Spoofing URLs with Unicode

Over at Slashdot there’s a discussion about an article in Scientific American describing how a pair of students at the Technion-Israel Institute of Technology registered “microsoft.com” with Verisign, using the Russian Cyrillic letters “c” and “o”. Even though it is a completely different domain, the two display identically (the article uses the term ‘homograph’).

Because the letters look very similar, a user will blithely click on a “spoofed” URL, and instead of going to the “safe” site they expect, experience any number of Nasty Things.
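
A check for this kind of homograph, as an added example that is not from the article or the Slashdot discussion: it flags hostname labels that mix scripts and shows the ASCII (punycode) form that is actually registered and resolved. The sample hostname is constructed from the description above, and the helper names are hypothetical.

```python
import unicodedata

# Constructed sample: "microsoft.com" with Cyrillic U+0441 (es) and U+043E (o)
# substituted for the Latin "c" and "o", as the article describes.
SPOOFED = "mi\u0441r\u043es\u043eft.com"
GENUINE = "microsoft.com"


def script_of(ch):
    """Coarse script of a character, taken from the first word of its Unicode
    name (e.g. LATIN, CYRILLIC). Assumption: good enough for this check;
    a production check would use the Unicode Script property."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(host):
    """Return {label: [scripts]} for every label that mixes scripts."""
    findings = {}
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings[label] = sorted(scripts)
    return findings


def to_ascii(host):
    """ASCII form of the hostname; non-ASCII labels become xn-- punycode."""
    return host.encode("idna").decode("ascii")


def report(host):
    """One-line summary suitable for a log or a link-checking tool."""
    mixed = mixed_script_labels(host)
    verdict = "SUSPICIOUS mixed scripts %s" % mixed if mixed else "ok"
    return "%s -> %s : %s" % (host, to_ascii(host), verdict)


if __name__ == "__main__":
    for h in (GENUINE, SPOOFED):
        print(report(h))
```

A label written entirely in one non-Latin script passes this check, so displaying the `xn--` form or comparing against an allowlist of expected domains is still needed for that case.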