rina's space
hiii! <3
february 19, 2025 @ 02:23 am | est. reading time: 3 - 4 mins | word count 663
the problems with cyrillic domain names
there is a little-known fact: domain names don't always need to be in latin script. this can cause problems no one likely thought about. so after killing off my previous website, i've temporarily set up this website under hoodie.lol, with a plan to eventually get a domain name with my name. as a speaker of a slavic language, out of boredom, i've looked into cyrillic idns. with my name being rina, i've chosen to look into what i can get under рина. i've found out рина.орг was available, so i decided to waste 10 euros and get it. i like this domain name. but this is where the potential confusion and problems begin. .орг is just the cyrillic for .org, a very popular domain name extension, and therefore rina.org (in latin script) has obviously been taken. rina.org is owned by rina s.p.a., an actual company/organization. so now we essentially have two different websites with basically the same domain name, just in different scripts (alphabets), which could cause confusion for both sides.
now, imagine someone wanting to visit the company's website but mistyping the domain name, or their device for some reason prioritizing cyrillic over latin script. instead of landing on an engineering firm's website, they'd end up on mine. not that there's anything remotely interesting on my website, but it's weird. like, you're expecting serious business stuff, and instead you land on some random person's half-baked project. could be worse tho. what if it was something malicious? phishing, scams, impersonation? whole lotta potential for problems here. i, obviously, am not (mis)using my domain for malicious stuff, but it is a possibility.
it could be even worse. it's both funny and sad at the same time, and also unsettling. what is unsettling? it is how visually similar some letters are. like, "р" (r) in cyrillic looks exactly like "p" (pee, [/p/]) in latin. some letters are nearly identical. for example а, a: here, one a is cyrillic, one is latin. similarly with о, o, again nearly identical! i bet you can't say which "o" was latin, and which is cyrillic! furthermore, cyrillic u (у) looks identical to the latin letter y. as you can see, there's a bunch of shit a bad actor could abuse. the main issue here is that most "normal" tlds also support non-latin characters to some degree. so if you only look at the surface, you might not even notice a difference. there's an entire category of domain abuse called homograph attacks, where bad actors register domains that look like trusted ones but actually aren't. a security researcher registered a "fake" аpple.com domain name to prove how this could be exploited. yes, that's a cyrillic а!
and it's not just about confusion: there are real-world consequences. actual people could get screwed over because companies don't bother securing 'similar enough' domains. but if they're not targeting a country that uses cyrillic, this is an easy oversight. thankfully, by now, most browsers will "break the illusion" if someone used mixed script. so, for example, that аpple.com will actually be displayed as xn--pple-43d.com, but domains that use one script consistently won't get that treatment. so your browser will display рина.орг, not xn--80appk.xn--c1avg. but this only works in browsers. someone could still send https://аpple.com/ as a link in an email, and most people wouldn't be able to tell the difference. hell, i can read cyrillic at a native level, i didn't learn it later in life, and even i cannot spot the damn difference. companies love to act like they're all about security, but they'll spend millions on nonsense while leaving obvious loopholes wide open. meanwhile, some random person clicks the wrong link, thinking they're logging into their account, and suddenly all their info is stolen.
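the browser rule described above (mixed script falls back to xn--, single script doesn't) can also be applied to links outside the browser, e.g. in a mail filter. this is an added example, not code from the original post; the function names and the small look-alike map are assumptions made up for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# constructed look-alike map (cyrillic -> latin): the letters named in this
# post plus a few more. a small subset, not the full unicode confusables table.
LOOKALIKES = dict(zip("\u0430\u043e\u0440\u0443\u0435\u0441\u0445", "aopyecx"))

def scripts(label):
    """set of scripts used by the letters of one label, e.g. {'CYRILLIC'}."""
    # unicode character names start with the script: "CYRILLIC SMALL LETTER A"
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def check_host(host):
    """per label: (unicode form, punycode form, verdict)."""
    report = []
    for label in host.lower().split("."):
        ascii_form = label.encode("idna").decode("ascii")
        used = scripts(label)
        letters = [ch for ch in label if ch.isalpha()]
        if len(used) > 1:
            verdict = "mixed-script"            # browsers fall back to xn--
        elif used == {"CYRILLIC"} and all(ch in LOOKALIKES for ch in letters):
            verdict = "whole-script-lookalike"  # one script, reads as latin
        elif used - {"LATIN"}:
            verdict = "non-latin"               # a normal idn label
        else:
            verdict = "latin"
        report.append((label, ascii_form, verdict))
    return report

def skeleton(label):
    """latin look-alike spelling, for comparing against domains you own."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)

def suspicious_links(urls):
    """(url, punycode host) for links a mail filter should show in xn-- form."""
    flagged = []
    for url in urls:
        report = check_host(urlsplit(url).hostname or "")
        if any(v in ("mixed-script", "whole-script-lookalike") for _, _, v in report):
            flagged.append((url, ".".join(a for _, a, _ in report)))
    return flagged
```

a label like рина comes out as "non-latin" and is left alone, while the mixed-script аpple.com link is flagged together with its xn-- form.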
the whole thing just proves how weird and messy the internet can be sometimes. something as simple as a different alphabet can set the shit loose, and even lead to some unintended consequences. i'm not saying non-latin domains shouldn't exist, but they sure can cause headaches.
got comments, thoughts or feedback about this post? email me at comments@riri.my •ᴗ•