Watch out: ɢoogle.com isn’t the same as Google.com

206 点作者 lucodibidil超过 8 年前

23 条评论

rurban超过 8 年前

What about ‮goog‬le.com which is really <U+202E>goog<U+202C>le.com :)TR36 bidi spoofs are usually worse than TR39 confusables. Move over with your cursor over it. <a href="http://www.unicode.org/reports/tr36/#Bidirectional_Text_Spoofing" rel="nofollow">http://www.unicode.org/reports/tr36/#Bidirectional_Text_Spoo...</a>That's why browsers or dns tools use libidn, just programming languages not.

a3n超过 8 年前

This is strange to me. This is clearly meant, in unicode, to be 'G' that we all know and love. It has uselessly expanded "the alphabet" (to be western-centric) in a confusable way.Unicode maybe should have been three dimensional, with "concept of G" in the 2D space, and "ways of representing G" behind G, along the third axis. All ways of representing G, whether little capital, capital, lower case, would or at least could equate to conceptual G in the 2D space.

评论 #13008241 未加载

评论 #13008158 未加载

评论 #13007334 未加载

评论 #13007301 未加载

评论 #13007343 未加载

donquichotte超过 8 年前

Some time ago I registered <a href="http://www.goolge.io/" rel="nofollow">http://www.goolge.io/</a>. Still haven't done anything with it, I guess at some point I'll just redirect it to duckduckgo. [EDIT: now it's redirected to duckduckgo.]This can of course be used in a malicious way. I thought about rebuilding the homepage of the bank Credit Suisse on www.credit-siusse.ch, but that's probably illegal.

评论 #13005334 未加载

评论 #13005333 未加载

评论 #13005274 未加载

Entangled超过 8 年前

Web browsers should have an option to show non-ascii chars in urls in red.

评论 #13005136 未加载

评论 #13005404 未加载

评论 #13005548 未加载

评论 #13005284 未加载

评论 #13006478 未加载

评论 #13005041 未加载

评论 #13005359 未加载

评论 #13013147 未加载

评论 #13004948 未加载

cjrd超过 8 年前

Proud owner of <a href="http://gïthub.com" rel="nofollow">http://gïthub.com</a> checking in...

评论 #13015434 未加载

评论 #13008669 未加载

TazeTSchnitzel超过 8 年前

<a href="https://en.wikipedia.org/wiki/IDN_homograph_attack" rel="nofollow">https://en.wikipedia.org/wiki/IDN_homograph_attack</a>

评论 #13005554 未加载

orbitur超过 8 年前

This is something that's been bugging me for years.Why are there multiple representations of alphabet characters in Unicode? It seems reasonable to include accent marks, but what's the benefit in having a Cyrillic 'o' alongside a standard 'o' or the 2 or 3 other ASCII-lookalike sets of characters?

评论 #13007120 未加载

评论 #13006360 未加载

评论 #13005889 未加载

评论 #13006618 未加载

评论 #13005848 未加载

评论 #13005923 未加载

ergot超过 8 年前

For me it just redirects to<pre><code> http://money.get.away.get.a.good.job.with.jack.ilovevitaly.com </code></pre> The actual domain is <a href="http://xn--oogle-wmc.com/" rel="nofollow">http://xn--oogle-wmc.com/</a>Which is an Internationalized domain name[1] in punycode transcription[1] <a href="https://en.wikipedia.org/wiki/Internationalized_domain_name" rel="nofollow">https://en.wikipedia.org/wiki/Internationalized_domain_name</a>The G in question here is<a href="https://en.wiktionary.org/wiki/%C9%A2" rel="nofollow">https://en.wiktionary.org/wiki/%C9%A2</a>OR<a href="http://charcod.es/#%C9%A2/610" rel="nofollow">http://charcod.es/#%C9%A2/610</a>

评论 #13005015 未加载

评论 #13006406 未加载

Kenji超过 8 年前

Unicode URLs are the devil. Too many indistinguishable characters. URLs should stay full ASCII imho. And I say that as someone whose language requires non-ASCII symbols.Or, in Bruce Schneier's words: "Unicode is just too complex to ever be secure."

评论 #13006299 未加载

underyx超过 8 年前

It was a pretty nice surprise that when sending this URL in Slack it was automatically converted to `xn--oogle-wmc.com`.

评论 #13005227 未加载

评论 #13005203 未加载

SamWhited超过 8 年前

There has been talk at the IETF of redefining IDNA2008 (the current way you prevent issues like this) in terms of the PRECIS framework (RFC 7564). This wouldn't exactly "solve" the problem, but it would mean that IDNA could be more agile with respect to Unicode versions and would make it easier to react to new problems, new confusable characters, etc. as they happen.

vbezhenar超过 8 年前

What about Googlé.com and infinite number of other variations?

