Micah Lee 🔑 is a user on mastodon.social.
Micah Lee 🔑 @micahflee

Trying clicking this link, then see how the URL is displayed in your browser xn--80ak6aa92e.com/


@micahflee Man, what you're doing here is in no way good for my misanthropy 😖

@micahflee As of right now, what's the best way to protect ourselves against this? (like some browser extension that would catch this and alert you)

@mlcdf I don't know if a defense exists. Some browsers seem vulnerable, others don't

@micahflee Which is the false character? I can't see it and I have tried, trust me.

@Bobo_PK They are displayed identically, I believe. Here's more info on how it works: xudongz.com/blog/2017/idn-phis
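The link above explains the mechanism: the browser shows the Unicode form of a punycode ("xn--") label, and Cyrillic letters such as а, р and ӏ render like their Latin lookalikes. The following is an added example, not code from the thread or from any browser project, showing the check a defender can run on a hostname: decode the punycode labels with Python's standard-library punycode codec, derive the script of each character from its Unicode name, reduce the label to a Latin "skeleton" through a small lookalike table, and compare that skeleton against a list of protected domains. The lookalike table is a constructed partial subset, not the full Unicode confusables data, and the protected list is an assumption supplied by the caller.

```python
"""Flag hostnames whose displayed (Unicode) form is confusable with a protected domain.

Added example using only the standard library. The LOOKALIKES table is a
constructed, deliberately partial subset of Unicode confusables; a production
check should use the full confusables data (UTS #39).
"""
import unicodedata

# Constructed subset: Cyrillic/Greek letter -> Latin letter it resembles.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u04bb": "h", "\u0455": "s", "\u0501": "d",
    "\u03b1": "a", "\u03bf": "o",  # Greek alpha and omicron
}


def to_unicode(host: str) -> str:
    """Decode every xn-- label with the punycode codec; other labels pass through lowercased."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set[str]:
    """Set of scripts used in a label, taken from the first word of each character's Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue  # digits and hyphens carry no script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label: str) -> str:
    """Replace each known lookalike with the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


def assess(host: str, protected: set[str]) -> dict:
    """Return the decoded host, its Latin skeleton, the protected domain it imitates (if any) and findings."""
    unicode_host = to_unicode(host)
    labels = unicode_host.split(".")
    findings = []
    for label in labels:
        scripts = scripts_of(label)
        non_ascii = [ch for ch in label if not ch.isascii()]
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        elif non_ascii and all(ch in LOOKALIKES for ch in non_ascii):
            findings.append(f"label {label!r} consists entirely of Latin lookalikes ({next(iter(scripts))})")
    skel = ".".join(skeleton(label) for label in labels)
    impersonates = skel if skel in protected and skel != unicode_host else None
    return {
        "host": host,
        "unicode": unicode_host,
        "skeleton": skel,
        "impersonates": impersonates,
        "findings": findings,
        "suspicious": bool(findings) or impersonates is not None,
    }


if __name__ == "__main__":
    # Constructed sample: the domain from the thread, the real domain, and a mixed-script variant.
    protected = {"apple.com", "paypal.com"}
    for host in ("xn--80ak6aa92e.com", "apple.com", "p\u0430ypal.com"):
        result = assess(host, protected)
        print(f"{host:22} -> {result['unicode']:14} skeleton={result['skeleton']:12} "
              f"suspicious={result['suspicious']} impersonates={result['impersonates']}")
        for finding in result["findings"]:
            print("    ", finding)
```

The two signals are complementary: a mixed-script label (Latin plus one Cyrillic letter) is caught by `scripts_of`, while the whole-script Cyrillic label in the thread passes a mixed-script test and is only caught by the skeleton comparison, which is why both checks are needed.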

@micahflee Worked on laptop but not on my phone, curious as to what the difference is.

@micahflee I see that and I immediately see that it's not organizationally validated.

But I agree something needs to be done.

But then I'm like "That's why we have organizationally validated certs in the first place!"


@unorigmoniker I _almost_ feel like EV certs are a total scam. If it says "https" and "Secure", no one will ever notice whether it's EV or not

@micahflee You're right and worse, when on mobile some clients don't even distinguish. Not to mention the problems introduced by SSL proxies!

@micahflee Firefox: in about:config set network.IDN_show_punycode to true, and the URL is not apple.com :)


fwiw, the 'l' is shorter for me at least:


(it's the first one.)

@micahflee clicking that link gave me a chill (not the good chills).

@micahflee As of yesterday when I tried, Chrome showed it properly but Firefox still displayed the 'wrong' domain. Do you know if they have any plans to fix this?

@micahflee Got the green lock and everything in Chrome. How difficult is it to register a .com/other-common-tld domain name with a punycode? Last I tried, it wasn't easy.

@micahflee I must admit I didn't click out of suspicion, but it was enough to stop the mouse pointer over it and it showed apple.com. As it turns out, yesterday I came across that article about fake URLs...

.@micahflee Firefox with about:config network.IDN_show_punycode;true, which I set a few days ago when I was horrified to discover it wasn't the default.


@micahflee Edge on Creators Update is showing punycode by default in the URL bar, but not in cert info: mastodon.cloud/media/fd-XQ7eNf

@micahflee You can check on iOS mobile with this open source app, the certificate chain and properties. Of course, this is not a perennial solution to this certificate problem. #security tlsinspector.com