Browsers should not support Unicode in the address bar
I've now seen my first phishing site that has:
1. Identical url as the real website. 2. Valid ssl certificate. You only figure out that it's not the real site if you navigate into the certificate and check the domain name in the technical details. No casual user does that and no user should be expected to do this.
This is serious, browsers should not support unicode in the address bar. It's going to be impossible to detect fake url's just by looking at the url, there is bound to be a unicode character that looks like a regular ascii character but isnt. Then the scammer can just replace it in the url and make anybody believe that you are on a real site.
Here is a picture of the problem: https://imgur.com/a/LZFfN
10 comments
[ 3.3 ms ] story [ 36.4 ms ] threadBut indeed, there's no reason we need unicode in the hostname/any domain names.
Besides, it's too late. There are already non-Latin TLDs out there - in part to support languages with non-Latin alphabets.
The URL is not even visually identical due to the dot underneath the letter `d`. Seems to be this unicode character [0]. After the apple.com [1] example of this problem Chrome patched it. The apple.com "spoof" is now xn--80ak6aa92e.com in Chrome.
[0] http://www.fileformat.info/info/unicode/char/1e0d/index.htm
[1] https://www.theguardian.com/technology/2017/apr/19/phishing-...
Compare él to el in Spanish one means he (iirc) the other means “the” - he-man.com and the-man.com are probably going to be different.