One more attack vector to be thinking about!
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.
Chrome 59 will protect you from these phishing attempts by converting the maliciously-similar name to the Punycode version, thus making you aware of something amiss.
Firefox users can limit their exposure by going to
about:config and setting
true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.
Thus, the attack form of apple.com will show as https://www.xn--80ak6aa92e.com
On Twitter @Xudong_Zheng says a simple way to limit the risk from bugs such as this is to always use a password manager, which can identify that the similar letters are not the same.