DEV Community

Cover image for One of these two apple.com domains is fake
Pieter D
Pieter D

Posted on • Updated on

One of these two apple.com domains is fake

Five years ago, a security researcher registered a fake domain that is indistinguishable from apple.com. Chrome released a patch so people would be able to tell the difference. After an intense discussion and careful consideration, Firefox decided not to fix it. That's why the current version of Firefox still displays both domain as identical. What happened?

If you are reading this - and I have a hunch that you are - you know the basic Latin alphabet. What you might not think about every day is that lots of different alphabets are used across the world. Even within the Latin script, there are different alphabet flavors containing characters like ü, à, î, ł or ñ. Similarly, there is the Cyrillic script. It also has a lot of regional variations.

Latin and Cyrillic have some overlap. In some fonts, the lowercase Latin A happens to look exactly like the lowercase Cyrillic A. Same with the lowercase Latin P and the lowercase Cyrillic R. That's how I can write apple.com and аррӏе.com with different characters, and have them look identical in some fonts.

Analysis of the characters in the Cyrillic apple.com domain name

To help people recognize the difference, Chrome wrote a patch. Since then, domain names under Latin-character TLDs that consist only of Cyrillic lookalike characters now look different than the Latin domain. It now renders the fake apple.com domain name as xn--80ak6aa92e.com.

Firefox took a stance against the fix. Their reasoning is explained in the video, and they do have a point. The gist of it is that they want to treat Latin and Cyrillic as equals, and automatically treating either the Latin or Cyrillic variant as suspicious would go against that. They also argue that it's the .com registry's job to prevent the registration of lookalike domain names, which the registry isn't doing. Plus, Firefox still has Phishing Protection as a final line of defense.

So that's why five years later, you can still access the fake domain name in Firefox. Meanwhile, the fake domain hasn't been claimed by Apple, nor has it been taken offline by its domain registrar. Presumably, it's because it isn't actively trying to scam anyone. But it serves as a reminder that we have a lot of alphabets on this planet and that sometimes, this causes sticky situations.

Discussion (1)

Collapse
ozodimgba profile image
Ozodimgba

I believe Firefox did the right thing