Security: How does Mojeek handle Punycodes in URLs?

Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

If you look at the image in the Ars article, the URL in the advertisement in Google Search uses a normal k instead of the ķ with an accent on the bottom.

I am already aware of IDN homograph attacks, so I always enable network.IDN_show_punycode in about:config so that Firefox always displays the URL in ASCII rather than Unicode. The implementation leaves a lot to be desired, but it works:

Obviously, you can’t restrict the Omnibar to only ASCII characters as it also doubles as a search bar for most people (an aspect I hate about modern browsers), and some people type with characters that only exist in Unicode to search, like: 私の推しは悪役令嬢のアニメ感想. But it at least tells you what the actual URL is with the punycode displayed below the bar.

Nonetheless, this means very little if the search engine you’re using doesn’t display the punycode in the results. We know Google doesn’t display the punycode, but what does Mojeek do? I don’t see any reason why search engines shouldn’t just display the punycode at all times.

Also, I don’t know of a way to force showing punycodes on a Chromium-based browser, but as I use them occasionally, could anyone help me with enabling a flag for that?

2 Likes
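As an added illustration of what "displaying the punycode" means in practice (example code, not part of this thread, Firefox or Mojeek): the script below converts a URL's host to its IDNA/Punycode form, the ASCII string that `network.IDN_show_punycode` makes Firefox show, and then applies two defender-side checks a search engine or browser could run on a result before rendering it: whether a non-ASCII label collapses to a plain ASCII name once accents are stripped, and whether a label mixes writing systems. The function names and the sample hosts are my own; `ķeepass.info` is the defanged domain quoted from the Ars article above, and `exаmple.com` (with a Cyrillic а) is a constructed look-alike.

```python
"""Show the Punycode (ASCII) form of a URL's host and flag labels that
look like plain ASCII names.  Added example, not Mojeek's or Firefox's code;
sample hosts are constructed, except the defanged ķeepass.info from the thread."""
import unicodedata
from urllib.parse import urlsplit, urlunsplit


def host_to_punycode(host: str) -> str:
    """Encode each label of a hostname with IDNA; ASCII labels are unchanged."""
    return host.encode("idna").decode("ascii")


def url_to_punycode(url: str) -> str:
    """Return the URL with its hostname replaced by the Punycode form,
    i.e. what the address bar shows once network.IDN_show_punycode is on."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    netloc = host_to_punycode(host)
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo = f"{userinfo}:{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit(parts._replace(netloc=netloc))


def ascii_skeleton(text: str) -> str:
    """Strip accents: decompose (NFKD), drop combining marks, keep only the
    ASCII characters that remain.  'ķeepass' -> 'keepass'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed
                   if not unicodedata.combining(ch) and ch.isascii())


def scripts_in(label: str) -> set:
    """Writing systems (LATIN, CYRILLIC, ...) used by the letters of a label,
    read from the first word of each character's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def homograph_findings(host: str) -> list:
    """Warnings for labels that are non-ASCII but map character-by-character
    onto an ASCII name, or that mix scripts.  Empty list = nothing suspicious."""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue
        # Per-character skeletons: only flag when *every* character has an
        # ASCII counterpart, so a Cyrillic letter is not silently dropped.
        per_char = [ascii_skeleton(ch) for ch in label]
        if all(per_char):
            findings.append(f"{label!r} resembles ASCII {''.join(per_char)!r}")
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{label!r} mixes scripts {sorted(scripts)}")
    return findings


if __name__ == "__main__":
    # Constructed sample result links, as a search engine might hold them.
    for url in ("https://mojeek.com/search?q=keepass",
                "https://ķeepass.info/",          # defanged domain from the thread
                "https://exаmple.com/login"):     # constructed, Cyrillic 'а'
        shown = url_to_punycode(url)
        print(f"{url}\n  display as: {shown}")
        for finding in homograph_findings(urlsplit(url).hostname):
            print(f"  warning: {finding}")
```

The accent-stripping check catches the `ķ` case from the article; the script-mixing check catches the other common trick, a Latin name with one letter swapped for a look-alike from another alphabet. Neither replaces showing the Punycode itself, which is the one representation that cannot be made to look like the real name.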

Our approach is not to index them. We’ve discussed this a few times before but for now we’re focussing on the large quantity of non-punycode URLs.

That’s not to say that we’d never look at this area, but this is the first time a question has been asked about it, so it’s not a priority at this time.

5 Likes

That sounds eminently reasonable. I searched for the fake keepass domain and couldn’t find it, and now I know why.

It’s reassuring to know I don’t need to worry about this at all. Keep up the great work!

3 Likes