Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammers Abuse Multilingual Domain Names (bbc.com)

Posted by msmash on from the beware dept.

Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo. Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.

Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names told the BBC: "Any lower case letter can be represented by as many as 40 different variations."

71 of 129 comments (clear)

  1. Farsight Security by omnichad · · Score: 4, Funny

    small screens make lookalikes even harder to spot....Farsight Security

    Yes, this does sound like a job better suited for Nearsight.

    1. Re:Farsight Security by Anonymous Coward · · Score: 1

      Hindsight?

    2. Re:Farsight Security by BronsCon · · Score: 4, Insightful

      Look more closely...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:Farsight Security by Zontar+The+Mindless · · Score: 1

      Why is some AC being taken in by a poseur?

      ProTip/1: If you see *two* UIDs next to someone's name, it's a pretty good bet that one of them is fake.

      ProTip/2: If you don't see a /. icon next to the poster's name, the poster is not a Slashdot employee.

      Also, one can easily determine that the real BeauHD's UID is 4450103.

      --
      Il n'y a pas de Planet B.
    4. Re:Farsight Security by Zaiff+Urgulbunger · · Score: 1

      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

      Off-topic I know, but what does "APK" stand for?

    5. Re:Farsight Security by Zaiff+Urgulbunger · · Score: 1

      Cheers!!! :D

  2. Unicode is a mess by Anonymous Coward · · Score: 5, Insightful

    Saw this coming years ago. Unicode assignment is a god awful mess, made worst now that nearly every single noun has an emoji version. Pity that we're probably stuck with it until the end of humanity.

    1. Re:Unicode is a mess by ShanghaiBill · · Score: 4, Interesting

      Saw this coming years ago.

      Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.

      The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.

    2. Re:Unicode is a mess by Anonymous Coward · · Score: 4, Interesting

      Somehow I get the feeling that unicode isn't the real problem.

      It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
      Even if we get rid of unicode we still have the problem with sans-serif fonts.
      slashdot.org and sIashdot.org can be hard to tell apart.
      If your response is that you can choose to use a serif font then you can also choose to use a font that shows unicode as boxes or use a browser that warns you when going to a domain that has odd letter in the name.

      One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.

      The underlying problem seems to be that we put our trust in a name.
      Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)

    3. Re:Unicode is a mess by Calydor · · Score: 1

      Which means the browser makers need to constantly check for new permutations, otherwise they'll be throwing up so many SCAM warnings whenever you access a localized URL that people stop caring about the warnings, much how it happened with UAC.

      How is the browser supposed to know that when you go to bank.corn you actually do mean BANK.CORN and not BANK.COM?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Unicode is a mess by Calydor · · Score: 5, Informative

      slashdot.org and sIashdot.org can be hard to tell apart.

      I actually had to copy that into Notepad to see what you did. Well played.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    5. Re:Unicode is a mess by AmiMoJo · · Score: 1

      Most of the world doesn't speak English. It's unreasonable to expect them not to have domain names in their own language.

      The solution should be really simple. Just flag up when a domain name contains characters that are not in the user's selected language. The problem is that Unicode makes that rather difficult, because it's badly designed. It's possible, just unnecessarily hard.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Unicode is a mess by houghi · · Score: 2

      Probably because it was known years ago. Just look at U+0391 U+0410 and U+0041. Or at U+0430 and U+0061 and if you find a word that would use such a letter, you can make serious bÐnk.

      (Luckily it does not work on /.)

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:Unicode is a mess by OneHundredAndTen · · Score: 1

      Even if we get rid of unicode we still have the problem with sans-serif fonts. slashdot.org and sIashdot.org can be hard to tell apart.

      That's an understatement. Without a microscope, in this font 'l' (lowercase L) and 'I' (uppercase i) are indistinguishable.

    8. Re:Unicode is a mess by laurencetux · · Score: 1

      or maybe flag the address if it has a mix of latin and non latin characters in the domain??

      possible text of warning "Please be advised that this address contains abnormal characters for your region please verify the spelling. [insert did you mean "%domain with all latin characters%" ??]

    9. Re:Unicode is a mess by Megol · · Score: 1

      Can't but agree. The emoji crap is just the flashing neon sign over the failed wreck.

    10. Re:Unicode is a mess by Megol · · Score: 1

      That is a bad solution in the first place just giving false positives. Why should a Russian be warned when accessing slashdot for instance?

