Gosh that’s old. The original paper was from 2001, the Shmoo group wrote about it in 2005 - <a href="https://blogs.oracle.com/yakshaving/entry/so_not_funny_shmoo_group" rel="nofollow">https://blogs.oracle.com/yakshaving/entry/so_not_funny_shmoo...</a> - and Joi Ito and I were able to register Veriѕign.com then, to highlight how their greedy mismanagement of .com made this possible.<p>Three possible solutions, not mutually incompatible:<p>* Make the browsers catch it - Chrome just shows characters that look like apple.com here, and shouldn’t.<p>* Whitelist character sets that are allowed to be mixed, at the registry level - it should only be possible to mix Cyrillic-Latin homoglyphs with Cyrillic non-homoglyphs.<p>* Don’t allow IDNs on gTLDs - if you want “écriture”, get écriture.fr, not .com<p>Obviously, the registries have a conflict of interest here, and won’t let 2 and 3 happen on .com because it would cut into Verisign's revenue.<p>See also <a href="https://en.wikipedia.org/wiki/IDN_homograph_attack" rel="nofollow">https://en.wikipedia.org/wiki/IDN_homograph_attack</a>
Do Unicode URLs actually provide any real value? Every web user must be already used to typing Latin characters because so many major websites use them. So nobody would be excluded by that. Whereas, any non-Latin character is going to be nearly impossible for most of the world to enter.<p>A particularly terrible language is Chinese, where most old people can't type the characters even though they can type Latin letters. That's because you have to deliberately invest time to sit down and learn an input method, which is a non-trivial endeavor that takes weeks of effort, and old people just aren't going to go back to school for that.
Ouch. This is a good one.<p>Whilst it's easy to say "Just enable Punycode always",
people that use the web in different languages lose a lot of functionality because of it.<p>I could imagine a solution would be to collect a list of homoglyphs, then when the browser suspects an overlap it does a search for similarly spelt sites, then warns the user of the possibility of the site being an imitation.
Of course then also converting the URL in the address bar to Punycode.<p>What other ideas are there?
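One way to sketch the check proposed in the comment above, as an added example that is not part of the original thread: decode each Punycode label, flag labels that mix scripts, and compare a lookalike "skeleton" of the name against a list of known sites, falling back to the Punycode form for display when either test fires. The LOOKALIKES table, the known_sites set and all function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: a small hand-picked Cyrillic-to-Latin lookalike table for the
# demo; a production check would load the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
              "\u0456": "i", "\u0458": "j", "\u04cf": "l"}

def to_unicode(label):
    """Decode one DNS label; encoded labels carry the 'xn--' prefix."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode one label back to its 'xn--' form if it is not plain ASCII."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace every known lookalike with its Latin twin."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label.lower())

def check_host(host, known_sites):
    """Return (verdict, form to show in the address bar)."""
    labels = [to_unicode(part) for part in host.split(".")]
    unicode_form = ".".join(labels)
    ascii_form = ".".join(to_ascii(l) for l in labels)
    # Simplification: any mix of scripts inside one label is suspicious.
    # Legitimate mixes (e.g. Japanese kana with kanji) would need an allowlist.
    if any(len(scripts(l)) > 1 for l in labels):
        return "mixed-script", ascii_form
    skel = ".".join(skeleton(l) for l in labels)
    if skel != unicode_form.lower() and skel in known_sites:
        return "lookalike of " + skel, ascii_form
    return "ok", unicode_form

if __name__ == "__main__":
    known = {"apple.com", "verisign.com"}   # constructed list of known sites
    for h in ("xn--80ak6aa92e.com", "veri\u0455ign.com", "\u00e9criture.fr"):
        print(h, "->", check_host(h, known))
```

A single-script label such as the all-Cyrillic one behind xn--80ak6aa92e passes the mixed-script test, which is why the skeleton comparison against known sites is needed as a second step.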
Safari just displays it as "<a href="https://www.xn--80ak6aa92e.com" rel="nofollow">https://www.xn--80ak6aa92e.com</a>" whereas Chrome (Version 57.0.2987.133 (64-bit)) displays it as the author intended.