Interestingly I now can see the slight "dot" below the "n" in bitmaiṇ.com . This dot is very small and looks almost like piece of dust on the screen. 

So visually the bad domain is BARELY detectable. Chrome needs a better way to notify users of this or at least give options here. The dot is too small to detect by many people with good eyesight and is too easy to miss.

Ugh, I actually got caught by this today and lost some BTC. Stupid for me not further validating things, but I got caught by a Facebook ad that looked legit, and excited that they had released the S9 so jumped at it. Didn't pause to check the SSL cert (which was CloudFlare), and the domain NEVER displayed as punycode, so this cost me $2k. My own stupidity, but really frustrated that the IDN punycode protection didn't kick in. 

I have a 4k display and only after closer inspection did I notice the dot under the n. Brutal. 

I agree this is an exploit used by the individuals to make the website seem legitimate. Unicode characters may not be used in URI's as mentioned in RFC3986. As chrome has addressed this issue in  Issue 683314  this should be reviews immediately to avoid future scams. As I have lost $10,000 due to this bug. I know that it is good practice to check the certificate of the website but when was the last time you checked the Common Name of a certificate when the URL is correct and using HTTPS? Which average individual knows how to view and check certificates?

Is there anything I can do for my loss due to this bug?
Thank you Devs
arsen@d2code.com

Thanks for filing the issue!

As this issue is related to Unicode, requesting @jshin for a confirmation.
@jshin: Could you please confirm whether this is related/similar to https://bugs.chromium.org/p/chromium/issues/detail?id=683314.

It is similar, but in the older  Issue 683314  addresses only perfect spoof characters. I believe that the unicode character ( ņ and n ) are quite similar. It is as display resolution, brightness and user's vision may affect the ability to notice such a small detail. This may also seem like a speck of dust on certain displays.

Thanks,
Arsen Hovhanissian

As the issue is related to Unicode and unable to access the URL's provided in Comment#0, hence adding label as TE-NeedsTriageHelp for further investigation.

jshin: Can you comment on whether an approach similar to your fix for  https://crbug.com/683314  would be appropriate here?

The malicious website is no longer hosted. I have a suggestion for a fix on this type of scenario.

Why  Issue 683314  Does not solve this problem:
Although the Alexa top 1000 are important to secure, this fix only solves one part of the problem.


Suggestion for fix:

The solution for  Issue 683314  should still remain in place for the Alexa top 1000 sites. As my proposed solution will cover an extensive proportion of domains.

I don't think that websites using unicode should be penalized by a warning. Although websites using unicode in different ranges should. If someone can provide me with a valid use case of using a Cyrillic character in an Latin/ascii url please specify. 

After putting quite some thought on what would be a FAIR, SECURE and SIMPLE solution. I came up with the following. Display warning when there is a mix of character in the URL bar. Therefore if special characters are used they must be of the same unicode range.

See https://unicode-table.com for more grouping/range information.

Please let me know your thoughts on my proposed solution for this issue.

Thank you,
Arsen Hovhanissian

#9 thanks for your proposal. Unfortunately, if I'm understanding correctly, we've already implemented this and it won't help in this case.

> Although websites using unicode in different ranges should.

Not clear what you mean by "different ranges", but I'm assuming you mean major script groups like Latin and Cyrillic. We already block URLs featuring characters from different script groups.

For example, if you had "bitmaiη.com" -- all Latin but with a Greek η (Eta), that would be blocked on the grounds that it's a mixed script.

However, bitmaiṇ.com is unfortunately all Latin. The ṇ is U+1E47 LATIN SMALL LETTER N WITH DOT BELOW, so the "block mixed scripts" approach doesn't work here. Unfortunately there would be no way to block such a domain unless we simply blacklisted that character.

Which isn't necessarily a bad idea. @jshin, is there any reason to allow Latin-letter-with-built-in-mark type characters in domains? Even the more common ones like 'é' (U+00E9 LATIN SMALL LETTER E WITH ACUTE) are surely best approximated in a domain name without the accent. (Note that we do not allow combining marks in domains, but we do allow code points that are basically just a letter with a built-in modifier.) Perhaps the ship has sailed on this, but it would be interesting to see what effect it would have if we blacklisted all such characters.

jshin: Did you mean to make this Assigned? Available issues are supposed to be ownerless.

Ah, I see that tommycli made jshin the owner. I'll assume he meant to assign it, then.

> it would be interesting to see what effect it would have if we blacklisted all such characters.

Well, Germans, Swede, Turkish, Vietnamese etc wouldn't like us :-) 

Anyway, it's  bug 770709 .