IDN homograph attack should not be an issue in your address bar - unicode letter trickery e.g. pаypal.com with a cyrillic а should be shown as xn--pypal-4ve.com ; it's something that can be solved and is being solved on the UI level.
IDN is not that simple. Sometimes you want punycode (flüge.de) sometimes you don't (xn--pypal-4ve.com).
It's not like you can just disable punycode for all sites, because now you just create a new phishing risk for those sites that used it (xn--pypal-something and xn-flge-something look close enough)
The browser vendors disagree about what the rule should be, to avoid homograph attacks, but it's reasonable to say that if you suffer a Unicode homograph attack in your browser, the first people to blame are at the browser vendor.
Some feel that the correct approach is to whitelist TLDs that have a responsible homograph rule (so, not .com) and show punycode in all other TLDs. Others want to detect whether a name seems "confusing" by some heuristic and show the punycode instead only in that case.
Interesting, thanks. Is it difficult to just try to DNS-query for all possible confusing homographs, and display punycode unless all responses are negative? Not sure if that would overload DNS servers too much (maybe limit it to 3 characters and display punicode otherwise to avoid exponential blowup?), but it should be very cacheable.
Firefox users can visit about:config and manually set the value "network.IDN_show_punycode" to True, to fix this. Tested and working, and I'm not sure why this isn't already the default for users whose language setting is English.
