ICANN Released Statement on IDN Homograph Attacks

ICANN (www.icann.org) is aware of the recent publicity regarding the vulnerability of certain web browsers to URI and domain name spoofing that relies on the use of Internationalised Domain Name (IDN) resolution.

Homograph domain name spoofing works by exploiting the visual resemblance, or near resemblance of certain characters and symbols.

These can be characters in the standard ASCII character set (such as the resemblance between the numeral "1" and the lower-case letter "l" or the letter "O" and the numeric zero ("0") in some fonts), or characters taken from different languages (such as the character "Â" [Greek capital letter Beta], and the character "B" [Latin capital letter B], or the potential confusion amongst Chinese, Japanese, and Korean character sets).

The vulnerability identified by the recently publicised advisory (http://www.shmoo.com/idn/homograph.txt) is focused on how standard punycode-based IDNs offer additional opportunities for homograph attacks.

While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards.

ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.

ICANN calls for views and positions regarding both homograph vulnerability, which is not unique to IDNs, and the proposed countermeasures, which include having browser support for IDNs turned off by default, while at the same time not protecting against older forms of URI and domain name abuse.

ICANN encourages the global Internet community to participate in this public comment forum as part of an effort to improve public protection from abusive use of domain names while responsibly opening up opportunities for non-Latin language characters to be used in registered domain names.