Pages:
Author

Topic: Punycode and how to protect yourself from Spoofed URLs and fake websites. - page 2. (Read 1122 times)

legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
...I think that browsers should definitely show these codes by default, or at least have better algorithms that detect when the user is visiting a fraudulent site. Of course it is impossible to keep up with these phishers 100% all the time, but it should at least get periodically updated (this sort of scam has been around for a while now)...

Exactly, I was wondering about the exact same thing which is why the hell browsers just don't implement something which will show the real URL, message in a popup or something else which will be really helpful and easy to use and understand. Despite everything as for now, there is no solution provided from browsers creators and all I found was a couple of addons and already written about this a couple of posts above.

...The majority of these phishing sites come from google ads as far as I know. You should never click on any of them. Even top search results can sometimes contain these sites if the site is relatively new...

This is, of course, true what you have written but outside Google Ads are also plenty of them. I have Ad blockers installed (uBlock Origin) and still already was a couple of times on such phishing websites that use Punycode and Homograph Phishing attacks to steal your passwords and only thanks to my password manager I haven't shared it.

I think we have to prepare for even the worst situation in the future because phishing websites count is growing with insane speeds. Today I have read a great post about this subject in this thread: Re: Half of all Phishing Sites Now Have the Padlock Sign
member
Activity: 476
Merit: 92
...Congrats for the Legendary and welcome in the Club !  Cool..

CONGRATUALTIONS!!!

You finally did it. Amazing achievement taking into consideration that this only took 2 years.
As you see I am back after so long again because of you. I will to be more active because is a shame to left this account after so much work I already did.
One more time thank you for everything you did for me on the forum and sorry for all the problems you had because of me.

I see that your posting skills are indeed on a much higher level and hovering merits is now for you something common.
This Punnycode thread is one of best I have read lately about security breaches on Bitcointalk forum, kudos for that.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Great post and thread , sadly i have just seen it now lol  Cheesy !

Nice information and explain about the whole thing , respect !

This deserved 3 Merits from me to you  , so you Hit now the Legendary Rank with it !


Congrats for the Legendary and welcome in the Club !  Cool

Regards Lafu

Thank you very much Lafu!!!

This is a real achievement for me, so I will remember this first post as a Legendary member and those 3 merits which made it possible for a very long time, probably forever  Cheesy.

After so many years, I finally got to the most famous Legendary club, it's a little hard to believe, that it is right now and on the other hand it lasted for so long.

Mission accomplished 
legendary
Activity: 3136
Merit: 3213
Great post and thread , sadly i have just seen it now lol  Cheesy !

Nice information and explain about the whole thing , respect !

This deserved 3 Merits from me to you  , so you Hit now the Legendary Rank with it !


Congrats for the Legendary and welcome in the Club !  Cool

Regards Lafu
hero member
Activity: 1666
Merit: 753
Extremely comprehensive guide. I did know of these phishing websites before but didn't know the exact method that scammers seem to do this by.

I think that browsers should definitely show these codes by default, or at least have better algorithms that detect when the user is visiting a fraudulent site. Of course it is impossible to keep up with these phishers 100% all the time, but it should at least get periodically updated (this sort of scam has been around for a while now).

The majority of these phishing sites come from google ads as far as I know. You should never click on any of them. Even top search results can sometimes contain these sites if the site is relatively new. As others would have probably suggested, even though bookmarks may seem like a hassle, they are definitely worth it.
hero member
Activity: 2268
Merit: 588
You own the pen
This is some scary phishing technique, another worth thread to post on my daily news today. I'll make them aware of this kind of phishing.
A few months ago I entered a fake Bitcointalk site but instead of .org the fake one is .to I'm close to getting hack by that site because I am already in the login window. I was about to sign in when I see something strange with the domain name and read it again, Damn, it was not the original site rather it's the fake one.

Base on your examples they are only interested in hacking Big exchanges account, If they make something like a Bitcointalk site, many users will fall and become victims with this kind of phishing. That's why I need them to be aware of this kind of stuff.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Today I found that there are a couple of addons for Google chrome and other browsers that are vulnerable to the Punycode and  Homograph Phishing attacks.

PhishProtect Beta: Free open-source tool to protect against homograph attacks and zero-day phishing powered by AI and Computer Vision. The tool redirects the browser to a warning page when IDN/Unicode URL or zero-day phishing website is detected and the full Punycode (ASCII) representation is displayed.
https://chrome.google.com/webstore/detail/phishprotect-beta/mikecfgnmakjomepfcghpbhfamjbjhid

Punycode alert: extension that alerts you when a Unicode URL has been opened preventing phishing attacks.
URLs can be registered in Unicode and some scams can be made with URLs looking like official websites. This extension alerts you when the URL is of this kind.
https://chrome.google.com/webstore/detail/punycode-alert/odbbcdajedbapmgpgfacfigdpbdahenh

These two are not known so much but have a couple of thousands of users but is hard to tell something more about them and to find more info or reviews online.

The last addon I found is Punycode Domain Detection and is the most known from these three. I found a couple of articles about it. Developed by Phish.ai and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.