      The "no mixed scripts in a word" design suggested earlier in this sub-thread would cover most problems. Not allowing scammers to register obvious scam sites would fix most others.

    11. Re:Unicode is a mess by RockDoctor · · Score: 1

      Let everyone register their domains under whatever country they belong to.

      Why are you assuming that people have one country? My wife and I cover three nationalities and citizenships, and stepping out one degree of relationship further, the family covers five nationalities. I work in 7 countries on a regular basis, three of which would justify me using a .EU domain in addition to the national ones and, of course, .INT

      And I have an email address in goatse.cx - Christmas Island, in the Indian Ocean. Which I have at least swum in.

      If you're an American (always a good guess when this sort of parochialism is spouted), then I take it all your domains are in .US

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  3. Don't be stupid. by Anonymous Coward · · Score: 4, Insightful

    Safe use of the Internet requires digital "street smarts."

    One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding of the basics of how these things work make it obvious, and make safe browsing practices just as obvious.

    The industry has bent over backwards to grant access to swarms of people too stupid to be safe online.

    So, the scammers take them for all they are worth.

    Personally, I consider stupidity to be a vice (and largely a choice), so I don't have much sympathy for people who fall for this sort of thing.

    1. Re:Don't be stupid. by AvitarX · · Score: 2

      What really frustrates me is that my bank uses "secure" messages.

      It requires me to download an HTML file, open it, and then login to a not my bank website.

      Except, my bank has a message system right in their main website (I assume the loans are actually written by a different company). So every customer that applies for a loan is being taught bad email behavior, and using a less secure system (my bank makes efforts to make sure I know it's them (click on the correct image of a few shown to login, if the correct one isn't shown, I know it's not my bank).

      Basically, the "secure" messages are less secure, and run the risk of teaching bad security in general.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re: Don't be stupid. by Bing+Tsher+E · · Score: 1

      I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.

      Anybody can refuse web banking. It's not difficult.

    3. Re:Don't be stupid. by pD-brane · · Score: 1

      One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding of the basics of how these things work make it obvious, and make safe browsing practices just as obvious.

      Not always as obvious. If some company you are connected to, also those who should be concerned with security, sends a text/plain e-mail with a URL for you to copy and paste, it should be fine, right? But how can I be sure that not some employer of the company has copied a look-alike phishing URL from Twitter or wherever into the e-mail?

      I agree that almost all kinds of scams are easy to be detected by anyone with "digital street smarts", but in some cases, like Unicode URLs from the article, it is not obvious how to be secure.

      Of course companies send text/html, but anyways...

    4. Re:Don't be stupid. by OneHundredAndTen · · Score: 1

      Many scams involve not only stupidity on the scammee's side, but also greed and dishonesty. The classical Nigerian scam is a good example - to fall for it you have to stupid, greedy and dishonest, all at the same time. It amazes me that so many who fall for that kind of scam are not utterly embarrassed to report it to the police. Well, I seem to recall that main characteristic of Jordan Belfort, the so-called Wolf of Wall Street, is his complete and absolute lack of shame.

    5. Re: Don't be stupid. by AvitarX · · Score: 1

      True, I could use faxes instead of email, or snail mail.

      Or pay extra interest and not shop around as much on a mortgage.

      I'm unconvinced that faxes through a third party (that I'm sure go to the banks email system) or snail mail are more secure than my bank account's website, it's not like identity theft from mail has never happened.

      I'm pretty content with my bank's security, it's the separate website that I don't even think is them that requires downloading an HTML file for secure messages that frustrates me.

      No anti fishing, and enforces the behavior of downloading and opening attachments in emails.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    6. Re:Don't be stupid. by tlhIngan · · Score: 1

      It amazes me that so many who fall for that kind of scam are not utterly embarrassed to report it to the police

      Most of the scammed ARE embarrassed to go to the police, actually. For every one you hear in the news, there are probably dozens of people who simply walked away after losing thousands of dollars in one of the many scams.

      Heck, some of them who go to the police make up a story to go along with it. Just last week, a woman claimed to receive a call from the CRA (Canada Revenue Agency, aka the Canadian IRS) who then had fake police "arrest" her and force her to withdraw money.

      Yes, people fall for the tax scam all the time. It'a annoying enough to receive the calls almost daily at times. Though this time, they used Bitcoin instead of iTunes cards (or other gift card) - perhaps because large iTunes card purchases are flagged by most retailers - there is very few legitimate reasons to buy 100 $50 iTunes cards so most retailers will ask if they're paying a tax bill or something.

