Depending on the emoji support in your web browser/ font those two domains look exactly the same.
Some websites force fonts that will make those two look the same.
Keep that in mind while reading the following.
It was a cold evening in January.
I wanted something to do and decided that I should build a small website on a domain that contains the transgender pride flag emoji.
The idea grew out of my wish to grow my portfolio and the fact that I wanted to see how terrible mail applications will handle emoji in domains.
I do have a kind of morbid curiosity about these kinds of things.
So I went on my standard domain provider and found out that searching for emoji domains kind of breaks its web interface.
So far so interesting.. well at least not good.
Apparently not many domain registrars allow the registration of domains that contain emoji, but there is a meta search site that helped me find out that godaddy supports them.
Not really happy about having to manage my domains with different providers now, I still decided that it's worth the hassle and bought 💜 🏳️⚧️.ws.
I thought I had bought 💜 🏳️⚧️.ws, when in reality, godaddy decided to strip the zero width joiner and I actually registered 💜🏳️⚧️.ws without being notified.
The next day I started work on this little project. I went on godaddy to set the DNS record and saw that the site displayed 💜🏳️⚧️.ws.
I dismissed that thinking "well, I guess their font does not support emoji 13, whatever." and started work on a simple static page.
Once that page was deployed, I obviously wanted to check it out but for some reason it took really long to load and when it finally finished I just saw an error message by the .ws registry, stating that the domain is invalid.
Now I started to worry. Did I spend money on an invalid domain name? Are regular characters required in a domain name? Did the registrar scam me and not register the domain?
This was when I decided to put the domain that godaddy displayed into a punycode converter and voila.. it did not match the punycode that matched the domain I actually wanted.
That was frustrating but at least I actually got connected to my server when I entered the new punycode in the url bar.
Sure, it was only a 404 page but that was because my traefik was set up to route the punycode for the domain I wanted. After I changed that everything worked as intended. -Except for the fact that the domain looks ugly.
I mentioned that I also wanted to use this domain to send email, mostly because I was curious about how much it would break email clients. Well, it broke my email server. The web interface errored out when I tried to add the domain.
This was caused by a small error in sanitation code that led to an exception and someone already had developed a fix but I didn't yet test it out.
Time spent learning is never wasted time. Even if what you learned has very little use. At least that's what I believe.
So what did I learn from this whole thing?
If you want to get in touch, write to contact(at)dysphoric.dev.
If you have found a security vulnerability I would be extremely thankful if you could mail me at
I am currently not in a financial situation where I can pay out big bug bounties but I will definitely invite you to a mate or something if we ever meet.