Here link: https://chrome.google.com/webstore/detail/punycode-domain-detection/fkenopinnpinfcjneoanjoimhkmdcjne

If you wish to read more here is the article I used as a source for information: https://www.bleepingcomputer.com/news/security/chrome-extension-detects-url-homograph-unicode-attacks/
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Another scary example of Punycode phishing attack in use: Real PayPal.com Versus Fake PayPal.com.



If the domain, created using Cyrillic scripts "raural.com" was registered, the way that Unicode-browsers will actually render that domain in Latin is as "paypal.com."

In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

Not all Latin letters are represented in Cyrillic, for instance, but for companies that can have their brand compromised, we hope they look at locking those domains up quickly.

Pretty scary, no?


https://mashable.com/2010/01/01/idn-phishing/?europe=true#QqNLPKgAhmqM
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
You actually spent significant amount of time to make the thread, that gives some information I did not know...

You are right that it took a while but this doesn't matter if I know that I shared information you were not aware of  Cheesy, especially about Punycode, which is one of the biggest threats to our online security lately. Even if you know about it, sometimes these URLs are so similar that is hard to tell if this is phishing attack or an original site.

I know because I was already exposed to such a Homograph phishing attack on a fake exchange website, but luckily password manager saved me because haven't automatically filled the username and password, which was a red flag for me, because all important websites are stored in the password manager. I always login automatically and even don't remember passwords because they are created by the password manager and very complex. Still, I haven't realized that this is a phishing site and tried a couple of times to get the password filled by the browser and to log in before I understood that I am on phishing website which uses Punycode Homograph attack to steal my passwords.

I knew about this threat from some time, anyways hackers almost got me. This is why I wrote this thread because I understand that if somebody is not aware of this threat, then there is a big chance that sooner or later will be a victim of a phishing website which uses Punycode to change the URLs.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
...I think you can make your visual examples better by crop unused parts in order to display the part of phising sites with punny codes. Focusing on the part of phising sites' addresses...

Thank you very much for this suggestion. This is true and I have already changed the sizes of screens, not only in this thread but in many others, which I have already published.

To be honest I never changed the size only published screen as it was but I see it was a mistake because posts look so much better when everything is big or small enough and match the rest.

Is much easier to see the details if needed and the post is not so extended because of the big screens. As I said already changed a couple of my threads and they look a lot better now.

Thanks mate  Wink.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
@wwzsocki
I also added your Punycode topic link to my Quizzes topic:
[LEARN] Phishing Quizzes - Beginners & Experts

Thank you very much for the links spread.

We have to keep informing people about these threats because the situation is getting only worse with time.

To be honest, if you don know about Punycode and how to protect yourself from Homograph Phishing attacks, you can be very easy a victim of a faked website.

Even for a trained eye is sometimes very hard to spot the difference, like with this Binance example which is my favorite  Wink.

The most tricky phising website i've heard was this one. Looks like Binance.com but there are no "n" . This is strange n with dot at the bottom.


source

How to deal with such a phishing address? Those dots are almost unnoticeable.
legendary
Activity: 2212
Merit: 7064
One more Punycode example reported
with stéllar and medim websites

More information in Scam Accusations:
https://bitcointalksearch.org/topic/stellar-scam-punycode-keybase-hack-airdrop-fiasco-5186085

PS
@wwzsocki
I also added your Punycode topic link to my Quizzes topic:
[LEARN] Phishing Quizzes - Beginners & Experts
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
Well done!
You collected nice visual examples, but I think you can make your visual examples better by crop unused parts in order to display the part of phishing sites with punny codes. Focusing on the part of phishing sites' addresses. By looking your current images, readers are unable to imagine how punny codes works on phishing sites.  Cheesy
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Screenshot of a suspected Facebook phishing website, another Punycode Homograph Phishing attack.



Only this time is much easier to see that something is wrong with these Facebook pages, even for an untrained eye, because the SSL certificates are bad and displayed in red.



I hope that all these examples will help to identify Punycode phishing attacks. One has to check everything three times to be safe online today and there are no shortcuts.


https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/


legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Here another great example of Punycode Homograph Phishing attack. This time Ploniex exchange is targeted. Just look how similar it looks compared to the original page.



The only difference between the original page and this malicious one is that the hacker misspelled the phrase "Sign in" as "Sing in" a couple of times.

What is different in this attack is that the SSL certificate is shown as valid:



Of course is a valid SSL because this is relatively easy to do for experienced hackers, especially when Homographs are used to change the URL.

https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/

legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
Nice and informative article @wwzsocki. I found an article where it says how to avoid Punycode attacks and also who all are affected by that. I would like to include that here. Some of the examples of Punycode attacks with big brands -



Check the 7 Ways to avoid a Punycode attack -

  • Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop ups: these are all tactics to make you stay on their site longer and give them your details.
  • If you are being offered a deal, go to the original company site and check if it’s available there as well, if not it’s mostly likely a scam doing it’s best to mimic the established brand and trick visitors into handing over their details.
  • If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange is a key indicator that punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.
  • Use a password manager; this reduces the risk of pasting passwords into dodgy sites.
  • Force your browser to display Punycode names, this option is available in Firefox.
  • Click on the padlock to view and inspect the HTTPS certificate.
  • Use a mobile security solution and artificial intelligence to monitor all data traffic and to detect and block phishing links.
Source: Punycode attacks - the fake domains that are impossible to detect

Thanks for this comment and info. I already awarded you with merit and will use it in my OP if you don't mind?

