Replying to @ManishEarth
Seems like the most devious "ascii-lookalike" ones probably have apparent ratios, but I don't know how this works for other scripts
Like, I imagine that there are potentially subtle swaps outside of Latin chars that are also dangerous? Not sure. Wouldn't want to ignore if so
You could have a "did you mean?/warning" type thing based on historical domains on the assumption intended domains are visited pre-phish but
I mean, scripts like Vietnamese use Latin bases with tiny squiggly diacritics. Not straightforward.
What homograph problem do Vietnamese diacritics pose?
Same as é and stuff, really, but harder to notice (ơ looks like a speck of dust).
If the problem being solved is users ignorant of Latin diacritics to the point of mentally filtering them out, that's hard to solve indeed.
Actually, it’s easy: require that names that differ only in diacritics belong to the same registrant. .fi at least used to require this.
Which, of course, requires TLD policy to put security ahead of greed, which is a problem given the MO of ICANN.
Hah. Agreed. This is the *correct* solution, but registrars aren't implementing it, which is why browsers have stepped up (and should continue)
Yeah, our original policy was to whitelist registrars with good policies, but that ended up incompatible with other browsers (& no .com!)

Apr 17, 2017 · 11:23 AM UTC
