automatically translates domain names to domains beginning with "xn--", an encoding called Punycode.

The "IDNA2003" specification requires that registrants receive a second process called "Compatibility Normalization (NFKC)" to prevent homozygous fraud. All non-ASCII characters can be converted from Punycode to multiple ASCII characters ("xn--" domain). This encoding method follows the UTR36 standard and is used by major browsers to reduce the risk of user-side isomorphism.

Likewise, ICANN applied this custom when registering the IDN domain name. Registration in many countries is also gradually being followed, for example, the Russian government has banned the combination of Cyrillic and Latin characters in .ru names.

ENS domain names support much more characters than DNS domain names, not only can you register domain names with multiple names like DNS, but you can also register domain names with emoticons. This time we are talking about security risks. (It should be noted that emoji namespaces are not unique to Web3.0. Root names such as ".tk" and ".ws" on existing domain names also support emoji registration. )

Is there a similar way to remove hidden threats in Web3.0?

Faced with the homomorphic attack, the manufacturers of ENS lack clarity.

Unfortunately, the ENS developers do not seem to intend to fix this problem during registration.

In a discussion from the ENS community, this issue was raised by early adopters in April 2021. The ENS developers explained that support for zero-width characters is promising. , so there is no way to remove these symbols which can be used to deceive. Additionally, there are several important reasons why zero-width characters support the use of emoticons in ENS.

零宽字符对ENS的影响 或比你想象的更大

Regarding the zero-width issue, ENS founder nick.eth said, “We are not as strict as ICANN for most gTLDs, and both administrators and emoticons use ENS well. “The ENS prohibits the exclusion of recordings that are not covered by the UTS-46 standard. It is not used in the contract, so there is no need to include any information in the contract. This should be part of the problem the user needs. resolve. "Of course, it also provides user feedback." We will make another decision. A policy that restricts the situation you see. "

The number of emoticons is complex. In fact, many emojis are a simple mix of emojis. For example, "female", "zero width character" and "rocket" are recognized by the computer as "astronaut" when they are connected. Together .. zero-width characters allow you to join multiple sentences as a subtraction. And this is the basis on which ENS supports almost all emojis.Therefore, ENS cannot prevent the use of zero-width characters.

In my previous article I mentioned the ".tk" domain name of Web2.0, the world's first domain name that supports emoji, the existing Web2.0 domain name will be resolved. How is this problem? The "UTS46" model of the "IDN2008 specification" mentioned above strictly regulates the use of zero-width symbols and the use of emoticons in other texts.

零宽字符对ENS的影响 或比你想象的更大

In an interview in April, Nick explained to community members that the use of zero-width symbols is at the smart contract level."It doesn't matter, though. ENS has always been designed that way.""The free registration rule is unnecessary here, because domain names can have many symbols, not just emoji."

Manage risks and eliminate hidden risks

To date, we have not seen any action taken by the ENS team to address risk risks at the contract level. All precautions against this risk are taken from the middle of the Web2.0 front-end.

In OpenSea, ENS domain names with a zero width symbol are marked with a yellow dot.

零宽字符对ENS的影响 或比你想象的更大

ENS domains with the same drawback in etherscan are marked with a star.

零宽字符对ENS的影响 或比你想象的更大

While there is no other danger warning from Metamask, Metamask recognizes that the string has zero-width symbols and may place these symbols as "?".

零宽字符对ENS的影响 或比你想象的更大

With the help of centralized means, the security risk of ENS enrollment is reduced to some extent. But what is the main role in the open world of Web 3.0? If the hidden threat cannot be ruled out, the ENS is still a long way from its vision of giving a name to all digital resources.

In the future, someone will submit the attached link to www.binance.eth. Do you want to click?

btcfans公众号

Scan QR code with WeChat

Disclaimer:

Tags: Web3.0 ENS
Previous: How will blockchain technology and NFTs be implemented in 2022? Next: The bombardment of Ponzi schemes and the protection of the environment in the public opinion! Mozilla announced today that it should not be providing cryptocurrency.

Related