I want to add all these points from "7 Ways to avoid a Punycode attack". I think it will make this article complete when I will add it in the end.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
I tried to see if I could locate some stats on punycode being used on phishing sites, bute the closest I managed to retrieve is this (see https://www.infosecurity-magazine.com/news/fake-homograph-domains-iincrease/):

In this article, I found a link to a very detailed report from Farsight Security about Punycode threat: https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/

There is a lot of info with examples of phishing sites like: Poloniex, Facebook, Kraken, Bittrex, Coinbase and more, even with working SSL certificates.

DON'T USE ANY OF THESE LINKS - MALICIOUS WEBPAGES!!!

Quote
Appendix B: Suspicious IDNs
The following are a subset of the IDNs we observed.
ns1.xn--aobe-l6b.com.                 -->        ns1.aɗobe.com.
ns2.xn--aobe-l6b.com.                 -->        ns2.aɗobe.com.
mail.xn--adoe-x34a.com.               -->    mail.adoḅe.com.
xn--adob-yva.com.                     -->    adobė.com.
xn--adoe-x34a.com.                    -->    adoḅe.com.
xn--aobe-qua.com.                     -->    aďobe.com.
xn--dobe-p5b.com.                     -->    ɑdobe.com.
APPLE

mail.xn--pple-zna.com.                -->        mail.àpple.com.
ns1.xn--appl-ou5a.com.                -->        ns1.applẹ.com.
ns2.xn--appl-ou5a.com.                -->        ns2.applẹ.com.
www.xn--le-m1aa24e.com.               -->        www.ɑƿƿle.com.
www.xn--pple-9na.cf.                  -->        www.âpple.cf.
www.xn--ppl-hla7b.cf.                 -->        www.âpplê.cf.
xn--ppl-hla7b.cf.                     -->        âpplê.cf.
www.xn--app-mra30o.com.               -->        www.appɩė.com.
xn--aple-csa.com.                     -->        apþle.com.
xn--appl-8va.com.                     -->        applę.com.
xn--appl-yva.com.                     -->        applė.com.
www.xn--le-m1aa24e.com.               -->        www.ɑƿƿle.com.
AMAZON

www.xn--amazo-7l1b.com.               -->        www.amazoṇ.com.
www.xn--amazo-vl1b.com.               -->        www.amazoṅ.com.
www.xn--amzon-ucc.com.                -->        www.amȧzon.com.
www.xn--mazon-2qa.de.                 -->        www.âmazon.de.
www.xn--mazon-2qa.eu.                 -->        www.âmazon.eu.
www.xn--mazon-wqa.com.                -->        www.ámazon.com.
www.xn--mzn-plab3i.com.               -->        www.ämäzön.com.
xn--amaon-6y1b.com.                   -->        amaẓon.com.
xn--amaon-7hb.com.                    -->        amaźon.com.
xn--amazo-sta.com.                    -->        amazoñ.com.
xn--amazo-vl1b.com.                   -->        amazoṅ.com.
xn--amzon-sqa.com.                    -->        amàzon.com.
xn--amzon-ucc.com.                    -->        amȧzon.com.
BANK OF AMERICA

www.xn--bakofamerica-qfc.com.         -->        www.baŋkofamerica.com.
mail.xn--bnkofmeric-q5aef.com.        -->    mail.bänkofämericä.com.
secure.xn--bakofamerica-qfc.com.      -->    secure.baŋkofamerica.com.
www.xn--ankofamerica-70c.com.         -->    www.ƅankofamerica.com.
www.xn--bakofamerica-qfc.com.         -->    www.baŋkofamerica.com.
www.xn--banofamerica-p7b.com.         -->    www.banĸofamerica.com.
www.xn--bnkofamerica-pob.com.         -->    www.bąnkofamerica.com.
www.xn--bnkofmeric-ggeef.com.         -->    www.bɑnkofɑmericɑ.com.
www.xn--bnkofmeric-q5aef.com.         -->    www.bänkofämericä.com.
xn--ankofamerica-70c.com.             -->    ƅankofamerica.com.
xn--bakofamerica-qfc.com.             -->    baŋkofamerica.com.
xn--banofamerica-p7b.com.             -->    banĸofamerica.com.
xn--bnkofamerica-pob.com.             -->    bąnkofamerica.com.
xn--bnkofmeric-ggeef.com.             -->    bɑnkofɑmericɑ.com.
xn--bnkofmeric-q5aef.com.             -->        bänkofämericä.com.
BITTREX