      Chances are, the public is going to be so reinforced into "the taxman does not accept gift cards and Bitcoin" that any mention of Bitcoin will trigger scam alerts. (And I found out there's apparently a bitcoin "ATM" near me).

      The scammed people are too embarrassed most of the time to admit they've been scammed. Usually because they usually believe they can't be scammed. The only way to be sure is to take two life lessons to heart - first, nothing is easy in life - so if someone promises a lot of money to you quickly, it's a scam, and two - question everything.

      My mom was the best at it - she literally would question everything - she'd get a scam email and delete it. If she wasn't sure, she'd ask me and we'd talk about it. At which point she'd realize it was still a scam - either some tell tale sign she missed, or if we weren't sure, we'd assume it was a scam. Any important business is never done through just email - your bank, a government agency, etc., they'd send letters or call you in addition to email. I think out of this only once did we treat something as a scam that wasn't, which happened because they sent a letter the next day.

    7. Re: Don't be stupid. by vlueboy · · Score: 1

      I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.

      Anybody can refuse web banking. It's not difficult.

      Not sure if you include "credit card payments" here but it's becoming impossible to use the internet without a credit card and an email address. Trusting trust --if you want to have some kind of paypal account then you need to provide a credit card (or a bank account IIRC --and there's no offline way of populating that, so you're effectively doing banking by proxy)

      But I digress. The reason I replied was to remind you that no matter what you do, your information will be leaked --if it's not YOU, it will be one of the companies you choose to use... But it doesn't stop there --if you live in the US, a coinflip chance determines whether scammers already got your information last year. So in a crowded stadium, one in two is a considerable amount to leave to random chance... half of the people you see are statistically likely to be one of those 150 million people out of 300 million total population attacked by the Equifax hack. Even if you never walk thru their corporate headquarters doors --you have no choice. Funny, I put the wrong name in a websearch and saw news that Experian (the other non-optional credit union out of now 4 standard bodies) also got hacked, though that one went under my radar -- https://www.theguardian.com/bu...

      That one was "only" 15 million marks. Sad to think that something that large is discounted to the point of never being mentioned during Equifax's raking over the coals last year, just because it reduces the stadium illustration from 50% to a 10% of those 50% odds, which is still a respectable 1 in 20 people in that stadium instead of 1 in 2.

      We are in deep trouble. If someone got your social security number and you keep it for life with no exceptions, then it's game over --we just don't know when or how we're going to get the surprise once the credit union hackers start trickling the data to high-payers. Worse yet, even legit companies share our data with impudence. It's only a matter of time before "private" data from that breach ends up tainting muddy sources like those gossipy involuntary aggregation | blackmail sites of the likes of Spokeo Inc.

  4. Unicode doesn't belong in a URL... by ELCouz · · Score: 3, Insightful

    Seriously...what they where thinking?!?!

    1. Re:Unicode doesn't belong in a URL... by darkain · · Score: 5, Insightful

      They were thinking that not the entire world is English speaking.

    2. Re: Unicode doesn't belong in a URL... by ELCouz · · Score: 1

      People got along just fine with ASCII back in the days. Unicode is asking for trouble in a URL.

    3. Re:Unicode doesn't belong in a URL... by Zontar+The+Mindless · · Score: 1

      Company names are generally transliterated: Hyundai, Samsung, Toyota, ...

      You provide additional evidence that you really don't know much about languages or writing systems, but I need to get some work done today, so I'll leave spotting those to the interested and discerning reader.

      --
      Il n'y a pas de Planet B.
    4. Re: Unicode doesn't belong in a URL... by thegarbz · · Score: 1

      People got along just fine with ASCII back in the days.

      Yeah. I look around at American English speakers and see that ASCII was just fine, so what was the problem?

      Yes I am mocking your ignorance. People did NOT get along just fine in the ASCII days. Simply using a computer was an incredibly painful event for those not using the Latin alphabet. Hell it was a problem for those using derivations of the Latin alphabet that weren't uniquely English.

    5. Re:Unicode doesn't belong in a URL... by AmiMoJo · · Score: 1

      And that domain names should not be used for authentication. If you want microsoft.com you don't visually inspect the address bar, you validate the certificate with a trusted issuer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re: Unicode doesn't belong in a URL... by houghi · · Score: 1

      People got along just fine before the USofA existed and before English was even spoken as well. So what is your point?

