I actually saw this a couple of days ago but didn’t get round to blogging it, but it is now possible to spoof URLs in non-IE browsers by using special encoding of characters. A lot of us know that %20 is actually a space, but there are a lot of numbers higher up in the thousands that also look like characters, and this is partly to do with the problem. The problem is something called IDN.
The link I posted above is reporting on the original website that discovered the problem.
Update: URL fixed and warning removed. (Thanks for the comment, Jeff.)
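As an added example (my own code, not from this post or from the shmoo.com page), the check below shows what those "numbers in the thousands" are: Unicode code points such as U+0430, the Cyrillic small letter that renders like a Latin "a". It converts a host name between its Unicode and punycode ("xn--") forms with Python's built-in IDNA codec and flags any label whose letters mix scripts, which is the cheapest server-side or proxy-side test for this kind of look-alike domain. The sample host names are constructed for the demo.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Crude script identifier: first word of the Unicode name, e.g. LATIN, CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one DNS label. More than one is suspicious."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def check_host(host: str) -> dict:
    """Accept a host in Unicode or punycode form and report both forms plus mixed-script labels."""
    # The idna codec leaves plain ASCII labels alone and decodes xn-- labels,
    # so encode/decode normalises either input to its Unicode form.
    unicode_form = host.encode("idna").decode("idna")
    ascii_form = unicode_form.encode("idna").decode("ascii")
    flagged = []
    for label in unicode_form.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # List every non-ASCII character with its code point so the reader
            # can see which "number in the thousands" is being abused.
            lookalikes = [f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                          for ch in label if not ch.isascii()]
            flagged.append({"label": label, "scripts": sorted(scripts),
                            "non_ascii": lookalikes})
    return {"unicode": unicode_form, "ascii": ascii_form, "mixed_script_labels": flagged}


if __name__ == "__main__":
    # Constructed samples: the genuine name and a copy whose second letter is Cyrillic.
    for sample in ["paypal.com", "p\u0430ypal.com"]:
        result = check_host(sample)
        print(result["unicode"], "->", result["ascii"])
        for item in result["mixed_script_labels"]:
            print("  mixed scripts in", item["label"], item["scripts"], item["non_ascii"])
```

Python's codec implements the original IDNA 2003 rules, which is the version the browsers of the time used; the mixed-script test is the same idea browsers later adopted before deciding whether to display the Unicode or the xn-- form.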
Comments
IDN is Internationalised Domain Names. They allow you to register domain names with ‘special’ characters, like ä or various Chinese, Cyrillic and Japanese (for example) symbols. Unfortunately it also appears that they can use entities of normal characters, which is where the spoofing comes about.
The URL from the “hacker” site is perfectly safe to visit. In the sense in which they use “hacker”, it’s more akin to someone who likes to tinker with things, poking and prodding to see how things work or how they respond to changes. They’re actually security professionals — see the main page of their site for more details.
In any case there’s not much on their site except a brief test example and a brief technical description of how the problem works.
By the way: the URL you’ve used isn’t their URL. The real URL is http://www.shmoo.com/idn/ (note the absence of a ‘c’).