xn--bitrex-rkb.com.                   -->        bitţrex.com.
xn--bittex-zx7b.com.                  -->        bittṛex.com.
xn--bittrx-7ua.com.                   -->        bittrèx.com.
www.xn--bitrex-rkb.com.               -->        www.bitţrex.com.
www.xn--bittrx-7ua.com.               -->        www.bittrèx.com.
xn--ittrex-hrb.com.                   -->        ƅittrex.com.
www.xn--ittrex-hrb.com.               -->        www.ƅittrex.com.
xn--bttx-vpa4unq.com                  -->        bíttŕēx.com
CISCO

xn--csco-lza.com.                     -->        cısco.com.
xn--csco-qpa.com.                     -->        cìsco.com.
xn--csco-vpa.com.                     -->        císco.com.
xn--n1afa3fe.net.                     -->        cisco.net.
COINBASE

xn--cinbase-10a.com.                  -->         cõinbase.com.
xn--cinbase-90a.com.                  -->         cöinbase.com.
xn--cinbase-d0a.com.                  -->         còinbase.com.
xn--cinbase-t0a.com.                  -->         côinbase.com.
xn--coibase-6za.com.                  -->         coiñbase.com.
xn--coibase-r13c.com.                 -->         coiṇbase.com.
xn--coinbae-fqb.com.                  -->         coinbaşe.com.
xn--coinbas-8xa.com.                  -->         coinbasè.com.
xn--coinbas-pya.com.                  -->         coinbasê.com.
xn--coinbas-z8a.com.                  -->         coinbasė.com.
xn--coinbse-9wa.com.                  -->         coinbäse.com.
xn--coinbse-lwa.com.                  -->         coinbáse.com.
xn--conbase-0ya.com.                  -->         coìnbase.com.
xn--conbase-feb.com.                  -->         coīnbase.com.
xn--conbase-hza.com.                  -->         coînbase.com.
xn--conbase-pza.com.                  -->         coïnbase.com.
xn--conbase-sfb.com.                  -->         coınbase.com.
xn--oinbase-l5a.com.                  -->         ĉoinbase.com.
xn--oinbase-txa.com.                  -->         çoinbase.com.
CREDIT SUISSE

xn--crditsuisse-cbb.at.               -->         créditsuisse.at.
xn--crditsuisse-cbb.ch.               -->         créditsuisse.ch.
xn--crditsuisse-cbb.com.              -->         créditsuisse.com.
xn--crditsuisse-cbb.de.               -->         créditsuisse.de.
xn--crditsuisse-cbb.dk.               -->         créditsuisse.dk.
xn--crditsuisse-cbb.eu.               -->         créditsuisse.eu.
xn--crditsuisse-cbb.net.              -->         créditsuisse.net.
xn--crdit-suisse-ceb.at.              -->         crédit-suisse.at.
xn--crdit-suisse-ceb.ch.              -->         crédit-suisse.ch.
xn--crdit-suisse-ceb.com.             -->         crédit-suisse.com.
xn--crdit-suisse-ceb.de.              -->         crédit-suisse.de.
xn--crdit-suisse-ceb.dk.              -->         crédit-suisse.dk.
xn--crdit-suisse-ceb.net.             -->         crédit-suisse.net.
xn--credit-sisse-klb.com.             -->         credit-süisse.com.
EBAY

xn--bay-ema.com.                      -->         êbay.com.
xn--eby-fla.com.                      -->         ebáy.com.
xn--eby-bla.com.                      -->         ebày.com.
xn--eby-hsb.com.                      -->         ebɑy.com.
xn--eby-jla.com.                      -->         ebây.com.
xn--80aj7b8a.com.                     -->         eьay.com.
FACEBOOK

www.xn--acebook-js3c.com.             -->         www.ḟacebook.com.
www.xn--acebook-w1b.net.              -->         www.ƒacebook.net.
www.xn--aceook-dg7b2i.com.            -->         www.ḟaceḃook.com.
xn--acebook-js3c.com.                 -->         ḟacebook.com.
xn--aceook-dg7b2i.com.                -->         ḟaceḃook.com.
xn--faboo-5xa8ftm.eu.                 -->         faċėbooķ.eu.
xn--fabook-qva9w.eu.                  -->         faċëbook.eu.
xn--facboo-k4a3x.eu.                  -->         facėbooķ.eu.
xn--facbook-4xa.com.                  -->         facèbook.com.
xn--facbook-lya.fr.                   -->         facêbook.fr.
xn--facbook-v8a.eu.                   -->         facėbook.eu.
xn--facebok-50a.fr.                   -->         facebõok.fr.
xn--facebok-60a.tk.                   -->         faceboõk.tk.
xn--facebok-h0a.eu.                   -->         facebòok.eu.
xn--facebok-x0a.fr.                   -->         facebôok.fr.
xn--faceboo-jhb.com.                  -->         facebooĸ.com.
xn--faceboo-jhb.net.                  -->         facebooĸ.net.
xn--faceook-pm3c.com.                 -->         faceḅook.com.
xn--faebok-xua7j.fr.                  -->         façeboök.fr.
xn--faebook-35a.com.                  -->         faċebook.com.
xn--fcbook-w0a9l.eu.                  -->         fącėbook.eu.
xn--fcebook-8va.com.                  -->         fàcebook.com.
xn--fceboo-w0a91b.eu.                 -->         fącebooķ.eu.
www.xn--fabook-41a0h.eu.              -->         www.faċėbook.eu.
www.xn--fabook-xua89a.eu.             -->         www.façėbook.eu.
www.xn--facebok-60a.tk.               -->         www.faceboõk.tk.
www.xn--facebok-e1a.com.              -->         www.faceböok.com.
www.xn--facebok-h0a.fr.               -->         www.facebòok.fr.
www.xn--facebok-i0a.eu.               -->         www.faceboòk.eu.
www.xn--faceok-sg7bq0e.com.           -->         www.faceḅọok.com.
www.xn--faceook-1yb.com.              -->         www.faceƅook.com.
www.xn--faebook-35a.com.              -->         www.faċebook.com.
www.xn--faebook-64a.eu.               -->         www.faćebook.eu.
www.xn--fcebook-s3a.tk.               -->         www.fācebook.tk.
m.xn--80akppap2f62a.com.              -->         m.ғaceьooк.com.
xn--80akppap2f62a.com.                -->         ғaceьooк.com.
GOOGLE