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re: Unicode doesn't belong in a URL... by ELCouz · · Score: 1

      You are aware I am talking about the URL and not the page text ....right? If you could get off your high horse once in a while you would see using unicode / punycodes in a URL are a mess. I use latin characters the time.

    8. Re: Unicode doesn't belong in a URL... by ELCouz · · Score: 1

      If you can't read my OP title and reply accordingly. You are a truly retarded troll. Internet was invented with ASCII in mind.

    9. Re: Unicode doesn't belong in a URL... by nukenerd · · Score: 1

      People got along just fine before the USofA existed and before English was even spoken as well. So what is your point?

      So we should adopt Nordic runes Egyptian hieroglyphs then? The point is that we need to adopt some character set for URLs and the Latin character set is the best candidate - better than Unicode. As someone else said, we are talking about the name of the URL, not the content of the page. I'm fine with eg Japanese readers reading Japanese literature in Japanese characters.

      But you will find that Japanese who are using the Web are quite capable of recognising Latin characters well enough to recognise an URL they are looking for. Otherwise, I'd be quite happy if eg the Japanese went off and created their own internet with their own character set (ie their particular sub-set of Unicode) throughout; the Western Internet could still be accessible to them and theirs to the West, but you would know where you were and there could be no Unicode trickery with the URL.

    10. Re: Unicode doesn't belong in a URL... by DontBeAMoran · · Score: 1

      Ook ook grok tok!

      --
      #DeleteFacebook
    11. Re:Unicode doesn't belong in a URL... by DontBeAMoran · · Score: 1

      Also, requiring ASCII doesn't prevent scammers. slashdot.org and sIashdot.org are both in ASCII character only.

      Let's return to ASCII-only URLs and have the browsers display the subdomain, domain name and the TLD in uppercase and have them use a constant font across all platforms that makes it impossible to mistake an uppercase letter "O" with the number "0" (zero).

      --
      #DeleteFacebook
    12. Re:Unicode doesn't belong in a URL... by DontBeAMoran · · Score: 1

      But would anyone be able to get a certificate with a look-alike domain name signed to the name "Microsoft Corp." or similar?

      --
      #DeleteFacebook
    13. Re:Unicode doesn't belong in a URL... by ahodgson · · Score: 1

      Anyone can get a cert issued to whoever they want as long as they control the domain (web serving, DNS or email).

      Extended validation certs not so much. But I would think a scammer could get an EV cert issued to something that looks convincingly similar, too.

    14. Re:Unicode doesn't belong in a URL... by Megol · · Score: 1

      Most of the world doesn't speak English, why do you think something that was international from the beginning (the web - not ARPANET) should be limited to English?

      Idiotic crap.

    15. Re: Unicode doesn't belong in a URL... by thegarbz · · Score: 1

      Indeed. Now feel free to translate all the companies you know into a foreign language you can't understand and into a keyboard with which you're not used to typing.

      Just because you're talking about a subset of computing doesn't make it any less of a distinction without a difference.

    16. Re:Unicode doesn't belong in a URL... by ELCouz · · Score: 1

      No sure if sarcastic but I think this could be great idea if there was an uniformity between desktop & mobile browsers. W3C could manage the standard.

    17. Re:Unicode doesn't belong in a URL... by ConceptJunkie · · Score: 1

      Transliteration is fine, but I can't find Peking or Bombay on a map any more!

      --
      You are in a maze of twisty little passages, all alike.
  5. Re:and the old is new again ... by AHuxley · · Score: 1

    That O looks like 0 depending on the font?
    That 1 looks like I ?

    --
    Domestic spying is now "Benign Information Gathering"
  6. why is there not a setting. by Anonymous Coward · · Score: 2, Interesting

    Browsers should have you choose a language and not allow sites in other languages (in the url) by default. You go in somewhere and say allow everything or populate a list of acceptable languages. It should at least give a popup.

  7. It's not unicode - DNS uses punycode by FeelGood314 · · Score: 5, Informative

    DNS entries are ASCII. Punycode is a way to put unicode in ASCII in a way that is sort of mostly human readable. For an English speaker (AKA ASCII character users) always set your browser to display the raw punycode and not the unicode points. For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs with punycode that looks like English words. Ones that do will quickly be removed from the browsers.

    For the non-English, you're f#@ked. Seriously. This was a good awful idea. We are going to return to an English only internet because everything else will be untrustable.

    1. Re:It's not unicode - DNS uses punycode by Anonymous Coward · · Score: 1

      Parent link will help you know if you need to change your punycode setting.

