I predicted this the moment I heard about unicode domains, and now someone has gone and proved me right. Have a look at these links in anything but IE. Yes, this exploit doesn’t work in IE because it’s so out of date that it doesn’t keep up with the standards (see definition of irony).
Yes, it looks like Paypal. Yes, that SSL certificate looks sort of valid (until you inspect it closely). No, that’s not Paypal. No, that isn’t an “a” in www.paypal.com. It’s a а, which just happens to look exactly like the character “a”.
For now, those that are worried can disable network.enableIDN in Firefox/Mozilla, but I can see far too many people getting caught in phishing attacks with this new trick.
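As an added example (not code from the original post), here is a small Python check in the spirit of the mitigation above: it flags hostnames whose labels mix letters from more than one script and shows the Punycode form a browser would actually resolve. The spoofed hostname is constructed here with a Cyrillic а (U+0430), which is assumed to be the look-alike character the post refers to; the script heuristic is also an assumption, since the standard library exposes no Unicode Script property.

```python
import unicodedata

# Constructed sample input: a genuine ASCII hostname and a homograph
# spoof whose second label uses Cyrillic small letter a (U+0430).
LEGIT = "www.paypal.com"
SPOOFED = "www.p\u0430ypal.com"


def char_script(ch: str) -> str:
    """Approximate the script of a letter from its Unicode name.

    Assumption: the first word of the character name ("LATIN", "CYRILLIC",
    "GREEK", ...) is used as a stand-in for the Script property.
    """
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters in one hostname label."""
    return {char_script(c) for c in label if c.isalpha()}


def mixed_script_labels(hostname: str) -> list:
    """Return the labels of `hostname` that mix letters from several scripts.

    A label written entirely in one non-Latin script is not flagged; the
    warning sign is Latin and non-Latin letters side by side in one label.
    """
    return [lbl for lbl in hostname.split(".") if len(label_scripts(lbl)) > 1]


def is_mixed_script(hostname: str) -> bool:
    return bool(mixed_script_labels(hostname))


def to_ascii(hostname: str) -> str:
    """Punycode (xn--) form, via Python's RFC 3490 'idna' codec.

    Pure-ASCII names come back unchanged; this is the name that is actually
    looked up in DNS and shown in the certificate, whatever the glyphs say.
    """
    return hostname.encode("idna").decode("ascii")


def report(hostname: str) -> dict:
    """Summary a defender can log or surface in a warning."""
    return {
        "display": hostname,
        "ascii": to_ascii(hostname),
        "mixed_script_labels": mixed_script_labels(hostname),
        "suspicious": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for host in (LEGIT, SPOOFED):
        print(report(host))
```

Seeing `xn--pypal-4ve.com` instead of `paypal.com` in the ASCII form is exactly the tell that the look-alike glyph hides.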
See, if someone had just listened to me when I started whining about this months ago, we could all have thought up a neat trick to save people from having their bank accounts emptied and their pet dogs kidnapped. But does anyone ever listen to me? No-o-o — of course not. In fact… hey… where are you goi… come b…
Oh, bah humbug.