dysphoric.dev


Emoji domains - A cautionary tale

Posted: 2021-01-19 16:45:48 |
Last update: 2021-03-19 22:03:28

The story of how 💜 🏳️‍⚧️.ws ended up being 💜🏳️⚧️.ws

Depending on the emoji support in your web browser/ font those two domains look exactly the same.
Some websites force fonts that will make those two look the same.
Keep that in mind while reading the following.

It was a cold evening in January.
I wanted something to do and decided that I should build a small website on a domain that contains the transgender pride flag emoji.
The idea grew out of my wish to grow my portfolio and the fact that I wanted to see how terrible mail applications will handle emoji in domains.
I do have a kind of morbid curiosity about these kinds of things.

So I went on my standard domain provider and found out that searching for emoji domains kind of breaks its web interface.
So far so interesting.. well at least not good.
Apparently not many domain registrars allow the registration of domains that contain emoji, but there is a meta search site that helped me find out that godaddy supports them.

Not really happy about having to manage my domains with different providers now, I still decided that it's worth the hassle and bought 💜 🏳️‍⚧️.ws.
I thought I had bought 💜 🏳️‍⚧️.ws, when in reality, godaddy decided to strip the zero width joiner and I actually registered 💜🏳️⚧️.ws without being notified.

The next day I started work on this little project. I went on godaddy to set the DNS record and saw that the site displayed 💜🏳️⚧️.ws.
I dismissed that thinking "well, I guess their font does not support emoji 13, whatever." and started work on a simple static page.

Once that page was deployed, I obviously wanted to check it out but for some reason it took really long to load and when it finally finished I just saw an error message by the .ws registry, stating that the domain is invalid.
Now I started to worry. Did I spend money on an invalid domain name? Are regular characters required in a domain name? Did the registrar scam me and not register the domain?

This was when I decided to put the domain that godaddy displayed into a punycode converter and voila.. it did not match the punycode that matched the domain I actually wanted.
That was frustrating but at least I actually got connected to my server when I entered the new punycode in the url bar.
Sure, it was only a 404 page but that was because my traefik was set up to route the punycode for the domain I wanted. After I changed that everything worked as intended. -Except for the fact that the domain looks ugly.

Emoji email?

I mentioned that I also wanted to use this domain to send email, mostly because I was curious about how much it would break email clients. Well, it broke my email server. The web interface errored out when I tried to add the domain.

This was caused by a small error in sanitation code that led to an exception and someone already had developed a fix but I didn't yet test it out.

Lessons learned?

Time spent learning is never wasted time. Even if what you learned has very little use. At least that's what I believe.
So what did I learn from this whole thing?

  • Punycode breaks even more things than what I had thought
  • Zero width joiners make everything more complicated
  • If you want to use it productively, it's probably just not worth the hassle
  • Always double check what domains you are buying
  • Safari on iOS applies CSS background rules to flags, making them indistinguishable.

Here's a working link to the site I built, feel free to check out the site's code on GitHub, although it is not very interesting and the repository name is the wrong punycode..


Recent Posts


Tags

36c3 accessibility blog CLT creepypasta emoji Fediverse frontend gaming hardware joke Mastodon meta minimal viable products opinion personal rC3 SEO tech Twitter web design work

Info

All cookies this website uses are essential to deliver intended functionality.
The only connection to a third party website is done to download a markdown parser from unpkg, which you probably will not even see if you don't snoop around pages that you don't have access to.
No analytics services are used on this website.
There are no adverts on this website.

Contact

If you want to get in touch, write to contact(at)dysphoric.dev.

If you have found a security vulnerability I would be extremely thankful if you could mail me at security(at)dysphoric.dev.
I am currently not in a financial situation where I can pay out big bug bounties but I will definitely invite you to a mate or something if we ever meet.


Feed

This blog also has an RSS feed.