With all the hype around the soon-to-be-standardized multilingual top-level domains and IDNs (internationalized domain names), how good are you at telling the difference between a legitimate domain and a phishing name? Ready? Go!
Which one is legit: paypal.com or рayрal.com? Can’t tell the difference?
The р in the latter domain name (also in the title, by the way) is a Cyrillic glyph that looks identical to the Latin p. There are many glyphs from different scripts that look identical. With the exception of Middle-Eastern and East-Asian scripts and some archaic languages, all modern scripts bear a strong resemblance to each other.
While phishing filters are designed to look at long domain names such as paypal.com.phishing.com, and we are all used to checking that the domain name we land on is legitimate, we are incapable of detecting identical-looking glyphs from different scripts.
Never thought magnifying glasses could be a cool security feature, did you?
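To make the homoglyph problem in the post concrete, here is an added Python example (not part of the original post): it flags the non-ASCII characters in a domain, detects labels that mix letters from more than one script, and shows the ASCII-compatible (xn--) punycode form a browser can display. The two sample domains are constructed; the spoofed one uses Cyrillic small letter er (U+0440) in place of the Latin p.

```python
import unicodedata

# Constructed sample domains: a legitimate one and a look-alike built with
# the Cyrillic small letter er (U+0440) standing in for the Latin p.
LEGIT = "paypal.com"
SPOOF = "\u0440ay\u0440al.com"  # renders as рayрal.com


def script_of(ch: str) -> str:
    """Return the script name that leads a character's Unicode name,
    e.g. 'LATIN' for 'p' and 'CYRILLIC' for U+0440."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def suspicious_chars(domain: str) -> list:
    """List (position, char, Unicode name) for every non-ASCII character,
    i.e. what a browser could underline in the address bar."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(domain) if ord(ch) > 0x7F]


def mixed_script_labels(domain: str) -> list:
    """Return the labels (dot-separated parts) whose letters come from
    more than one script, the homoglyph pattern shown in the post."""
    flagged = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def to_punycode(domain: str) -> str:
    """ASCII-compatible form of an IDN (labels prefixed xn--); a pure ASCII
    domain is returned unchanged, so any 'xn--' is a visible cue."""
    return domain.encode("idna").decode("ascii")


def analyse(domain: str) -> dict:
    """Bundle the three checks for one domain."""
    return {
        "punycode": to_punycode(domain),
        "non_ascii": suspicious_chars(domain),
        "mixed_script_labels": mixed_script_labels(domain),
    }


if __name__ == "__main__":
    for d in (LEGIT, SPOOF):
        print(d, "->", analyse(d))
```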
There must be a way for browsers to detect which characters in a URL are not standard western characters.
If this is possible then browsers should underline (or something similar) characters in the address bar/URL which _aren’t_ in the Latin/Roman alphabet. This will make it easy for the end-user to know if they are actually on the correct website or if they’re on a scam/phishing site.
Phishing filters should have no problem identifying spoofed web addresses, since they compare character codes. Browsers too, as Simon comments, could be patched to [optionally] highlight unusual characters or the whole URL. This would be a good feature, even if not for phishing detection.
@Fawzi, thanks for the info!
I am paranoid, I NEVER click on a link in an email!
@Simon and @Thomas, let’s hope that all major browsers implement your suggestions!
If you’d tested this in a browser, you’d know that this is a solved problem: FF 3.5, IE 8.0, and Chrome 4.0 all show the punycode version of the domain, both in the address bar (if you click) and the status bar (if you hover over a link). No idea what earlier versions of these, or Safari and Opera, do.
While punycode won’t be particularly pretty for the new TLDs, that too is solvable: just embed a list of which TLDs use which character sets in the browser. New domains can be handled by an update process.