Donuts, operator of 239 new gTLDs and managing 5.8 million domain names, has developed its own service that helps to protect registrants in its gTLDs from malicious registrations. The service, called Domains Protected Marks List, or DPML, today protects 3,500 of the world’s largest consumer brands.
The service was enhanced in 2018 to include logic that prevents the registration of malicious homograph internationalised domain names for the entirety of Unicode’s Confusables table, including Latin, Greek, and Cyrillic scripts.
This week Donuts announced that the table contains more than 6,000 potentially confusing characters, 80 of which appear in both Donuts and Verisign’s ICANN approved Latin script tables. Thus, one can see that the issue stretches beyond the three characters identified by Soluble.ai.
Soluble.ai recently highlighted the ability to register lookalike or homograph .com domain names. Their researcher Matt Hamilton was able to register potentially malicious names, including domain names that mimic global consumer brands, using homographs. After being notified of the vulnerability, Verisign took action to combat its exploitation by removing three potentially confusing characters from their Latin script table.
Donuts highlights in their blog post this week one of the domains Soluble focussed on in their study. In the Soluble research study, researchers used the term “Google” where the recent mitigation effort protected 7 potentially malicious domain permutations. But Donuts’ homograph detection identifies and protects 479 permutations of the same name, a sample of five of these permutations are included in the table below.
Donuts asks why not remove all confusable characters from script tables? The answer is that, as Donuts explains, even though some characters have the potential to be adopted for malicious use, the characters themselves are not inherently dangerous.
As Donuts goes on to explain there are many legitimate use cases for these characters and removing them altogether would leave multiple localised alphabets incomplete. For example, they note the “dotless i” Unicode character “ı” (U+0131) is one of the most commonly used malicious character substitutions for IDN homographs. However, in regular language expressions, this character has valid uses in Turkish, Kazakhand, and Azerbaijani. These languages treat the dotted & dotless “i” as separate characters in their alphabet, and outright removal would prevent full localization of those languages online.
Donuts recognises that while large brands have resources to enforce trademarks, individuals and brands of all sizes need protection. So Donuts are working to expand homograph security coverage so that brands, individuals, and the rest of our community are better protected from day one.
Donuts plans to roll out comprehensive, sustainable homograph protection by the middle of 2020. This algorithmic blocking product will be applied to all existing and future domain registrations. During the development process, the Donuts compliance team will be working closely with all registrar partners to remove existing malicious homographic registrations in the Donuts name space. Additionally, any attempts to register new malicious homographs in the interim will be identified and resolved in a timely manner.