      Firefox users: If your mouse-over shows the look of disapproval emoticon, then can go to your about:config and change network.IDN_show_punycode to true .

      p.s. Sorry Chrome users, I don't know what you need to do. Maybe someone else can post the answer for Chrome?

    2. Re:It's not unicode - DNS uses punycode by dargaud · · Score: 1

      always set your browser to display the raw punycode and not the unicode points

      Is that "network.IDN_show_punycode" in the about:config of Firefox ?

      --
      Non-Linux Penguins ?
    3. Re: It's not unicode - DNS uses punycode by PhunkySchtuff · · Score: 1

      They are no less trustworthy than any other registrar offering domain verified certificates. Given the short lifespan of the certs, they're slightly more secure.

      --
      Specialist Mac support for creative pros, Melbourne
    4. Re:It's not unicode - DNS uses punycode by thegarbz · · Score: 1

      For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs

      Okay stop right there. Is that advice there? Do you go tell your grandma that HTTPS is safe? I think what you meant to say is that you should examine the EV certificate of every site you want to hand credentials to.

      I just realised... are we even on Slashdot or is some MITMer stealing my Slashdot login on this fraudulent lookalike site?

    5. Re:It's not unicode - DNS uses punycode by thegarbz · · Score: 1

      Let's Encrypt will happily do it.

      Lets Encrypt does not and will not issue EV certificates.

    6. Re:It's not unicode - DNS uses punycode by omnichad · · Score: 1

      Missed two letters. Average end user doesn't even notice when a major site isn't EV, so it makes little difference.

    7. Re:It's not unicode - DNS uses punycode by thegarbz · · Score: 1

      Average end user doesn't even notice when a major site isn't EV

      It is literally the difference between a greenlock, and half the URL bar lit up in bright green displaying the full registered company name.

      It is a far more obvious change than an s in the URL, or a tiny colour. In some browsers an EV certificate will replace the entire URL. This is about the most obvious thing available in terms of informing users about encryption that we have come up with. Users have historically taken on the in retrospect incorrect advice of looking for the encryption lock leading to fraudsters obtaining DV certificates in an attempt to continue to look legitimate.

      It is 2018. The age of blaming users for being blind is over. Vendors have provided the tools to very easily identify the information needed and it is now up to me and you to educate users about what to look for in their legitimacy of their website.

      Seriously it doesn't take much effort. Which one is more legit when displayed to the user:
      Secure: https://www.banksofaamerica.co...
      Bank of America Corporation [US]: https://www.bankofamerica.com/

      Claiming the users can't tell the difference is just silly.

    8. Re:It's not unicode - DNS uses punycode by daq4th · · Score: 1
      Not true. Chrome displays punycode on a risk based score, and the rules get stricter every release.

      Older versions displayed slashdot.org as IDN, newer version only punycode. (I wasn't able to get the U+013C LATIN SMALL LETTER L WITH CEDILLA character through the comment system)

      And .org domains have more strict registry rules for example then .com, but there are risky domains even in .org namespace.
      You can play on dom.****.com with some tlds and allowed scripts.

  8. Old news by sgunhouse · · Score: 3

    I remember this was a big deal - what, 10 years ago. Various desktop browsers implemented features to make the real URL of websites more obvious and then a variety of TLDs were certified as not allowing such domain name spoofing. Everything old is new again, huh?

    1. Re:Old news by mcswell · · Score: 3, Informative

      Right. Here's an article on the topic (and a solution) dated *2011*: https://www.symantec.com/conne.... Or read about it in the Wikipedia, with references going back to *2002*: https://en.wikipedia.org/wiki/....

      I would hazard a guess that every one of those "8,000 separate characters that could be abused to confuse people" has been known for a least a decade. News my eye.

  9. Yup by Trogre · · Score: 2

    Never saw that coming.

    Not at all.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re:Yup by viperidaenz · · Score: 2

      I googled how to disable IDN in browsers and it returned an article from 2005 about Firefox disabling support for IDN due to phishing concerns
      https://news.netcraft.com/arch...
      Netcraft confirmed it.

  10. disable idn in your browser... by Anonymous Coward · · Score: 3, Informative

    in firefox's about:config page

    set network.IDN_show_punycode to true

    to force firefox always use the punycode, e.g:
    https://www.xn--80ak6aa92e.com...

    good write-up here (where the above example, which looks like 'www.apple.com' comes from):

    https://www.xudongz.com/blog/2...

