There was an example where еріс.com (whose domain is in the Ukrainian Cyrillic alphabet, and I think would be pronounced like "eris dot com") once got a security certificate that would be visually indistinguishable from one for epic.com. This was, thankfully, intended by its creator to demonstrate the vulnerability.
The certificate has expired now, and additionally, browsers now show it as https://www.xn--e1awd7f.com/ . Even HN rewrites it if I type it as a full URL in Unicode, actually.
The certificate has expired now, and additionally, browsers now show it as https://www.xn--e1awd7f.com/ . Even HN rewrites it if I type it as a full URL in Unicode, actually.