Micah Lee 🔑 is a user on mastodon.social.
Micah Lee 🔑 @micahflee

Try clicking this link, then see how the URL is displayed in your browser: xn--80ak6aa92e.com/

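Added example, written for this page and not taken from the thread or from any browser's source: the link in the post is a single Punycode label that decodes to five Cyrillic letters whose glyphs look like "apple". The snippet below decodes a label per RFC 3492 and then applies a simplified version of the display rule browsers adopted after this attack was publicised: show the Unicode form only when the label is neither mixed-script nor made up entirely of characters confusable with Latin ones. The lookalike table is an assumed, hand-picked subset of the Unicode UTS #39 confusables data, not the full set; xn--80ak6aa92e.com is the hostname from the post, and xn--80adxhks.xn--p1ai (москва.рф) is a constructed legitimate counter-example.

```javascript
// Added example, not code from the thread or from any browser.  It decodes a
// Punycode label per RFC 3492 and applies a simplified version of the rule
// browsers adopted after this attack: show Unicode only when the label is
// neither mixed-script nor wholly confusable with a Latin string.
// Assumption: the lookalike table is a small hand-picked subset of the
// Unicode UTS #39 confusables data, not the full set.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// RFC 3492 section 6.1: bias adaptation after each decoded code point.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;       // a-z -> 0..25
  if (c >= 0x41 && c <= 0x5a) return c - 0x41;       // A-Z -> 0..25
  if (c >= 0x30 && c <= 0x39) return c - 0x30 + 26;  // 0-9 -> 26..35
  throw new Error(`bad Punycode digit: ${ch}`);
}

// Decode one DNS label ("xn--80ak6aa92e") to Unicode; non-ACE labels pass through.
function decodeLabel(label) {
  if (!/^xn--/i.test(label)) return label;
  const input = label.slice(4);
  const delim = input.lastIndexOf('-');
  const output = delim >= 0 ? Array.from(input.slice(0, delim)) : [];
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  let pos = delim >= 0 ? delim + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new Error('truncated Punycode');
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, output.length + 1, oldi === 0);
    n += Math.floor(i / (output.length + 1));
    i %= output.length + 1;
    output.splice(i, 0, String.fromCodePoint(n));
    i++;
  }
  return output.join('');
}

// Cyrillic letters whose usual glyphs are indistinguishable from Latin ones
// (assumption: partial table for illustration only).
const LOOKALIKES = new Map([
  ['\u0430', 'a'], ['\u0441', 'c'], ['\u0501', 'd'], ['\u0435', 'e'],
  ['\u04bb', 'h'], ['\u0456', 'i'], ['\u0458', 'j'], ['\u04cf', 'l'],
  ['\u043e', 'o'], ['\u0440', 'p'], ['\u051b', 'q'], ['\u0455', 's'],
  ['\u051d', 'w'], ['\u0445', 'x'], ['\u0443', 'y'],
]);

function scriptOf(ch) {
  const cp = ch.codePointAt(0);
  if (cp < 0x80) return 'Latin';
  if (cp >= 0x0400 && cp <= 0x052f) return 'Cyrillic';
  return 'Other';
}

// Returns the decoded label, the Latin string a reader would perceive, and the
// reason it must be shown as Punycode (null when the Unicode form is safe).
function classifyLabel(label) {
  const unicode = decodeLabel(label);
  const chars = Array.from(unicode);
  if (chars.every(ch => ch.codePointAt(0) < 0x80)) {
    return { unicode, skeleton: unicode, reason: null };
  }
  const skeleton = chars.map(ch => LOOKALIKES.has(ch) ? LOOKALIKES.get(ch) : ch).join('');
  const scripts = new Set(chars.map(scriptOf));
  let reason = null;
  if (scripts.size > 1) reason = 'mixed-script label';
  else if (chars.every(ch => LOOKALIKES.has(ch))) reason = `whole-script confusable with Latin "${skeleton}"`;
  return { unicode, skeleton, reason };
}

// Render a hostname (given in wire/ACE form) the way a hardened URL bar would.
function displayHostname(host) {
  return host.split('.').map(label => {
    const c = classifyLabel(label);
    return c.reason ? label : c.unicode;
  }).join('.');
}

console.log(displayHostname('xn--80ak6aa92e.com'));    // kept as Punycode: wholly confusable
console.log(displayHostname('xn--80adxhks.xn--p1ai')); // real Cyrillic name, shown as Unicode
```

The check is deliberately per label, not per hostname, which is also how browsers apply it; a hostname can legitimately mix scripts across labels (a Cyrillic second-level label under .com) without any label itself being confusable. The whole-script rule is the one that catches the post's example: every letter is Cyrillic, so a plain "no mixed scripts" check passes it.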

@micahflee Man, what you're doing here is in no way good for my misanthropy 😖

@micahflee Android 7.1.1, latest Firefox


@micahflee As of right now, what's the best way to protect ourselves against this? (like some browser extension that would catch this and alert you)

@mlcdf I don't know if a defense exists. Some browsers seem vulnerable, others don't

@micahflee Which is the false character? I can't see it and I have tried, trust me.

@Bobo_PK they are displayed identically I believe. Here's more info on how it works xudongz.com/blog/2017/idn-phis

@micahflee Worked on laptop but not on my phone, curious as to what the difference is.

@micahflee I see that and I immediately see that it's not organizationally validated.

But I agree something needs to be done.

But then I'm like "That's why we have organizationally validated certs in the first place!"

Ugh.

@unorigmoniker I _almost_ feel like EV certs are a total scam. If it says "https" and "Secure", no one will ever notice whether it's EV or not

@micahflee You're right and worse, when on mobile some clients don't even distinguish. Not to mention the problems introduced by SSL proxies!

@micahflee Firefox: in about:config set network.IDN_show_punycode to true, and the URL is not apple.com :)

@micahflee

fwiw, the 'l' is shorter for me at least:

ӏl

(it's the first one.)

@micahflee clicking that link gave me a chill (not the good chills).

@micahflee this is what I get on FF mobile.


@micahflee As of yesterday when I tried, Chrome showed it properly but Firefox still displayed the 'wrong' domain. Do you know if they have any plans to fix this?

@micahflee Got the green lock and everything in Chrome. How difficult is it to register a .com/other-common-tld domain name with a punycode? Last I tried, it wasn't easy.

@micahflee I must admit I didn't click out of suspicion, but it was enough to stop the mouse pointer over it and it showed apple.com. As it turns out, yesterday I came across that article about fake URLs...

.@micahflee Firefox with about:config network.IDN_show_punycode;true, which I set a few days ago when I was horrified to discover it wasn't the default.

octodon.social/media/_D4rmuo24


@micahflee Edge on Creators Update is showing punycode by default in the URL bar, but not in the cert info: mastodon.cloud/media/fd-XQ7eNf


@micahflee You can check the certificate chain and properties on iOS with this open-source app. Of course, this is not a permanent solution to this certificate problem. #security tlsinspector.com