Malcolm Gin ☵ is a user on octodon.social.

Here's a tester for the new punycode phishing attack: xn--80ak6aa92e.com/

If your browser takes you to an SSL-secured site that it shows you as apple.com/

then your browser has problems.

More info: thehackernews.com/2017/04/unic

Article has instructions on fixing in Firefox. I tested in Chrome Canary (Chrome v 60) and it's fixed there too.

Note: Safari will show the attack URL as invalid or invalid.invalid. That's good. It looks like Safari isn't vulnerable because it doesn't support punycode. Chrome and Firefox are vulnerable because they do. I think the fix here is to fix punycode, but I don't know enough about the internals of this exploit to be totally sure.

Malcolm Gin ☵ @perigee

It looks like the test URL I posted earlier can show up as invalid in some versions of Chrome and also in Safari. Because of how Chrome updating works, as well as how Google Safe Browsing works, it's hard to tell which versions and configurations of Chrome will show the problem URL and which ones won't. My guess is that Google is busting ass to make sure all known tester URLs are handled by Google Safe Browsing and thinking about accelerating their update schedule ...


... (according to Slashdot, Chrome/Chromium v. 59 handles this and I looked it up; it's due by early June, but according to Google's IDN documentation, it's fixed in 58, which is due at the end of April).

Honestly if you use Chrome, I wouldn't recommend assuming you're safe. Perhaps try Chrome Canary, or use Firefox (after you fix its settings) or Safari until this blows over. And/or avoid unreliable sites with shitty or no security.

A friend of mine reports that Mozilla Seamonkey responds well to the Firefox fix to disable punycode (found in the article I posted in the OP).

Also, the profusion of Google Safe Browsing and other safe browsing extensions makes it impossible to predict what any individual's Chrome install is going to do with the testing URL. Best to test and then take measures to fix if you see it as "apple.com/" in whatever is your favorite browser.

FWIW, Mozilla Seamonkey is to Firefox as Chromium is to Google Chrome (open source spinoffs).

My conventional normal Chrome just updated itself to 58.0.3029.81 (I had to go to the About page, let it update, and restart). 58.0.3029.81 appears not to be vulnerable to the issue.
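
Added example, not part of the original posts: a Python check that decodes the tester hostname from the first post and reports when a non-ASCII label renders like a protected ASCII name. `LOOKALIKES`, `check_host` and the `protected` set are hypothetical names, and the lookalike table is a small constructed subset rather than Unicode's full confusables data.

```python
import unicodedata

# Constructed subset of Cyrillic-to-Latin lookalikes, enough for the tester label.
# Assumption: a production check would load Unicode's full confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l"}

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are decoded)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Rough script per letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def skeleton(text):
    """Map known lookalikes to ASCII so visually identical labels compare equal."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text.lower())

def check_host(host, protected):
    """Flag labels that are not ASCII but render like a protected ASCII name."""
    findings = []
    for label in host.rstrip(".").split("."):
        shown = decode_label(label)
        if shown.isascii():
            continue  # plain ASCII label: what is shown is what is resolved
        skel = skeleton(shown)
        if skel in protected:
            findings.append({
                "label": label,
                "shown": shown,
                "codepoints": [f"U+{ord(c):04X}" for c in shown],
                "scripts": sorted(scripts(shown)),
                "imitates": skel,
            })
    return findings

if __name__ == "__main__":
    for finding in check_host("xn--80ak6aa92e.com", {"apple"}):
        print(finding)
```

The tester label contains no ASCII letters at all, so a check that only looks for mixed scripts inside one label does not catch it; comparing skeletons against a list of protected names does.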