In December 2001, a paper was released describing Homograph attacks. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. At the time this paper was written, no browsers had implemented Unicode/UTF8 domain name resolution.See also an article at Boing Boing describing the issue. The Shmoo Group provides proof-of-concept examples where they have spoofed paypal.com. The irony is that this is the first security alert I've ever seen that effects every browser except Microsoft IE.
Fast forward to today: Verisign has championed International Domain Names (IDN). RACES has been replaced with PUNYCODE. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for IE; plug-in are available).
...
Vulnerable browsers include (but are not limited to):
Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
If you're using a mozilla-based browser (Firefox, e.g.), there are instructions on how to implement a workaround by setting 'network.enableIDN' to false, but there are also reports that the workaround doesn't fix the issue. Making the change worked for me; your mileage may vary. Read the advisory by the Schmoo Group (including footnotes) and the article at Boing Boing for more information.
