Security: How does Mojeek handle Punycodes in URLs?

Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open-source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which when viewed in an address bar appears to be the genuine Keepass site.

If you look at the image in the Ars article, the URL in the advertisement in Google Search uses a normal k instead of the ķ with an accent on the bottom.

I am already aware of IDN homograph attacks, so I always enable network.IDN_show_punycode in about:config so that Firefox always displays the URL in ASCII rather than Unicode. The implementation leaves a lot to be desired, but it works:

Obviously, you can’t restrict the Omnibar to only ASCII characters as it also doubles as a search bar for most people (an aspect I hate about modern browsers), and some people type with characters that only exist in Unicode to search, like: 私の推しは悪役令嬢のアニメ感想. But it at least tells you what the actual URL is with the punycode displayed below the bar.

Nonetheless, this means very little if the search engine you’re using doesn’t display the punycode in the results. We know Google doesn’t display the punycode, but what does Mojeek do? I don’t see any reason why search engines shouldn’t just display the punycode at all times.

Also, I don’t know of a way to force showing punycodes on a Chromium-based browser, but as I use them occasionally, could anyone help me with enabling a flag for that?


Our approach is not to index them. We’ve discussed this a few times before but for now we’re focussing on the large quantity of non-punycode URLs.

That’s not to say that we’d never look at this area, but this is the first time a question has been asked about it, so it’s not a priority at this time.


That sounds eminently reasonable. I searched for the fake keepass domain and couldn’t find it, and now I know why.

It’s reassuring to know I don’t need to worry about this at all. Keep up the great work!