APTLD Statement Regarding Phishing Using Homographs among IDNs
Recently, there have been intense discussions about possibilities of phishing using homographs through the introduction of IDNs. This has led to some browser providers announcing that they intend to disable IDNs in future releases. We believe that the information that they have relied on is misleading, which has led to inappropriate action.
As an organization with members who lead both the technology and utilization of IDN, APTLD makes the following statement.
There have been recent reports of possible phishing activities in which ill-willed website owners make improper use of similar-looking IDN characters in the URLs of websites. The root of this problem is a visual illusion that already exists in ASCII domain names. For example, the digit `1` and the lowercase letter `l` look alike. The problem is not specific to IDN. However, it is true that the number of combinations of similar-looking characters increased when IDN was introduced.
This problem was already identified when IDN was standardized and introduced (refer to the IESG statement of 11 February 2003). Countermeasures to suppress the problem were already investigated and published as RFCs by the IETF under the leadership of APTLD members. In addition, guidelines for domain name registries to conduct such countermeasures have already been set up by ICANN. See
– JET Guidelines (RFC3743) and
They ask registries to define the languages in which IDNs may be registered; define the character code points allowed in each language for IDN; define variants (if any) of each character; tag each IDN with a language name at registration to exclude inappropriate characters; and cooperate with relevant and interested stakeholders to develop language-specific registration policies, etc.
If registries follow these guidelines, it will dramatically reduce the number of similar-looking IDNs. This will then reduce the possibility of phishing using IDNs.
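The registry-side checks these guidelines describe (a language tag on each registration, a per-language table of permitted code points, and variant handling) can be sketched as follows. This is an added example, not code from APTLD, the RFC or ICANN: the tables are small constructed samples rather than registered IANA language tables, the names `LANGUAGE_TABLES`, `validate_label`, `variant_bundle` and `Registry` are hypothetical, and reserving the whole variant bundle for the first registrant is an assumed policy.

```python
from itertools import product

# Constructed toy language tables (NOT real IANA-registered tables):
# each maps a permitted code point to the set of its variant code points.
LANGUAGE_TABLES = {
    "ru": {**{chr(c): set() for c in range(0x0430, 0x0450)}, "\u0451": set()},
    "zh": {"国": {"國"}, "國": {"国"}, "际": {"際"}, "際": {"际"}, "中": set()},
}
COMMON = set("0123456789-")  # assumed to be allowed under every table


def validate_label(label, lang):
    """Return the characters of `label` not permitted for the tagged language."""
    table = LANGUAGE_TABLES[lang]
    return [ch for ch in label if ch not in table and ch not in COMMON]


def variant_bundle(label, lang):
    """Return every label reachable by swapping characters for their variants."""
    table = LANGUAGE_TABLES[lang]
    choices = [sorted({ch} | table.get(ch, set())) for ch in label]
    return {"".join(p) for p in product(*choices)}


class Registry:
    def __init__(self):
        self.reserved = {}  # label or variant -> (registered label, language tag)

    def register(self, label, lang):
        label = label.lower()
        if lang not in LANGUAGE_TABLES:
            return False, f"no language table for {lang!r}"
        bad = validate_label(label, lang)
        if bad:  # e.g. a Latin letter inside a label tagged as Russian
            points = ", ".join(f"U+{ord(c):04X}" for c in bad)
            return False, f"code points outside the {lang!r} table: {points}"
        bundle = variant_bundle(label, lang)
        clash = self.reserved.keys() & bundle
        if clash:
            owner = self.reserved[min(clash)][0]
            return False, f"variant of existing registration {owner!r}"
        for variant in bundle:  # assumed policy: one registrant holds the bundle
            self.reserved[variant] = (label, lang)
        return True, f"registered with {len(bundle) - 1} variant(s) reserved"
```

A label that mixes a Cyrillic `а` (U+0430) into otherwise Latin text is rejected under the `ru` tag because the Latin letters fall outside that table, and a second request for the traditional-character form of an already registered simplified-character label is refused as a variant.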
Internet users who need IDNs really want to see rapid deployment of IDNs. Deployment needs appropriate IDN registration and IDN-aware applications. Registration and application deployment should not be delayed by misleading information.
Therefore, APTLD encourages ICANN to
– promote the recognition and usage of IDN registration guidelines,
– encourage registries to register language tables with IANA regardless of contractual relationships with ICANN, and
– encourage IDN application development and deployment.