this post was submitted on 22 Sep 2025
103 points (96.4% liked)

Technology

75472 readers
2575 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
103
Thoughts on Cloudflare (xn--gckvb8fzb.com)
submitted 3 days ago by Pro@programming.dev to c/technology@lemmy.world
24 comments fedilink hide all child comments
 

cross-posted from: https://programming.dev/post/37897811

you are viewing a single comment's thread
view the rest of the comments
[–] Auth@lemmy.world 47 points 3 days ago* (last edited 3 days ago) (2 children)

xn--gckvb8fzb

マリウス.com

Very interesting, today I learnt something cool and new ty

[–] sem@lemmy.blahaj.zone 15 points 2 days ago (1 children)

I've heard it's a security feature not ro render unicode in the url because otherwise people could use Unicode lookalike characters to spoof a domain.

[–] darklamer@lemmy.dbzer0.com 3 points 2 days ago (2 children)

The problem with that line of reasoning is that it ruins what's arguably the most important feature of DNS: providing human-readable names.

Using lookalike characters to deceive people has been a problem since long before anyone first got the idea to register paypa1.com but no-one ever seriously suggested abandoning human-readable names in order to avoid that problem.

[–] dreadbeef@lemmy.dbzer0.com 2 points 1 day ago (1 children)

The term "Human" does not include people who primarily read non latin-based languages silly

[–] darklamer@lemmy.dbzer0.com 3 points 1 day ago (1 children)

Note that everything outside of ASCII gets encoded in Punycode, so this also includes most languages written in the Latin script.

[–] dreadbeef@lemmy.dbzer0.com 1 points 1 day ago

Shit, I forgot that Human now just means the native English-speaking world.

[–] sem@lemmy.blahaj.zone 1 points 2 days ago (1 children)

Ideally they should show both side by side.

[–] darklamer@lemmy.dbzer0.com 2 points 1 day ago (1 children)

I'm unsure how that'd be useful to any normal user. Let's say the UI shows something like this:

A.com
Α.com (xn--mxa.com)
А.com (xn--80a.com)

What's the user supposed to do with that information, how would showing the Punycode here help any normal user determine which one of these domains is the right one that they want to visit?

Helping users identify the right domain name and avoid being deceived is surely a very important thing to do, I just find it hard to see how having users read Punycode would ever be a practically useful way to achieve that.

[–] sem@lemmy.blahaj.zone 1 points 1 day ago* (last edited 1 day ago) (1 children)

Let's say that I go to google.com. The UI shows https://google.com/ . No punycode because it is plain ascii. Everything is as expected.

Now let's say I click on a link for googӏe.com. The ui shows https://xn--googe-hof.com/ (googӏe.com) I'd be like, holy shit that is a shady URL!

That's how I imagine it helping, although I am not a UI expert. There could be a better way. But that googӏe.com scares me -- I can't visually tell that it is not a normal lowercase "l".

P.S. for the URL in question, https://xn--gckvb8fzb.com/ (マリウス.com) I imagine that if I went to it frequently, I might begin to recognize the punycode, sorta like how people recognize rickroll URLs.

[–] darklamer@lemmy.dbzer0.com 1 points 1 day ago* (last edited 1 day ago) (1 children)

But how would an average user know that xn--googe-hof.com isn't the right one?

[–] sem@lemmy.blahaj.zone 1 points 15 hours ago (1 children)

Because it does not match google.com

[–] darklamer@lemmy.dbzer0.com 1 points 13 hours ago (1 children)

But that line of reasoning presupposes both that the right name is in ASCII and that the user knows this. As soon as either one of those isn't true, showing the Punycode no longer is of any help in determining which one is the right one.

[–] sem@lemmy.blahaj.zone 1 points 10 hours ago (1 children)

For most security - centric websites, the right name is ASCII only.

For any that aren't, people would have the opportunity to become familiar with the correct fingerprint over time and have a chance to notice a difference.

I'm curious to hear if you think there is a better way. What I'm saying is unlikely to ever be implemented in a browser and I'm not trying to convince you or anything, just say why I personally would appreciate it.

[–] darklamer@lemmy.dbzer0.com 2 points 9 hours ago (1 children)

For most security - centric websites, the right name is ASCII only.

Are you perhaps by any chance American?

I’m curious to hear if you think there is a better way.

I think a much better solution would be to shield end users from this problem entirely, by having all registries refuse to register such confusable names, as recommended by Unicode:

https://www.unicode.org/reports/tr46/tr46-34.html#Registries

[–] sem@lemmy.blahaj.zone 1 points 6 hours ago

Yep. Do you all have important URLs with Unicode characters?

I think it would be great if registries screened registrations for confusable names. Even if they did though, I wouldn't expect them to succeed 100%

[–] cmgvd3lw@discuss.tchncs.de 3 points 2 days ago

NGL that is a beautiful website