Emoji domains are horrible!


Emoji domains seems to be next big internet trend, but I think they are a real nightmare, see below. But let me shortly explain, how Emoji domains are working technical. If you type in ✌, or any other "non basic" unicode char, into the address bar of your browser, it converts the unicode into Punycode: ✌.example becomes xn--7bi.example and that's it!

First of all ...

First of all, I SIMPLY CAN'T TYPE IN EMOTICONS ON THE MOST DEVICES! In the best case, I can type in the emoticons on my mobile phone. In the worst case not even there. My LG G4 for example doesn't support the newest Unicode chars (-> new emojis). If someone sends me some new emojis, I only see U+25A1, the magic white Box □, which is often used to represent a missing ideograph. Every time you want to type an emoticon you have to use a special "Emoji-keyboard", which doesn't exist on many devices and no, I don't want to install one. I prefer to be able to type in domain names directly with my normal keyboard. Additionatly, there are many computer programmes, which doesn't support Emoji Domains.

Security aspect of allowing all unicode chars in domains

There is also a security risk: If all you can use all unicode characters in domain names, you can do hijacking. Assume you want to imitate apple.com. You don't want that your victim sees, that he's on a fake site. You can use unicode chars and create the domain applе.com, you are maybe not even able to see it, but it will lead the victim to "xn--appl-y4d.com", where you have placed your phising site. We used the cyrillic letter Ye, U+0435. Chrome and Firefox are trying to prevent this form of attack by showing the punycode in the address bar. Nevertheless, allowing all unicode chars in domains is dangerous.

PS: It seems like nano doesn't support emojis very well ...: nano doesn't place emojis correct.