https://www.xn--80ak6aa92e.com/
regarding homographic or look-alike character attacks. As an American only fluent in English, I'm enormously more likely to encounter malicious content than content that is useful to me on internationalized domain names.
To make this less likely, you can set
network.IDN_show_punycode true
in about:config for Firefox, or in your profile directory you can create a user.js file and add this line:
user_pref("network.IDN_show_punycode", true);
https://cdn.pbrd.co/images/HxdrkES.png
In comparison, Firefox (for better or worse) consistently decodes it until you reach the certificate details window (which is like 4 levels deep in clicking).
https://cdn.pbrd.co/images/HxdsqId.png
But Edge (and IE apparently) have another trick up their sleeve, something that I really wish Firefox would also adapt in some way: a small icon that shows that it is an IDN:
https://cdn.pbrd.co/images/HxdtJGD.png
Sure, it is pretty insignificant and kinda difficult to notice, so probably won't help much against scammers. But I think it is still pretty neat.
https://news.ycombinator.com/item?id=14130241
Another "fun" thing about IDN is that there are two incompatible versions:
Most of the problems with the full Unicode set can be sidestepped by a combination of UAX #31[1], NFKC[2], ignoring ligatures and digraphs[3], and following UTR #39[4].
Cyrillic apple.com is one of the few cases where it is still problematic and extra UI feedback would be needed.
[1]: http://unicode.org/reports/tr31/
[2]: http://unicode.org/reports/tr15/
Being careful to watch for changes to Unicode and new TLDs.
Maybe someone can write an npm module to figure out how many hundreds of domains you should get to cover the intersection of all possible TLDs, look-alikes, and typos.
> Please be aware that GNU libidn2 is the successor of GNU libidn. It comes with IDNA 2008 and TR46 implementation and also provides a compatibility layer for GNU libidn.
http://man7.org/linux/man-pages/man3/getaddrinfo.3.html (search for "Internationalized Domain Names")
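
Added example (not part of the thread and not any commenter's code): a sketch of the kind of check UTR #39 describes, showing why the Cyrillic apple.com label passes a mixed-script test and only a confusable-skeleton comparison catches it. The confusables map is a constructed subset, the script lookup via Unicode character names is an approximation, and all function names are hypothetical.

```python
import unicodedata

# Constructed subset of Cyrillic -> ASCII look-alikes (assumption; a real
# check would load the full confusables data published with UTS #39).
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (A-label -> U-label)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Approximate each character's script by the first word of its Unicode
    name (the stdlib has no Script property); digits and '-' are skipped."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if not (ch.isdigit() or ch == "-")}

def skeleton(label):
    """NFKC-normalise, then fold known look-alikes to ASCII."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in folded)

def assess(hostname):
    """Return (label, decoded, verdict) for every label of a hostname."""
    results = []
    for label in hostname.rstrip(".").split("."):
        decoded = decode_label(label)
        if decoded.isascii():
            verdict = "ascii"
        elif len(scripts(decoded)) > 1:
            verdict = "mixed-script"             # e.g. Cyrillic 'a' + Latin 'pple'
        elif skeleton(decoded).isascii():
            verdict = "whole-script-confusable"  # one script, reads as ASCII
        else:
            verdict = "single-script"            # ordinary non-Latin label
        results.append((label, decoded, verdict))
    return results

if __name__ == "__main__":
    # The first host is the one linked at the top of the thread.
    for host in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "example.com"):
        print(host, assess(host))
```

A label flagged `whole-script-confusable` is the case the thread calls out as needing extra UI feedback; `mixed-script` labels are the ones a script-mixing rule already rejects.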