www.xn--oole-9pb06e.com.              -->        www.ǥooɡle.com.
ww25.xn--gogle-uob.com.               -->        ww25.gơogle.com.
xn--ggle-lqaa.com.                    -->        gòògle.com.
xn--gogl-1nd42e.com.                  -->        google.com.
xn--gogle-7ta.com.                    -->        goôgle.com.
xn--gogle-jua.com.                    -->        göogle.com.
xn--gogle-kua.com.                    -->        goögle.com.
xn--gogle-uta.com.                    -->        gòogle.com.
xn--gogle-vob.com.                    -->        goơgle.com.
xn--googl-n0a.com.                    -->        googlę.com.
xn--oogl-epa71n.com.                  -->        ǵooglé.com.
xn--oogle-v1a.xyz.                    -->        ġoogle.xyz.
xn--oole-9pb06e.com.                  -->        ǥooɡle.com.
www.xn--ggl-8la1ca.com.               -->        www.gòòglè.com.
www.xn--ggle-lqaa.com.                -->        www.gòògle.com.
www.xn--gogle-uta.com.                -->        www.gòogle.com.
www.xn--googl-n0a.com.                -->        www.googlę.com.
KRAKEN

xn--80afhrc5a.com.                    -->    кгaкeп.com.
xn--krken-nra.com.                    -->    kråken.com.
xn--raken-gnb.com.                    -->    ƙraken.com.
xn--raken-n5a.com.                    -->    ķraken.com.
MICROSOFT

ww8.xn--mcrosoft-tkb.com.             -->        ww8.mıcrosoft.com.
www.xn--mcrosoft-c2a.es.              -->        www.mícrosoft.es.
windows.xn--mcrosoft-c2a.com.         -->    windows.mícrosoft.com.
ww8.xn--mcrosoft-tkb.com.             -->    ww8.mıcrosoft.com.
www.xn--icrosoft-g89c.com.            -->    www.ṃicrosoft.com.
www.xn--mcosoft-rfb211a.com.          -->    www.mıcɾosoft.com.
www.xn--mcrosof-7ya00i.com.           -->    www.mícrosofť.com.
www.xn--mcrosoft-21a.ch.              -->    www.mìcrosoft.ch.
www.xn--mcrosoft-21a.com.             -->    www.mìcrosoft.com.
www.xn--mcrosoft-21a.eu.              -->    www.mìcrosoft.eu.
www.xn--mcrosoft-21a.fr.              -->    www.mìcrosoft.fr.
www.xn--mcrosoft-9ib.com.             -->    www.mīcrosoft.com.
www.xn--mcrosoft-c2a.com.             -->    www.mícrosoft.com.
www.xn--mcrosoft-c2a.de.              -->    www.mícrosoft.de.
www.xn--mcrosoft-c2a.es.              -->    www.mícrosoft.es.
www.xn--mcrosoft-c2a.eu.              -->    www.mícrosoft.eu.
www.xn--mcrosoft-g80d.com.            -->    www.mịcrosoft.com.
www.xn--mcrosoft-l2a.com.             -->    www.mîcrosoft.com.
www.xn--mcrosoft-tkb.com.             -->    www.mıcrosoft.com.
www.xn--mcrosoft-tkb.de.              -->    www.mıcrosoft.de.
www.xn--mcrosoft-u2a.com.             -->    www.mïcrosoft.com.
www.xn--microsft-03a.com.             -->    www.microsóft.com.
www.xn--microsft-9fd.com.             -->    www.microsȯft.com.
www.xn--microsot-ez9c.com.            -->    www.microsoḟt.com.
www.xn--microsot-x9b.com.             -->    www.microsoƒt.com.
www.xn--micrsoft-y3a.com.             -->    www.micrósoft.com.
xn--icrosoft-g89c.com.                -->    ṃicrosoft.com.
xn--mcosoft-rfb211a.com.              -->    mıcɾosoft.com.
xn--mcrosof-7ya00i.com.               -->    mícrosofť.com.
xn--mcrosoft-21a.ch.                  -->    mìcrosoft.ch.
xn--mcrosoft-21a.com.                 -->    mìcrosoft.com.
xn--mcrosoft-21a.eu.                  -->    mìcrosoft.eu.
xn--mcrosoft-21a.fr.                  -->    mìcrosoft.fr.
xn--mcrosoft-9ib.com.                 -->    mīcrosoft.com.
xn--mcrosoft-c2a.com.                 -->    mícrosoft.com.
xn--mcrosoft-c2a.de.                  -->    mícrosoft.de.
xn--mcrosoft-c2a.es.                  -->    mícrosoft.es.
xn--mcrosoft-g80d.com.                -->    mịcrosoft.com.
xn--mcrosoft-l2a.com.                 -->    mîcrosoft.com.
xn--mcrosoft-tkb.com.                 -->    mıcrosoft.com.
xn--mcrosoft-tkb.de.                  -->    mıcrosoft.de.
xn--mcrosoft-u2a.com.                 -->    mïcrosoft.com.
xn--micosoft-i0d.com.                 -->    micɾosoft.com.
xn--microoft-l9c.com.                 -->    microșoft.com.
xn--microsft-03a.com.                 -->    microsóft.com.
xn--microsft-9fd.com.                 -->    microsȯft.com.
xn--microsof-eyb.com.                 -->    microsofť.com.
xn--microsof-hk0d.com.                -->    microsofṭ.com.
xn--microsot-ez9c.com.                -->    microsoḟt.com.
xn--microsot-x9b.com.                 -->    microsoƒt.com.
xn--micrsoft-y3a.com.                 -->    micrósoft.com.
NETFLIX

