Firefox Takes a Step to Stop Punycode Phishing Attacks

    Sometimes it seems like protecting online security gets more difficult by the day. One of the first protective measures that internet users learn is to look for “https” in a website’s address. Depending on the browser that you use, this type of address will show you the word “secure” or a green padlock.

    While this advice helps a lot of people avoid online scams, developers have known for a long time that it doesn’t eliminate the problem. Firefox has taken a step towards solving that problem with a new feature that will alert you when links use Punycode.

    The Basics of Punycode and Why the Internet Needs It

    You don’t have to get too technical to understand the basics of Punycode. To keep it as simple as possible, Punycode is a way to write website addresses that contain special characters. If you use English as your primary language, then you probably don’t encounter special characters often. Many people who speak one of the world’s other 7,101 languages, however, rely on letters with umlauts, tildes, graves, and other marks.

    The internet doesn’t always play well with languages other than English. The underlying technology that supports the internet, after all, was created by Americans who spoke English. To get around this problem, developers created Punycode as a way to create websites with names that don’t follow the standards of English.

    Punycode Can Trick Nearly Any Web Browser

    Punycode works well, but it creates a huge security gap that makes internet users vulnerable to phishing attacks. When making a Punycode domain name, you start the address with “xn.” A mess of letters and numbers usually follows the “xn.” When you click on a link, though, you never see the Punycode address. This gives scammers an opportunity to make fake sites look legitimate.

    Wordfence recently made a useful example of how Punycode phishing scams work. Wordfence used Punycode to create a domain name that looks like it takes users to Instead, it takes you to a fraudulent site that clearly has “” as its domain name. Visit Wordfence so you can see how easily this scam could trick you.

    The First Step Toward Stopping Punycode Phishing

    Firefox has taken the first step to stopping Punycode phishing scams. It’s not a user-friendly option, but it works. To activate the feature, open Firefox and type “about:config” into the address bar. You will get a long list of configuration options. Search for “punycode” to find a parameter called network.IDN_show_punycode. Double-clicking the word “false” will change it to “true” and turn on the new feature.

    From now on, when you use Firefox to visit a site that uses Punycode, you will see the Punycode name in the address box.
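
    To see the same thing outside the browser, the sketch below (an added example, not code from Firefox or Wordfence) takes a link and returns both the Punycode form of its host, recognizable by the "xn--" prefix on a label, and the Unicode form a browser may display, and warns when one label mixes alphabets. It uses Python's built-in punycode codec rather than full IDNA processing, and its look-alike domain is constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # prefix of a Punycode-encoded label in DNS

def to_ace(label):
    """Encode one Unicode label to its xn-- form (raw Punycode, no IDNA mapping)."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def to_unicode(label):
    """Decode an xn-- label; return it unchanged if it is not valid Punycode."""
    if not label.startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def inspect_host(url):
    """Return the host as DNS sees it, as a browser may render it, and warnings."""
    host = (urlsplit(url).hostname or "").lower()
    ascii_labels, shown_labels, warnings = [], [], []
    for label in host.split("."):
        ace, shown = to_ace(label), to_unicode(label)
        ascii_labels.append(ace)
        shown_labels.append(shown)
        if ace.startswith(ACE_PREFIX):
            warnings.append(f"{ace}: Punycode label")
            if len(scripts(shown)) > 1:
                warnings.append(f"{ace}: mixes {sorted(scripts(shown))}")
    return ".".join(ascii_labels), ".".join(shown_labels), warnings

if __name__ == "__main__":
    # Constructed sample: "example" with a Cyrillic "а" (U+0430) replacing the Latin "a".
    lookalike = to_ace("ex\u0430mple")
    for url in ("https://example.com/login", f"https://{lookalike}.com/login"):
        print(url, "->", inspect_host(url))
```

    A label written entirely in one non-Latin alphabet gets only the "Punycode label" warning, so the ASCII form in the first return value is still the thing to read, just as it is in Firefox's address box with the setting turned on.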

    Firefox’s addition to its browser won’t appeal to casual internet users who don’t like tinkering under the hood. Hopefully, the company will soon release an easier way to activate the feature. Even more hopefully, other browsers will follow Firefox’s lead by displaying Punycode addresses without any hassle.

    Image via Flickr by pj_vanf

    Matthew Thompson is a freelance writer in Louisville, KY. He enjoys writing about technology, politics, and dogs. Dogs should really be at the front of that list. Follow him @mallenthompson.