  11. "any" by v1 · · Score: 1

    "Any lower case letter can be represented by as many as 40 different variations."

    Mixing upper and lower thresholds in one sentence - please stop doing that. That's just like "Save up to 95% on select in-store items!" It's completely meaningless other than to attempt to grab attention. It's just abusing a typically small number of outliers to suggest a much broader fact.

    --
    I work for the Department of Redundancy Department.
  12. Re:and the old is new again ... by gl4ss · · Score: 1

    well the old farts put the identical looking characters into the set for to be used for domain names.

    how the fuck are you supposed to even know that? I mean for non techies and even techies.

    I mean, Microsoft.com is easy enough to tell from Mlcrosoft.com. but if it looks the same, how would you know? you're not going to be hand writing every hyperlink again now are you?

    --
    world was created 5 seconds before this post as it is.
  13. Dear browser makers by viperidaenz · · Score: 4, Insightful

    Give an option to disable the display of IDN's. Instead display the "Punycode" translation of the name.
    Better yet, default that for English and any other language that doesn't require non-ascii characters.

    1. Re:Dear browser makers by Anonymous Coward · · Score: 3, Informative

      In Firefox:

      1. about:config

      2. network.IDN_show_punycode set as "true"

      This will force the display of the “raw” punycode version of internationalized domain names, with the xn- prefix so it's obvious.

      http://kb.mozillazine.org/Network.IDN_show_punycode

      It's crazy to browse without setting this true, unless you want people to spoof homographic punycoded URLs in phising attacks on your browser.

  14. Re:Same old news by omnichad · · Score: 1

    You cannot have a browser that doesn't leak memory because of the complexity of "the DOM". Websites are insecurable because of the way html is written and driven.

    Abandoning XHTML for html5 (anything goes edition) was maybe the worst move in w3c history. And I'm saying that as someone who doesn't really like XML.

  15. Wasn't really W3C's choice to make by raymorris · · Score: 1

    W3C didn't really have much choice in the matter. They rejected to the two proposals that were later merged to become HTML5. The browser vendors and others went off and formed WHATWG to develop HTML5, saying the would not implement XHTML 2.0.

    The mistake, or lack of foresight, was made much earlier, in the design of XHTML 1.0. That required a rewrite that wasn't backward compatible, XHTML 2.0, which didn't meet the needs of the way the web was evolving.

  16. Is there a use case for mixed-alphabet domains? by fuzzyfuzzyfungus · · Score: 2

    I can understand the logic behind adding support for characters that weren't necessarily a priority back when the internet was a DARPA and some mostly anglophome universities project; but are there any non-scam/amusing novelty use cases for mixed alphabet domain names?

    I ask in sincere curiosity. With the possible exception of non-latin alphabets used alongsiide hindu-arabic numerals; I can't think of any situations where a human natural language is written such that it would use domain nes that are a mixture of multiple alphabets from a Unicode perspective(and, if there were such a language, it would arguably be on Unicode to fix that by assigning the necessary codepoints to the alphabet currently being cobbled together out of several: since Unicode is about glyphs rather than fonts the fact that the same symbol is used doesn't make it the same thing for Unicode purposes, as with all the Greek letters that get one codepoint as mathematical symbols and another as Greek letters, or the visually identical overlaps between Latin and Cyrillic that get coded as completely distinct things because they are.); but what I don't know about linguistics and contemporary natural language usage is very much not an impressive arguement.

    Are there any legitimate/expected use cases; or should a domain name cobbled together from multiple alphabets be treated as deeply suspicious in essentially all cases?

  17. hmm by cascadingstylesheet · · Score: 1

    Been going on for quite awhile, hasn't it?

  18. Re:and the old is new again ... by houghi · · Score: 1

    Is that a lowercase L or an uppercase i? lIlIlIIIlll

    --
    Don't fight for your country, if your country does not fight for you.
  19. Not exactly new news. by Mike+Van+Pelt · · Score: 1

    See the uproar over the {U+0262}oogle.com domain a couple of years ago. The merry Russian prankster doing that was just playing "Hey! Look what I did! Ha Ha Ha!" with it, whoever he could get to click on it, but it was certainly obvious then that it could be used for nefarious purposes.

  20. Microsoft fixed this by aberglas · · Score: 1

    I use there font Verdana where possible -- the letters all look different.

    Th lI is bullshit that every font designer believes in.