 Bad address: https://www.аррӏе.com/ Good address: https://www.apple.com/ See the difference? Me neither. The first one is using Cyrillic charset, the 2nd one - regular Latin So, how to avoid getting shagged by the Bad Guys? Not sure about other browsers; in Firefox, you go to about:config, find the network.IDN_show_punycode option and set it to true. From now on, any URLs based on charsets other than Latin will be shown as hex codes. You're welcome. 7 comments
 @silmathoron @xpil it also reduces the usability and visibility of IDN websites to users with an "interface that uses roman alphabet". Why *should* https://žvižgač.si be only shown as https://xn--viga-jua78dc.si/ to them? This effectively makes them less likely to click. In other words, it *punishes* websites for using IDN domains. Not to mention, what does it even mean a "language interface that uses roman alphabet"? It's UTF/unicode mostly anyway. And consider English words like "naïve". @silmathoron @xpil not to mention, it's basically saying "let's protect the English speakers from such scams; we simply can't be bothered to care that these scams also affect speakers of other languages and uses of non-ASCII scripts". Which is... very meh.   @dredmorbius @rysiek @silmathoron @xpil I'm saying not allowing people to use services in their own language and writing method is wrong. |
Gregory's Server
@xpil internationalized domain names (aka. IDNs) are a hugely difficult subject.
On the one hand, yes they enable these kinds of attacks.
On the other hand, speakers of languages using alphabets different than plain ASCII should have the technical ability to use their alphabets and scripts online in full capacity.
There is no good, clear solution, still. Using punycode solves the security angle, but dramatically reduces usability for anyone using non-ASCII script. I.e. most of the world.