Read your address bar carefully

Internet addresses are no longer stuck with ASCII and English. If you're Greek, you can have a Greek domain name; if you're Japanese you can have a Japanese domain name. To make international characters work on the existing ASCII system, you encode the address in Punycode:
As an example of how IDNA works, suppose the domain to be encoded is Bü (“Bücher” is German for “books”, and .ch is the country domain for Switzerland). This has two labels, Bücher and ch. The second label is pure ASCII, and so is left unchanged. The first label is processed by Nameprep to give bücher, and then by Punycode to give bcher-kva, and then has xn-- prepended to give xn--bcher-kva. The final domain suitable for use with the DNS is therefore

To avoid spoofing addresses, browsers render the ugly Punycode version whenever there's an ambiguous character. This is necessary to differentiate pа (where the first a is replaced by a Cyrillic а) from


I registered, the Punycoded form of com丿 The fourth character isn't a slash /, but the curlier Japanese character 丿. On current versions of Safari, this character lends itself to fun domain spoofing.

This probably isn't good enough to fool a seasoned software developer. But could it fool your mom?

PS: I've already reported the bug to Apple. If your app displays URLs to users, this is something you may need to consider as well.