Recently, there have been
intense discussions about possibilities of phishing using homographs through the
introduction of IDNs. This has led to some
browser providers announcing that they intend to disable IDNs in future
releases. We believe that the information that they have relied on is
misleading which has led to inappropriate action.
As an organization with
members who lead both the technology and utilization of IDN, APTLD makes the following
statement.
There have been recent
reports of possible phishing activities being carried out as a trick performed
by ill-willed website owners by making improper use of similar-looking IDN
characters in the URL of websites. The root of this problem is a visual
illusion that already exists in ASCII domain names. For example, the digit `1` and the small letter `l` look alike. The
problem is not specific to IDN. However, it is true that the number of combinations
of similar-looking characters increased when IDN was introduced.
This problem was already
identified when IDN was standardized and introduced (refer to IESG statement of
11 February 2003, ).
Countermeasures to suppress the problem were already investigated and published
as RFCs by IETF with leadership of APTLD members. In addition, guidelines for domain
name registries to conduct such countermeasures have already been set up by
ICANN. See
- JET Guidelines (RFC3743) and
They request registries to
define languages to be registered as IDNs; define character code points allowed
in each language for IDN; define variants (if any) to each character; tag a language
name to each IDN at registration to exclude inappropriate characters; and cooperate
with relevant and interested stakeholders to develop language-specific
registration policies, etc.
If registries follow these
guidelines, it will dramatically reduce the number of similar-looking IDNs.
This will then reduce the possibility of phishing using IDNs.
Internet users who need IDNs
really want to see rapid deployment of IDNs. Deployment needs appropriate IDN
registration and IDN-aware applications. Registration and application
deployment should not be delayed by misleading information.
Therefore, APTLD encourages
ICANN to
- promote the recognition and
usage of IDN registration guidelines,
- encourage registries to register
language tables with IANA regardless of contractual relationships with ICANN,
and
- encourage IDN application
development and deployment.