The browser vendors disagree about what the rule should be, to avoid homograph attacks, but it's reasonable to say that if you suffer a Unicode homograph attack in your browser, the first people to blame are at the browser vendor.
Some feel that the correct approach is to whitelist TLDs that have a responsible homograph rule (so, not .com) and show punycode in all other TLDs. Others want to detect whether a name seems "confusing" by some heuristic and show the punycode instead only in that case.
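The two display policies described in the comment above, sketched as an added example (not code from any browser or from the commenters). The `TRUSTED_TLDS` set, the policy names and the sample hostnames are constructed assumptions, and the script check is a rough approximation based on Unicode character names.

```python
import unicodedata

# Assumption: stand-in for a list of TLDs whose registries enforce a homograph rule.
TRUSTED_TLDS = {"de"}

def to_unicode(label):
    """Decode one A-label ("xn--...") to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode one label to its punycode A-label form if it is not plain ASCII."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Approximate the scripts in a label by the first word of each Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def display_form(hostname, policy):
    """Return the text an address bar would show under one of the two policies."""
    labels = [to_unicode(part) for part in hostname.split(".")]
    unicode_form = ".".join(labels)
    ascii_form = ".".join(to_ascii(part) for part in labels)
    if policy == "tld-allowlist":
        # Unicode only where the registry is trusted to block lookalikes.
        ok = labels[-1].lower() in TRUSTED_TLDS
    elif policy == "mixed-script":
        # Heuristic: a label mixing scripts is treated as confusing.
        ok = all(len(scripts(part)) <= 1 for part in labels)
    else:
        raise ValueError(policy)
    return unicode_form if ok else ascii_form

# Constructed samples: Latin with one Cyrillic letter, an all-Cyrillic label,
# and an ordinary German IDN given in A-label form.
MIXED = "ex\u0430mple.com"
WHOLE_SCRIPT = "\u0430\u0441\u0435.com"
GERMAN = "xn--mnchen-3ya.de"

if __name__ == "__main__":
    for host in (MIXED, WHOLE_SCRIPT, GERMAN):
        for policy in ("tld-allowlist", "mixed-script"):
            print(policy, ascii(host), "->", ascii(display_form(host, policy)))
```

The all-Cyrillic sample is displayed in Unicode by the mixed-script heuristic, since every letter in the label belongs to one script; only the TLD allowlist falls back to punycode for it.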
Interesting, thanks. Is it difficult to just try to DNS-query for all possible confusing homographs, and display punycode unless all responses are negative? Not sure if that would overload DNS servers too much (maybe limit it to 3 characters and display punycode otherwise to avoid exponential blowup?), but it should be very cacheable.
Firefox users can visit about:config and manually set the value "network.IDN_show_punycode" to True, to fix this. Tested and working, and I'm not sure why this isn't already the default for users whose language setting is English.