"Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws our on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Phishing attacks of doom coming soon."

http://www.shmoo.com/idn/homograph.txt

So for once the crappiness of MIE saved it from one little hole (and i note FF is the only affected browser that has a fix now)

holy fuck that's bad

this opens up .. everything :|

The question is, do browsers send their cookies to that domain?

The fundamental thing that is trusted by a user in an SSL session is the URL displayed by the browser, and the absence of popups regarding the 'padlock icon'

Many. many users would be caught by a spoofed email sent to them from their online bank asking them to update their preferences, and pointing them to a domain and site that looks exactly like their bank. Very easy to capture login information this way

Originally posted by radass
Many. many users would be caught by a spoofed email sent to them from their online bank

I reckon people need to pass a simple fraud prevention test before they can start using Netbank and the likes. "We do not send you emails."