10 comments

[ 3.9 ms ] story [ 34.8 ms ] thread
Fortunately I know the form of a URL (anyone who uses them ought to know, and if you don't know, then you must learn), and I use a fixed pitch font on the status bar and location bar. I also fixed it to display only ASCII characters in the location bar, so that homoglyph attacks are also avoided.
Most modern browsers are designed to prevent IDN homoglyph attacks by using Punycode: https://en.wikipedia.org/wiki/Punycode

This shouldn't be much of a concern these days.

In the domain name, yes it uses Punycode, and I have configured it to display the ASCII domain name rather than the Unicode characters; this is an option in the browser. However, there is also the file name, which there seems no option to configure, so I used userChrome.js to change it so that it always displays ASCII for the entire URL and not only the domain name.
Could use a countdown clock. This isn’t so challenging if you tahs your time with it.
Anyone else having this issue with the display https://i.imgur.com/Bk2Gzee.png

Edit: figured it out, it seems the font size is based off of the Window size (which doesn't make any sense) and scales faster than the box scales. Works best if you make your browser window phone width.

The problem with this is that when you do it, you're actively looking for lookalike domains. The challenge is when an email or link otherwise seems very legitimate, so you have your guard down.
yes. very much this! it's harder to spot a fake domain when subdomains and browser shenanigans are involved when writing an email for example than when a game called "spot the fake" is played.
I was expecting this to be harder as well. With swapped unicode letters. Maybe you should make them different levels, 1 = easy like you had, 2 = with upside down letters, 3 = greek letter replacement (unicode swapping)