This Wordfence article is a great demonstration of why using a password manager is so important.
The message the author is pushing is “these browsers suffer because it’s easy to phish them” when the reality is that the specific “vulnerability” is actually the way the Internet is designed. The weakest link for all phishing is always PEBCAK – aka, “Problem Exists Between Chair and Keyboard”. Phishing is not your typical security problem, because it’s not the computer the attacker needs to convince, it’s the person.
Don’t get me wrong, I’m not saying that there should not be some visual and functional indication for IDN domains, but the user is still going to be the weakest link. Any indicator would go unnoticed or misunderstood by most people anyway.
A better solution is to use a password manager such as RoboForm. RoboForm bypasses this issue by preventing you from authenticating to the forged domains. RoboForm (and most other password managers) authenticates only to trusted domains, so even though the IDN domain may visually appear to be the same, it will not be treated as the real domain within the password manager.
See how RoboForm addresses this problem. In the first image you can see the stored credentials (shown in bold), which appear only if the domain matches the stored login.
Here we have the punycode IDN variation, which, since it is actually a different domain, has no match in RoboForm.
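The matching rule described above, written out as an added example (this is not RoboForm's code or the Wordfence article's; the sample hosts are constructed for illustration). It canonicalizes the host of a URL to its ASCII punycode form and offers stored credentials only on an exact host match, so a Cyrillic look-alike never matches the Latin entry even though the two render identically. The mixed-script check at the end is an extra heuristic of my own; it catches some look-alikes but not all, which is exactly why the exact-host match is the part that actually protects you.

```python
"""Added example: how a password manager's "fill only on the stored domain"
rule defeats IDN homograph look-alikes. Not code from the original post.
The hostnames used below are constructed for illustration."""
import unicodedata
from urllib.parse import urlsplit


def canonical_host(url: str) -> str:
    """Return the host of `url` in its ASCII (punycode / "xn--") form.

    str.encode('idna') applies nameprep and punycode label by label
    (IDNA 2003, Python standard library). The result is what actually
    goes on the wire, so two hosts that merely look alike on screen
    canonicalize to different strings.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def to_display_form(ascii_host: str) -> str:
    """Inverse of canonical_host: decode an "xn--" host back to Unicode
    so a reviewer can see what the browser would have displayed."""
    return ascii_host.encode("ascii").decode("idna")


def matches_stored_login(url: str, stored_host: str) -> bool:
    """A password manager offers credentials only when the canonical host
    of the page is identical to the canonical host of the stored login.
    (Simplified: exact host match, no subdomain or registrable-domain rules.)"""
    return canonical_host(url) == canonical_host("https://" + stored_host)


def looks_like_homograph(display_host: str) -> bool:
    """Heuristic (assumption, not a standard): flag any label whose letters
    come from more than one Unicode script, e.g. Latin mixed with Cyrillic.
    Coarse script detection via the first word of the character name.
    A label written entirely in one confusable script is NOT caught here."""
    for label in display_host.split("."):
        scripts = {unicodedata.name(c).split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            return True
    return False


# Constructed sample: the stored login is for apple.com; the phishing host
# spells it with Cyrillic а (U+0430), р (U+0440), е (U+0435) and a Latin l.
STORED_HOST = "apple.com"
REAL_URL = "https://apple.com/login"
LOOKALIKE_URL = "https://\u0430\u0440\u0440l\u0435.com/login"

if __name__ == "__main__":
    for url in (REAL_URL, LOOKALIKE_URL):
        print(f"{url!r:45} canonical={canonical_host(url):28} "
              f"fill={matches_stored_login(url, STORED_HOST)} "
              f"mixed_script={looks_like_homograph(urlsplit(url).hostname)}")
```

Run it and the look-alike URL canonicalizes to an `xn--` host, so `matches_stored_login` returns False and no credentials would be offered; the real URL matches and fills. `to_display_form` is there for incident triage, to turn a punycode host from a log line back into what the victim actually saw.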
While the specific issue at hand is a phishing technique that uses one cosmetic effect to trick the user into authenticating to a domain that appears to be the real thing, there are many other ways that domains can be made to look like the real thing, and each of them will still work after this particular issue is addressed.
Using a password manager is the best and easiest way to ensure that you’re visiting the real site. It also provides strong authentication and far better passwords than you can create on your own.
Okay, now go get RoboForm.
That’s all for now folks. Keep it clean out there. 😉