xn--etflix-vwa.com.                   -->        ñetflix.com.
www.xn--netflx-0va.com.               -->        www.netflìx.com.
ns1.xn--ntflix-iva.com.               -->    ns1.nêtflix.com.
ns2.xn--ntflix-iva.com.               -->    ns2.nêtflix.com.
ww1.xn--etflix-vwa.com.               -->    ww1.ñetflix.com.
ww35.xn--etflix-vwa.com.              -->    ww35.ñetflix.com.
ww8.xn--etflix-vwa.com.               -->    ww8.ñetflix.com.
www.xn--etflix-vwa.com.               -->    www.ñetflix.com.
www.xn--netflx-0va.com.               -->    www.netflìx.com.
www.xn--netflx-7va.com.               -->    www.netflíx.com.
www.xn--netflx-7va.eu.                -->    www.netflíx.eu.
www.xn--netflx-f9a.com.               -->    www.netflįx.com.
www.xn--netflx-mwa.com.               -->    www.netflïx.com.
www.xn--netflx-t9a.com.               -->    www.netflıx.com.
www.xn--netlix-5tb.com.               -->    www.netƒlix.com.
www.xn--ntflix-bva.com.               -->    www.nétflix.com.
www.xn--ntflix-i4a.com.               -->    www.nėtflix.com.
www.xn--ntflix-iva.com.               -->    www.nêtflix.com.
xn--etflix-vwa.com.                   -->    ñetflix.com.
xn--netflx-0va.com.                   -->    netflìx.com.
xn--netflx-7va.com.                   -->    netflíx.com.
xn--netflx-7va.eu.                    -->    netflíx.eu.
xn--netflx-f9a.com.                   -->    netflįx.com.
xn--netflx-mwa.com.                   -->    netflïx.com.
xn--netflx-t9a.com.                   -->    netflıx.com.
xn--netlix-5tb.com.                   -->    netƒlix.com.
xn--ntflix-bva.com.                   -->    nétflix.com.
xn--ntflix-i4a.com.                   -->    nėtflix.com.
xn--ntflix-iva.com.                   -->    nêtflix.com.
NEW YORK TIMES

xn--nytmes-5va.com.                   -->    nytímes.com.
xn--nytmes-dwa.com.                   -->    nytîmes.com.
xn--nytmes-yk8b.com.                  -->    nytỉmes.com.
xn--nytmes-yva.com.                   -->    nytìmes.com.
xn--ytimes-vwa.com.                   -->    ñytimes.com.
POLONIEX

xn--polonex-3ya.com.                  -->       polonìex.com.
xn--oloiex-yt7b2e.com.                -->   ṗoloṇiex.com.
xn--oloniex-c53c.com.                 -->   ṗoloniex.com.
xn--plonex-6va6c.com.                 -->   pôloníex.com.
xn--ploniex-l0a.com.                  -->   póloniex.com.
xn--polniex-ex4c.com.                 -->   polọniex.com.
xn--polniex-n0a.com.                  -->   polóniex.com.
xn--poloiex-s13c.com.                 -->   poloṇiex.com.
xn--polonex-cza.com.                  -->   poloníex.com.
xn--polonex-ffb.com.                  -->   polonįex.com.
xn--polonex-ieb.com.                  -->   polonīex.com.
xn--polonex-kza.com.                  -->   polonîex.com.
xn--polonex-sza.com.                  -->   polonïex.com.
xn--polonex-vfb.com.                  -->   polonıex.com.
xn--polonex-zw4c.com.                 -->   polonịex.com.
xn--polonix-ws4c.com.                 -->   poloniẹx.com.
xn--polonix-y8a.com.                  -->   poloniėx.com.
xn--pooniex-ojb.com.                  -->   połoniex.com.
TWITTER

