Welcome to today’s 10,000. Today’s episode is about Punycode. It’s basically a standardized way of putting unusual characters in a domain name.
The way the link is shown in your interface/client, it’s giving you the encoded version that looks nonsensical. But if you click on it, the link in your browser’s address bar will more likely render properly.
I’ve seen this done with URLs that contain emojis, this one contains katakana (?) characters.
if you click on it, the link in your browser’s address bar will more likely render properly.
The default on LibreWolf (and possibly Firefox?) is to show the punycode in the URL bar since rendering the international characters can be used as a way to create phishing URLs that look similar (and sometimes identical) to characters in the Latin alphabet. This is a very dangerous feature since the URL bar of the phishing site can look identical to the real website address.
To enable the display of the alternate character sets represented by the punycode URLs, you have to set network.IDN_show_punycode to false in about:config.
Oh that’s a good point. I have only ever encountered these on Lemmy or similar places where you are clearly clicking a link that starts with “xn——————“ and then seeing how it ties together on my phone’s browser.
Maybe we shouldn’t be using these. I did find myself looking at domains with emojis in them, weirdly enough for someone who doesn’t use or really like them. But the fact that this extends to basically any Unicode character is an absolute security black hole.
Unless the standard is extended to have more guardrails/to make it impossible to resolve domains with the most egregious fake characters. Or better, to make characters interchangeable the same way domains aren’t case-sensitive.
The learning curve for understanding the actual web and its protocols looks more and more insurmountable to me every day lol
indeed, katakana. the actual website name is “マリウス”, which I’m guessing means “Marius”.
@ggtdbz @Hello_there The author actually has a post on this, too: https://マリウス.com/never-click-on-a-link-that-looks-like-that/
(I’m guessing you deliberately avoided it since the person you’re responding to would also refuse to click that but I think it’s an interesting read for anyone who hasn’t seen it)
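Added example, not part of any comment in this thread: a small Python check that converts a domain between its Unicode and `xn--` forms and flags labels that mix scripts, which is the lookalike risk discussed above. It assumes Python's built-in `idna` codec (IDNA 2003) and approximates a character's script by the first word of its Unicode name; the lookalike of "example" is a constructed sample.

```python
import unicodedata

def to_ascii(domain):
    """Unicode domain -> the xn-- form that links and logs carry."""
    return domain.encode("idna").decode("ascii")

def to_unicode(domain):
    """xn-- form -> the Unicode form a browser may render."""
    return domain.encode("ascii").decode("idna")

def scripts(label):
    """Approximate script set: first word of each letter's Unicode name."""
    found = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens carry no script information
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def classify(domain):
    """Per-label verdict; accepts either the Unicode or the xn-- form."""
    verdicts = {}
    for label in to_unicode(to_ascii(domain)).split("."):
        found = scripts(label)
        if found <= {"LATIN"}:
            verdicts[label] = "latin"
        elif len(found) == 1:
            # One non-Latin script: legitimate IDN, or a whole-script lookalike.
            verdicts[label] = "single-script:" + next(iter(found))
        else:
            # Several scripts inside one label is the classic homograph signal.
            verdicts[label] = "mixed-script:" + "+".join(sorted(found))
    return verdicts

# Constructed samples: the site named in the thread, and a made-up
# lookalike of "example" whose "a" is CYRILLIC SMALL LETTER A (U+0430).
SAMPLES = ["マリウス.com", "ex\u0430mple.com", "example.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(to_ascii(name), classify(name))
```

A single-script verdict does not mean the label is safe, since some scripts can imitate a Latin name on their own; telling those apart needs a confusables table, which this sketch does not include.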