[enhancement]: Mitigate homograph attacks from human-interpreted strings #507
Description
Background
As a taproot-assets user I want to only need to visually inspect an asset name in order to confirm that a bootstrapped asset has the name I believe it should have
As a taproot-assets asset issuer I want to ensure that my asset name cannot be confused with visually indistinguishable asset names in order to preserve my asset's name recognition and deny fraud
Given that many unicode glyphs appear visually indistinguishable from each other but map to different code points, there is a potential attack vector against humans visually comparing asset names in which an attacker could attempt to defraud a user by using two homoglyphs. Domain names call this the IDN homograph attack
Mitigation options
- Enforce ASCII-only names. Upside: simple Downside: Excludes non-English language asset names
- Use Punycode or equivalent to excluding homographs and enforce those in tapd
- Allow Homographs but add a visual fingerprint (for the homograph attackable fields) for users to easily detect naming mismatches
Strings sensitive homograph attacks:
- Asset names
- Universe servers
- TODO: enumerate more areas