Skyhigh Security

Punycode URL Security

Introduction to Punycode

The Domain Name System (DNS) used on the internet today to resolve domain names to IP addresses only allows 7-bit ASCII characters, specifically a-z, A-Z, 0-9, and hyphen (-). This is not sufficient for representing internationalized domain names (IDNs) that require the use of double-byte character sets such as Unicode. To address this, Punycode encoding was developed to encode Unicode domain names ("U-labels") into valid ASCII-based DNS names that only use letters, digits and hyphens ("A-labels"). Encoded A-labels are easily identified as they begin with "xn--". So, for example, the U-label "bücher.de" will be encoded as the A-label "xn--bcher-kva.de". This topic describes how Punycode URLs are managed within Skyhigh Cloud SWG.

Handling of Punycode URLs

The Skyhigh Cloud SWG will, by default, decode Punycode URLs and will work with the decoded Unicode characters. Therefore, when you create rules using SmartMatch lists, you can directly enter the Unicode U-labels into the SmartMatch list. The Skyhigh Cloud SWG will decode Punycode and identify those URLs successfully. Likewise, if you use Policy Code functions such as MWG.domain, it will return the decoded U-label with Unicode characters.

However, if you need to work directly with the Punycode-encoded A-label and view the actual ASCII DNS name that is being requested, the Policy Code function MWG.Raw will return the encoded URL as requested by the browser. Alternatively, if you're using the Web Policy Builder, then the "URL as string in raw format" property can be used in your rule criteria to evaluate the encoded A-label. Here is the output of a few URL handling functions when visiting the site https://bücher.de:

MWG.Url.Raw --> "https://www.xn--bcher-kva.de"
MWG.Url.Host --> "www.bücher.de"
MWG.Url.Domain --> "bücher.de"
MWG.Url.SmartMatch("bücher.de") --> TRUE

Punycode Phishing Policy

Risk of Phishing with Punycode

A significant risk associated with Punycode URLs is the possibility that they will be used in phishing attacks. Many Unicode characters can be easily confused with similar-looking ASCII characters. In some fonts, these characters can be indistinguishable from some ASCII characters. Here are a few examples:

Unicode Character ASCII character(s)
𝟮 2
8.
𝚋 b
ix

These confusable characters can be used by attackers to deceive users into following URLs that resemble trusted domains but are actually registered by the attackers themselves. It's important to note that Punycode URLs are not inherently dangerous; however, they can be exploited by attackers to create confusion among users.

Punycode Phishing Policy in Ruleset Library

Skyhigh Security provides a prebuilt policy in the Skyhigh Cloud SWG's ruleset library that is designed to mitigate the risk of phishing attacks using Punycode URLs.

How it Works

This prebuilt policy follows a simple, two-step process to reduce the risk of Punycode phishing attacks:

  1. Replace confusable characters - Using unicode.org's published mapping of confusable characters, all confusable Unicode characters are replaced by the ASCII character(s) with which they may be confused. Once this is complete, the result should be the URL that the user might think they are clicking.
  2. Check resulting URL against likely spoofing targets - The resulting URL is compared against a list of the 500 most common websites to determine whether it could be an attempt to spoof a common site. If a match is found, then the request is blocked.
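
The two steps above can be sketched in Python as follows. This is an added example, not Skyhigh's rule code: the confusable map and target list are small constructed stand-ins for the unicode.org mapping and the 500-site list, and the function names and the suffix-match rule are assumptions.

```python
# Added example: constructed data, not Skyhigh's lists or rule code.
CONFUSABLES = {          # tiny constructed subset of a confusables map
    "\u0430": "a",       # CYRILLIC SMALL LETTER A
    "\u0435": "e",       # CYRILLIC SMALL LETTER IE
    "\u043e": "o",       # CYRILLIC SMALL LETTER O
    "\u0440": "p",       # CYRILLIC SMALL LETTER ER
    "𝟮": "2",            # from the table on this page
    "𝚋": "b",            # from the table on this page
}
# Constructed stand-in for the list of likely spoofing targets.
TARGETS = {"apple.com", "paypal.com", "example.org"}


def to_alabel(host):
    """Encode a Unicode host to A-label form (used here to build sample input)."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in host.split(".")
    )


def decode_host(host):
    """Decode every xn-- label to Unicode; leave malformed labels untouched."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # not valid Punycode: keep the raw label
        out.append(label)
    return ".".join(out)


def is_spoof(host):
    """Step 1: replace confusables. Step 2: compare with likely targets."""
    decoded = decode_host(host)
    if decoded.isascii():
        return False  # plain ASCII name: outside the scope of this check
    ascii_view = "".join(CONFUSABLES.get(ch, ch) for ch in decoded)
    # Assumed matching rule: exact target or any subdomain of it.
    return any(ascii_view == t or ascii_view.endswith("." + t) for t in TARGETS)
```

The raw "punycode" codec is used per label instead of Python's "idna" codec because the latter normalizes some confusable characters away before the map is applied.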

Configure Punycode Phishing policy

Follow these steps to add and configure the prebuilt policy to your Web Policy:

  1. Log in to Skyhigh Security Cloud, and go to Policy -> Web Policy -> Policy.
  2. Select the ruleset in the policy tree on the left into which you want to add the Punycode Phishing policy.
  3. Click the three dots on the ruleset and select Add New Ruleset from Library.
  4. Under the Web Filtering category, select the Punycode Phishing policy, and then click Add.
  5. If you want to review and/or edit the list of confusable characters, click the blue Confusable Character Map link. This will take you to the List Catalog where the list can be viewed and/or modified.
  6. If you want to add likely spoofing targets that are specific to your organization or industry, then click the blue Likely Spoofing Targets link to be taken to the List Catalog to modify the list.
  7. Click the shield icon on the top-right corner of the page and then click Publish.