评论 #13005271 未加载

joncrocks超过 8 年前

I believe now that browsers have support for non-ascii URLs, each of them have schemes for anti-phishing.See <a href="https://www.w3.org/International/articles/idn-and-iri/" rel="nofollow">https://www.w3.org/International/articles/idn-and-iri/</a>and <a href="https://wiki.mozilla.org/IDN_Display_Algorithm" rel="nofollow">https://wiki.mozilla.org/IDN_Display_Algorithm</a>plus <a href="http://www.chromium.org/developers/design-documents/idn-in-google-chrome" rel="nofollow">http://www.chromium.org/developers/design-documents/idn-in-g...</a>

评论 #13005642 未加载

hannele超过 8 年前

Ahh, the old classic, PayPaI: <a href="https://en.wikipedia.org/wiki/PayPaI" rel="nofollow">https://en.wikipedia.org/wiki/PayPaI</a> (uppercase 'i')

alessioalex超过 8 年前

This just redirects me to <a href="http://xn--oogle-wmc.com/" rel="nofollow">http://xn--oogle-wmc.com/</a> so I know it's not the real google (using Chrome).

cesis超过 8 年前

Why Google analytics isn't filtering out this referral spam?

评论 #13006328 未加载

jahewson超过 8 年前

Browsers already blacklist many visually similar characters, it seems that the IPA characters need to be added to that list.

chaz6超过 8 年前

I thought there were supposed to be registry rules preventing similar looking names to be registered as an idna. I guess not.

评论 #13005113 未加载

评论 #13005338 未加载

Programmatic超过 8 年前

I'm not sure how feasible this is, but wouldn't it make sense for .com/.net/etc to be latin alphabet only and allow other domains to be localized with unicode? I wouldn't really have a problem with 新浪首页.cn, and I doubt I would confuse ɢoogle.ru or whatever with google.com

评论 #13006601 未加载

Roboprog超过 8 年前

Cool! I want a cool non-alpha unicode domain. I guess "square-root" is already taken, but there must be some cool domains left (even though nobody can actually type them in).Actually, some of these would probably be nice aliases for some math / science oriented sites.E.g. - .com

评论 #13006738 未加载

hannele超过 8 年前

I'm curious, why is it allowed to register domain names with mixed character sets? I am behind allowing Unicode characters in domain names for the obvious reasons, but are there compelling use cases for allowing them to be mixed?

评论 #13006769 未加载

reacweb超过 8 年前

Maybe browser should have a security option to whitelist characters in URL. When a URL uses another character, there would be popups with explanations and choices.

transfire超过 8 年前

Oh, you mean Unicode Sucks(TM)? Yes. Yes it does.

23 条评论

rurban超过 8 年前

a3n超过 8 年前

评论 #13008241 未加载

评论 #13008158 未加载

评论 #13007334 未加载

评论 #13007301 未加载

评论 #13007343 未加载

donquichotte超过 8 年前

评论 #13005334 未加载

评论 #13005333 未加载

评论 #13005274 未加载

Entangled超过 8 年前

Web browsers should have an option to show non-ascii chars in urls in red.

评论 #13005136 未加载

评论 #13005404 未加载

评论 #13005548 未加载

评论 #13005284 未加载

评论 #13006478 未加载

评论 #13005041 未加载

评论 #13005359 未加载

评论 #13013147 未加载

评论 #13004948 未加载

cjrd超过 8 年前

Proud owner of <a href="http://gïthub.com" rel="nofollow">http://gïthub.com</a> checking in...

评论 #13015434 未加载

评论 #13008669 未加载

TazeTSchnitzel超过 8 年前

<a href="https://en.wikipedia.org/wiki/IDN_homograph_attack" rel="nofollow">https://en.wikipedia.org/wiki/IDN_homograph_attack</a>

评论 #13005554 未加载

orbitur超过 8 年前

评论 #13007120 未加载

评论 #13006360 未加载

评论 #13005889 未加载

评论 #13006618 未加载

评论 #13005848 未加载

评论 #13005923 未加载

ergot超过 8 年前

评论 #13005015 未加载

评论 #13006406 未加载

Kenji超过 8 年前

评论 #13006299 未加载

underyx超过 8 年前

It was a pretty nice surprise that when sending this URL in Slack it was automatically converted to `xn--oogle-wmc.com`.

评论 #13005227 未加载

评论 #13005203 未加载

SamWhited超过 8 年前

vbezhenar超过 8 年前

What about Googlé.com and infinite number of other variations?

评论 #13005271 未加载

joncrocks超过 8 年前

评论 #13005642 未加载

hannele超过 8 年前

Ahh, the old classic, PayPaI: <a href="https://en.wikipedia.org/wiki/PayPaI" rel="nofollow">https://en.wikipedia.org/wiki/PayPaI</a> (uppercase 'i')

alessioalex超过 8 年前

This just redirects me to <a href="http://xn--oogle-wmc.com/" rel="nofollow">http://xn--oogle-wmc.com/</a> so I know it's not the real google (using Chrome).

cesis超过 8 年前

Why Google analytics isn't filtering out this referral spam?

评论 #13006328 未加载

jahewson超过 8 年前

Browsers already blacklist many visually similar characters, it seems that the IPA characters need to be added to that list.

chaz6超过 8 年前

I thought there were supposed to be registry rules preventing similar looking names to be registered as an idna. I guess not.

评论 #13005113 未加载

评论 #13005338 未加载

Programmatic超过 8 年前

评论 #13006601 未加载

Roboprog超过 8 年前

评论 #13006738 未加载

hannele超过 8 年前

评论 #13006769 未加载

reacweb超过 8 年前

Maybe browser should have a security option to whitelist characters in URL. When a URL uses another character, there would be popups with explanations and choices.

transfire超过 8 年前

Oh, you mean Unicode Sucks(TM)? Yes. Yes it does.