How and Why you should disable Internationalized Domains

How well could you spot the difference between apple.com and аpple.com?

They look identical, but to a computer they’re completely different strings of bits, and not equivalent at all. The second domain contains a Cyrillic ‘a’ character, as demonstrated here:

>>> 'a' == 'а'
False

Support for the worlds beautiful diverse languages in modern technology is an absolutely fantastic thing for providing access for people from every corner of the globe to the wealth of information the internet provides.

Unless you only speak english, in which case it’s a security nightmare. A recent harmless prank by a colleague showed that even a room full of security-minded individuals can be pretty quick to deem a site safe when a basic bit of pretexting, an internationalized domain (IDN), and a freshly minted letsencrypt cert are in play.

So, what to do about it? one option is to disallow your system from ever resolving IDNs.

Enter dnscrypt. dnscrypt is a tool that aims to solve one key challenge of name resolution; the fact that your local resolver will often feed you invalid or manipulated results. If you’re using a US-based ISP and have ever mistyped a URL, you’ll possibly know what I’m talking about. Instead of the expected DNS lookup failure, you’re served a horrifically ugly page full of ads and recommendations from you ISP. dnscrypt helps prevent that by signing request/response data between yourself and some resolver out on the internet that you trust more than your local ISP/hotel/cafe network.

Caveat: I have not looked over the dnscrypt code. I think it’s a worthwhile project and do intend to.

dnscrypt comes with a number of nice plugins and features, and the one that’s of particular interest when talking IDNs is the ability to block and log domains specified with wildcards. Even though an IDN may display as عم.عمان in the browser, an underlying algorithm (specified in RFC 3940) converts it back to regular ASCII text in order to do the name resolution. What you end up with after conversion, is a punycode URL such as xn--wkd-8cdx9d7hbd, always prefixed with “xn--” which we can block and log.

Implementing this is really simple:

  1. Follow the regular dnscrypt-proxy installation instructions; on MacOS you can fetch it from homebrew.
  2. Edit /usr/local/etc/dnscrypt-proxy.conf and uncomment the following lines
    • QueryLogFile /tmp/dns-queries.log

    • BlackList domains:“/etc/dnscrypt-blacklist-domains.txt” logfile:“/var/log/dnscrypt-blocked.log”

  3. $ sudo echo “*xn--*” > /etc/dnscrypt-blacklist-domains.txt

Test it out. Tail the /tmp/dnsqueries.log file while browsing the web, and watch DNS queries go out. Then tail /var/log/dnscrypt-blocked.log while hitting an IDN domain, such as

You should see those domains being blocked and will fail to resolve. Most of the sites that use IDN’s will have a regular non-punycode ASCII domain as well, so don’t worry about not being able to get to all of the internets best international cat pictures.

Teardown: E-Mods RS-1 handheld game

I recently bought a cheap NES-knockoff handheld off Amazon for $15.99 to tinker with, pull apart, and eventually reverse the flash image.

The initial teardown showed an unsurprisingly simple collection of components; amongst a small handful of SMT caps & resistors and switches of a few varieties is the LCD screen, an audio chip, an epoxy blob hiding the main processor, and finally a flash 128 Mbit flash chip.

OLYMPUS DIGITAL CAMERA
The glorious E-mods RS-1
OLYMPUS DIGITAL CAMERA
Case open, +ve wire already snapped off at solder joint
OLYMPUS DIGITAL CAMERA
Front side showing LCD
OLYMPUS DIGITAL CAMERA
The fun bits – 56 pin TSOP Flash & the main processor
flashchip
The 128GBit NOR flash chip

The datasheet for the flash chip is here

In order to see what I might be up against trying to sit a logic analyzer on the flash data bus, I had a poke with my scope and saw the string of obvious initial boot reads followed by periodic read/writes at the menu screen.

DS1Z_QuickPrint3
Chip Enable line on the flash chip

Taking a closer look at the signal, it all seems fairly slow with nothing over 500kHz, easily sniffable even with a low-end logic analyzer.

DS1Z_QuickPrint1
Access to the flash chip was relatively slow

The next step will be to pull the flash chip and dump the contents.