www.xn--twittr-7ua.tv.                -->        www.twittèr.tv.
www.xn--twittr-mva.tv.                -->        www.twittêr.tv.
www.xn--twittr-tva.net.               -->        www.twittër.net.
www.xn--twtter-4va.net.               -->        www.twítter.net.
xn--twtter-cwa.com.                   -->        twîtter.com.
xn--twtter-q9a.net.                   -->        twıtter.net.
xn--twttr-7raz.com.                   -->        twìttèr.com.
xn--e1azaa2a9b5b.com.                 -->        тшiттeя.com.
WALMART

xn--wlmart-ita.com.                   -->        wàlmart.com.
xn--walmrt-lta.com.                   -->        walmàrt.com.
xn--wlmart-bua.com.                   -->        wälmart.com.
xn--wlmart-ita.com.                   -->        wàlmart.com.
xn--wlmart-pta.com.                   -->        wálmart.com.
WELLSFARGO

xn--wellsfarg-3mc.com.                -->        wellsfargơ.com.
xn--wellsfarg-e7a.com.                -->        wellsfargó.com.
xn--wellsfarg-tl7d.com.               -->        wellsfargọ.com.
xn--wellsfrgo-51a.com.                -->        wellsfárgo.com.
YAHOO

news.xn--yah-inaa.es.                 -->        news.yahóó.es.
news.xn--yaho-7qa.biz.                -->        news.yahöo.biz.
news.xn--yaho-7qa.info.               -->        news.yahöo.info.
news.xn--yaho-8qa.biz.                -->        news.yahoö.biz.
news.xn--yaho-nqa.com.                -->        news.yahòo.com.
news.xn--yaho-sqa.es.                 -->        news.yahóo.es.
news.xn--yaho-tqa.es.                 -->        news.yahoó.es.
news.xn--yaho-tqa.org.                -->        news.yahoó.org.
news.xn--yah-unaa.biz.                -->        news.yahöö.biz.
news.xn--yah-unaa.info.               -->        news.yahöö.info.
test.xn--yaho-7qa.biz.                -->        test.yahöo.biz.
test.xn--yaho-7qa.de.                 -->        test.yahöo.de.
test.xn--yaho-8qa.biz.                -->        test.yahoö.biz.
test.xn--yaho-8qa.info.               -->        test.yahoö.info.
test.xn--yaho-sqa.org.                -->        test.yahóo.org.
test.xn--yaho-tqa.com.                -->        test.yahoó.com.
test.xn--yaho-tqa.es.                 -->        test.yahoó.es.
test.xn--yaho-tqa.org.                -->        test.yahoó.org.
test.xn--yaho-yqa.com.                -->        test.yahoô.com.
test.xn--yah-unaa.info.               -->        test.yahöö.info.
wp.xn--yah-inaa.org.                  -->        wp.yahóó.org.
wp.xn--yaho-7qa.biz.                  -->        wp.yahöo.biz.
wp.xn--yaho-7qa.de.                   -->        wp.yahöo.de.
wp.xn--yaho-8qa.biz.                  -->        wp.yahoö.biz.
wp.xn--yaho-8qa.de.                   -->        wp.yahoö.de.
wp.xn--yaho-8qa.info.                 -->        wp.yahoö.info.
wp.xn--yaho-nqa.com.                  -->        wp.yahòo.com.
wp.xn--yaho-tqa.org.                  -->        wp.yahoó.org.
wp.xn--yaho-yqa.com.                  -->        wp.yahoô.com.
ww8.xn--yaho-yqa.com.                 -->        ww8.yahoô.com.
www.xn--yah-inaa.es.                  -->        www.yahóó.es.
www.xn--yah-inaa.org.                 -->        www.yahóó.org.
www.xn--yaho-7qa.biz.                 -->        www.yahöo.biz.
www.xn--yaho-7qa.de.                  -->        www.yahöo.de.
www.xn--yaho-7qa.info.                -->        www.yahöo.info.
www.xn--yaho-8qa.biz.                 -->        www.yahoö.biz.
www.xn--yaho-8qa.info.                -->        www.yahoö.info.
www.xn--yaho-nqa.com.                 -->        www.yahòo.com.
www.xn--yaho-ogb.com.                 -->        www.yahoơ.com.
www.xn--yaho-tqa.com.                 -->        www.yahoó.com.
www.xn--yaho-tqa.es.                  -->        www.yahoó.es.
www.xn--yaho-x0b.com.                 -->        www.yahȯo.com.
www.xn--yah-unaa.biz.                 -->        www.yahöö.biz.
www.xn--yah-unaa.info.                -->        www.yahöö.info.
www.xn--yaoo-674a.com.                -->        www.yaḣoo.com.
www.xn--yaoo-6xa.com.                 -->        www.yaħoo.com.
xn--ahoo-4ra.com.                     -->        ýahoo.com.
xn--yah-inaa.es.                      -->        yahóó.es.
xn--yaho-7qa.biz.                     -->        yahöo.biz.
xn--yaho-7qa.info.                    -->        yahöo.info.
xn--yaho-8qa.info.                    -->        yahoö.info.
xn--yaho-nqa.com.                     -->        yahòo.com.
xn--yaho-ogb.com.                     -->        yahoơ.com.
xn--yaho-sqa.org.                     -->        yahóo.org.
xn--yaho-tqa.es.                      -->        yahoó.es.
xn--yaho-tqa.org.                     -->        yahoó.org.
xn--yaho-x0b.com.                     -->        yahȯo.com.
xn--yaho-yqa.com.                     -->        yahoô.com.
xn--yah-unaa.biz.                     -->        yahöö.biz.
xn--yah-unaa.info.                    -->        yahöö.info.
xn--yhoo-0na.com.                     -->        yàhoo.com.
xn--yhoo-loa.info.                    -->        yähoo.info.
xn--yho-qla5g.info.                   -->        yähöo.info.
xn--yho-qla6g.info.                   -->        yähoö.info.
WIKIPEDIA

