If they were displayed in the opposite (big-endian) order, the 3rd example above would become:
http://xx.baz.com|bar.foo
Notice how the "com" and "foo" are now separated.
There was a gap in my logic here. A phisher could easily keep the "com" and "foo" next to each other. My real point is that big-endian display of domain names would put the important parts of the name near the beginning for a left-to-right reader:
The "real" (unspoofed) URI would look like this:
http://com.foo
Erik
