[SamBam]

Huh? "https://www.login.chase/login?id=DEADBEEF/.evil.com" wouldn't go to evil.com, it would go to login.chase. "chase" is the TLD of that URI.

Unless you're doing something super clever with characters that I'm not understand, that's not how urls work. ".evil.com" is clearly part of the query parameter.

[notriddle]

Assuming they're not doing anything weird with Unicode, the evil pi is probably running its own DNS server, intercepting the traffic intended for normal DNS, and basically creating its own TLD the same way you would normally do localdomain. The evil.com part is redundant.

[SamBam]

Sure, that's a totally different scenario than tricky-looking urls.

[closetohome]

This seems...a little unnecessarily pedantic. It's an example of a well-known URL obfuscation technique -- we all understood what he meant.