Impersonating the brave.com website to deliver malware

  • In Firefox, it used to show the punycode when you clicked on the lock icon. Now I just checked one such domain (https://www.xn--80ak6aa92e.com/) and it didn't show the punycode until I clicked the lock icon > Connection Secure > More Information > View certificate button. I didn't know that the behavior had changed... I would have clicked the lock icon, seen `www.аррӏе.com` and believed I was visiting apple.com. I think it should not take more than one click to see the punycode, let alone a couple of clicks and opening a new dialog box.

  • Google Ads and the Play Store are impossible to deal with when it comes to scams. I contribute to an open source project and we need to have a scam support channel in Discord, because scamming is so rampant. Google offers no avenue for any meaningful manual resolution.

    https://mobile.twitter.com/moo9000/status/138419716439861658...

    https://mobile.twitter.com/moo9000/status/136785214503120896...

  • In the future, we might have some crypto based web of trust that prevents this.

    Every page will be signed by a key and our browser will show the popularity and karma of that key.

    The popularity and karma of a key will probably be readable on a blockchain, similar to the account balance of a Bitcoin address.

    If one were to download popular software and then saw that the website is not signed by a popular key, they would double-check whether they are on the right site.

    Karma will probably be a customized value, counting the opinions of my friends over the opinions of my friends' friends, etc.

  • User education is the only long-term solution that also retains the freedom to use general purpose computation. Otherwise the market will differentiate into hyper-locked-down, curated devices like iOS but even stricter, and customisable ones targeting tech folk.

    In the meantime browsers can include a list of all popular software vendor domains and flag users navigating to similar but different domains. This will not be the first or the last whitelist that browsers include.

  • This is something that should be possible to detect through certificate transparency logs, right?

    The article says that the site has a valid certificate, so it should have been possible to detect that domain's certificate issuance through one of the CT logs? The website hosting company took the domains down in this case, but maybe there needs to be a good automated solution which would help most companies report when they find phishing sites using lookalike domains. Not a trivial problem to solve, I guess.

  • A quick browser-based fix: punycode should be displayed as punycode unless the browser is set up such that the language the characters belong to is the same language the OS uses.

  • It is probably already too late to put this in practice, as it is a breaking change, but...

    Wouldn't applying Unicode normalization on domains solve this issue? For example, if a site attempts to send me to “ápple.com”, my user-agent would send me to the correct domain. Domains in Japanese, for example, would still work just fine.

    Ideally, this would be handled at the DNS spec level (“no two domains shall map to the same normalized form”), but that would be even more “too late” to change.
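The lookalike check that the comments above sketch (a watchlist of vendor domains that browsers or CT-log monitors compare navigations and new certificates against, plus normalization so that a diacritic variant such as ápple.com folds to the intended domain), as an added example that is not part of this thread: it decodes punycode labels, folds confusable characters to an ASCII skeleton, and flags hosts whose skeleton matches a watched domain without literally being it. The CONFUSABLES table is a hand-picked subset of Unicode's confusables data, and WATCHED and the sample hosts are constructed assumptions.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (Cyrillic -> Latin
# lookalikes). Not the full confusables.txt; enough for this thread's example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}

# Hypothetical vendor watchlist of the kind the comments propose.
WATCHED = {"apple.com", "brave.com"}


def decode_label(label: str) -> str:
    """Turn an A-label such as 'xn--80ak6aa92e' into its Unicode form."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: leave it as typed
    return label


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string a reader is likely to perceive."""
    # NFKD separates base letters from diacritics ('\u00e1' -> 'a' + U+0301),
    # so dropping combining marks turns 'ápple' into 'apple'.
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_hostname(host: str, watched=WATCHED):
    """Return (verdict, unicode_host): 'genuine', 'lookalike' or 'unknown'."""
    labels = host.lower().rstrip(".").split(".")
    unicode_host = ".".join(decode_label(l) for l in labels)
    skel = ".".join(skeleton(l) for l in unicode_host.split("."))
    strip_www = lambda h: h[4:] if h.startswith("www.") else h
    if strip_www(skel) not in watched:
        return "unknown", unicode_host
    if strip_www(unicode_host) == strip_www(skel):
        return "genuine", unicode_host
    return "lookalike", unicode_host


if __name__ == "__main__":
    # Constructed sample hosts, including the A-label from the first comment.
    for h in ["www.xn--80ak6aa92e.com", "www.apple.com", "\u00e1pple.com"]:
        print(h, "->", check_hostname(h))
```

A CT-log monitor would feed the SAN names of each newly logged certificate through `check_hostname` and alert on any 'lookalike' verdict; a browser would run the same check on the host of each navigation.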

  • Things like this are why I try to block all ads on my machines and my routers. I turned it off a few days ago to debug my new setup and, holy Batman, it's night and day, the difference in experience between browsing the net with and without adblock.

  • Punycode should be permanently disabled. No upsides at all.