IDN considered harmful.
[2:39] <dsandler> So, I don’t know how to respond to this: http://www.shmoo.com/idn/
[2:40] <dsandler> (the hack: using the Cyrillic ‘a’, which looks exactly like the Roman ‘a’, as the second letter in “paypal.com”)
[2:40] <dsandler> phished!
[2:41] <dsandler> So, what’s the answer here? Eliminate Punycode encoding of so-called “international domain names”? Seems draconian. What you’d really want to do is come up with some way to trust a website above and beyond the orthographic appearance of its domain.