This homograph problem is not new and has been worked on for well over a decade. Type "homograph attack" into your favorite search engine. But briefly:

1. You can type x.com and DNS (and other layers) can indeed redirect you to the Cyrillic x.com or anywhere they like. The primary defense you have against this is security layers such as SSL (https), which can, to some cryptographic certainty, verify who you finally connected to. Of course they are perfectly capable of responding, with great confidence, that you indeed have arrived at a site owned by some bad actor. SSL certificates are cheap, and even the most expensive only certify that you are indeed "Mr Bad Actor" and perhaps have managed to obtain some corporate credentials such as a DUNS number. Not a very exclusive club. And you'd have to be motivated to check that it's who you intended to connect to; none of this can read your mind. Maybe you do business with Mr Bad Actor, someone must.

2. When I said "attack" is in the eye of the beholder I was quite serious. For example, why SHOULDN'T Cyrillic X.com exist? Because you or some subset of the internet find it potentially confusing? We abandoned the notion that the internet is ASCII-only or even ISO/IEC 8859-1-only (aka Latin-1, which includes Western European characters such as umlauted u) many years ago. https://en.wikipedia.org/wiki/ISO/IEC_8859-1 One can assert "but I (or some other billions) must never be confused!" but, as they say, if wishes were horses... or perhaps, put better, this genie isn't likely going back in the bottle. The other choice is to somehow enforce against malicious uses rather than potentially malicious uses, which is another huge topic covering everything from "define malicious!" to "how, exactly, would you enforce this?"

3. A lot of this reduces to what's often called "reputational services": How do I verify (preferably with little effort) the reputation of some resource I am accessing?
Gratuitous anecdote: In 2003 I was one of two keynote speakers at the MIT Spam Conference. The other speaker's talk was about DKIM, a cryptographically based way to verify that an email has come from the signing party. I rudely (perhaps) asked at the end: how do I know I have only verified they are indeed Mr Bad Actor? And the speaker said: Reputational services! They are being developed and will augment this protocol to solve exactly that problem. 2003. Do you see any reputational services? I don't. Or not beyond some singular efforts where a search engine tries to flag a link as potentially malicious.

--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
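The Cyrillic x.com case from point 1 above, as an added example that is not part of Barry's post: a small Python check that renders a hostname in its punycode form (the form DNS actually resolves) and flags labels that mix scripts or consist entirely of Cyrillic letters with Latin lookalikes. The lookalike table and the sample hostnames are constructed for illustration; a real deployment would use the full Unicode confusables data.

```python
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin letters in most
# fonts. Constructed, deliberately small subset of the Unicode confusables list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def script_of(ch):
    """Crude script classifier: ASCII letters are Latin, digits/punctuation are
    Common, anything else takes the first word of its Unicode character name."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"

def analyse_label(label):
    """Return (verdict, detail) for a single DNS label."""
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) > 1:
        return "mixed-script", "+".join(sorted(scripts))
    letters = [c for c in label if c.isalpha()]
    if scripts == {"Cyrillic"} and letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
        # Every letter has a Latin twin, so the label renders like a Latin name.
        return "lookalike", "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    return "ok", "".join(sorted(scripts)) or "Common"

def analyse_hostname(host):
    """Punycode form plus a per-label verdict, suitable for a log line or warning."""
    punycode = host.encode("idna").decode("ascii")  # what the resolver really sees
    labels = [dict(zip(("label", "verdict", "detail"), (lab, *analyse_label(lab))))
              for lab in host.split(".")]
    return {"host": host, "punycode": punycode, "labels": labels}

if __name__ == "__main__":
    # Constructed samples: plain Latin, Cyrillic "x", and a Latin/Cyrillic mix.
    for h in ("x.com", "\u0445.com", "p\u0430ypal.com"):
        r = analyse_hostname(h)
        print(r["punycode"], [(l["verdict"], l["detail"]) for l in r["labels"]])
```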