#1347 Create countermeasure against "Unicode forgery"
Reporter
Thomas Leister
Owner
Zash
Created
Updated
Stars
★ (1)
Tags
Priority-Medium
Milestone-0.12
Security
Status-Fixed
Type-Defect
Thomas Leister
on
A user on trashserver.net just created an account with the ID "admin@trashserver.net" by using a cyrillic "a" instead of a latin "a". For the server there's two different user names, but for the XMPP users there seems to be only one "admin". They cannot distinguish between the latin and the cyrillic "a" on their displays.
Also see: https://www.xudongz.com/blog/2017/idn-phishing/
Prosody should prevent such unicode attacks on registration.
Zash
on
Thanks for the suggestion.
This topic is covered by https://www.unicode.org/reports/tr36/ and http://www.unicode.org/reports/tr39/
Work on this was actually started long ago by Florob, but it was never merged for some reason.
The main difficulty is the library situation. By default Prosody uses the GNU libidn library for Unicode related operations and it doesn't provide anything for confusables. It does not help that it is deprecated in favor of libidn2, which provides even fewer features.
Also see #533
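One registration-time check of the kind this issue asks for, as an added example that is not Prosody's code and not the fix referenced in this ticket: it applies a simplified UTS #39 mixed-script restriction and compares a UTS #39-style skeleton of the requested localpart against existing accounts. The confusables map is a constructed subset of the real table, and the script guess from character names is a stand-in for ICU's script data.

```python
import unicodedata

# Constructed subset of the UTS #39 confusables table (assumption: the real
# table is far larger); maps look-alike letters to their Latin prototype.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def script_of(ch):
    """Approximate a letter's Unicode script from the first word of its
    character name (hypothetical helper; ICU's uscript is the real source)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def scripts_in(localpart):
    """Set of scripts used by the letters of a localpart; digits and
    punctuation are ignored, as in the UTS #39 script-mixing restriction."""
    return {script_of(ch) for ch in localpart if ch.isalpha()}

def skeleton(localpart):
    """UTS #39-style skeleton: NFKC-normalise, case-fold, then replace
    confusable letters with their prototype so look-alikes compare equal."""
    normalized = unicodedata.normalize("NFKC", localpart).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)

def registration_check(localpart, existing):
    """Return None if the localpart may be registered, otherwise the reason
    for refusal. 'existing' is an iterable of already-registered localparts."""
    if len(scripts_in(localpart)) > 1:
        return "mixed-script"
    taken = {skeleton(name) for name in existing}
    if skeleton(localpart) in taken:
        return "confusable-with-existing"
    return None
```

The second rule catches an all-Cyrillic look-alike that the mixed-script rule alone would pass, which is why both are needed.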
Changes: Status-New → Status-Accepted, Priority-High → Priority-Medium
Note that this has been a known issue in XMPP for years, no point in hiding it.
Changes: Hidden
Fixed in https://hg.prosody.im/trunk/rev/73a447249fe4 :: 9cb639ef5c72
Currently only available if Prosody is built with ICU, which is not the default.