• eleijeep@piefed.social
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 day ago

    if you click on it, the link in your browser’s address bar will more likely render properly.

    The default on librewolf (and possibly Firefox?) is to show the punycode in the URL bar since rendering the international characters can be used as a way to create phishing URLs that look similar (and sometimes identical) to characters in the latin alphabet. This is a very dangerous feature since the URL bar of the phishing site can look identical to the real website address.

    To enable the display of the alternate character sets represented by the punycode URLs, you have to set network.IDN_show_punycode to false in about:config.

    • ggtdbz@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      3
      ·
      14 hours ago

      Oh that’s a good point. I have only ever encountered these on Lemmy or similar places where you are clearly clicking a link that starts with “xn——————“ and then seeing how it ties together on my phone’s browser.

      Maybe we shouldn’t be using these. I did find myself looking at domains with emojis in them, weirdly enough for someone who doesn’t use or really like them. But the fact that this extends to basically any Unicode character is an absolute security black hole.

      Unless the standard is extended to have more guardrails/to make it impossible to resolve domains with the most egregious fake characters. Or better, to make characters interchangeable the same way domains aren’t case-sensitive.

      The learning curve for understanding the actual web and its protocols looks more and more insurmountable to me every day lol