Read on golem: New Phishing Attack Possible in Many Web Browsers. Great. Once again, a sloppily implemented solution and a sloppy standard. The whole umlaut domain stuff is nonsense anyway, and you have to wonder why it was implemented in the first place - the mere fact that this garbage only works for websites, and that IDNs can't be meaningfully used for anything else, should have made anyone realize what a ridiculous idea it is. And now it's also a phishing hole.