xn--wiipedia-nmb.com.                 -->    wiĸipedia.com.
xn--wikipdia-50a.cat.                 -->    wikipèdia.cat.
xn--wikipdia-f1a.com.                 -->    wikipédia.com.
xn--wikipdia-f1a.net.                 -->    wikipédia.net.
xn--wikipdia-f1a.org.                 -->    wikipédia.org.
xn--wikipeda-81a.com.                 -->    wikipedìa.com.
xn--wikipeda-i2a.org.                 -->    wikipedía.org.
xn--wikpedia-e2a.org.                 -->    wikípedia.org.
xn--wkipeda-rfbf.com.                 -->    wıkipedıa.com.
xn--wkipedia-c2a.org.                 -->    wíkipedia.org.
xn--wkipedia-u2a.com.                 -->    wïkipedia.com.
xn--wkpedia-7yab.org.                 -->    wíkípedia.org.
xn--wkpedia-rfbb.com.                 -->    wıkıpedia.com.
xn--wkpedia-zyab.com.                 -->    wìkìpedia.com.
YANDEX

www.xn--yande-vx1b.com.               -->        www.yandeẋ.com.
www.xn--yanex-vb1b.com.               -->        www.yanḋex.com.
www.xn--yndex-0jc.com.                -->        www.yɑndex.com.
xn--yande-uze.ru.ru.                  -->        yandex.ru.ru.
xn--yndex-3wa.com.                    -->        yąndex.com.
YOUTUBE

xn--yotube-jnb.com.                   -->        yoűtube.com.
xn--youtub-nva.com.                   -->        youtubê.com.
xn--youtue-7g7b.com.                  -->        youtuḇe.com.
ww11.xn--yotube-jya.com.              -->        ww11.yoùtube.com.
ww43.xn--yotube-4ya.com.              -->        ww43.yoütube.com.
www.xn--yotube-4ya.com.               -->        www.yoütube.com.
www.xn--youtue-7g7b.com.              -->        www.youtuḇe.com.
www.xn--youube-kmc.com.               -->        www.youțube.com.
xn--outube-9ya.com.                   -->        ýoutube.com.
www.xn--outube-9s8b.com.              -->        www.ỳoutube.com.
www.xn--outube-9ya.de.                -->        www.ýoutube.de.
MISC: LUXURY BRANDS

www.xn--gucc-tpa.com.                 -->        www.guccì.com.
xn--gucc-tpa.com.                     -->        guccì.com.
xn--herms-7ra.com.                    -->        hermès.com.
www.xn--herms-7ra.fr.                 -->        www.hermès.fr.
www.xn--lousvuitton-qcb.com.          -->        www.louísvuitton.com.
MISC: SOCIAL PLATFORMS

xn--nstagram-11a.com.                 -->        ìnstagram.com.
xn--nstagram-skb.com.                 -->        ınstagram.com.
www.xn--nstagram-skb.com.             -->        www.ınstagram.com.
xn--istagram-7pb.com.                 -->        iņstagram.com.
www.xn--imgu-t4a.com.                 -->        www.imguŕ.com.
xn--imgr-sra.com.                     -->        imgúr.com.
xn--whatspp-lwa.com.                  -->        whatsápp.com.
xn--whtspp-cxcc.com.                  -->        whɑtsɑpp.com.
legendary
Activity: 2268
Merit: 18711
Why would the value be set on False by default if this is a well known security issue?
Because Firefox serves a global audience, and not everyone speaks English. There are plenty of sites out there in various languages which use characters such as é, ö, ß, ü and so forth. To change all those sites to something like xn--abc123de would not only put those users at risk of attack (compare xn--abc123de and xn--abc123be, for example) but would also be massively impractical for anyone who uses these characters.
legendary
Activity: 2730
Merit: 7065
Strange that Firefox requires a manual override; most people will not perform it due to lack of awareness.
You are right, it really is strange. Why would the value be set on False by default if this is a well known security issue?
Does anyone know if there are any advantages of keeping this option on False that would cause Firefox not to set it at True by default? 
legendary
Activity: 2576
Merit: 1655
Pages:
Jump to: