Site Map  |  Site Index  |  Quick Links 
        Search 

ICANN Statement on IDN Homograph Attacks and Request for Public Comment

23 February 2005

ICANN is aware of the recent publicity regarding the vulnerability of certain web browsers to URI and domain name spoofing that relies on the use of Internationalised Domain Name (IDN) resolution.

Homograph domain name spoofing works by exploiting the visual resemblance, or near resemblance of certain characters and symbols. These can be characters in the standard ASCII character set (such as the resemblance between the numeral "1" and the lower-case letter "l" or the letter "O" and the numeric zero ("0") in some fonts), or characters taken from different languages (such as the character "Β" [Greek capital letter Beta], and the character "B" [Latin capital letter B], or the potential confusion amongst Chinese, Japanese, and Korean character sets). The vulnerability identified by the recently publicised advisory (http://www.shmoo.com/idn/homograph.txt) is focused on how standard punycode-based IDNs offer additional opportunities for homograph attacks. The Internet community recognises that homograph domain name and URI spoofing is a problem that pre-exists the adoption of IDN implementation standards, but increasing the total number of characters available for domain names inevitably increases the opportunities for character confusion and spoofing.

While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations. These and other Best Current Practice guidelines are being defined by the global Internet community to enable the successful use of IDNs.

ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs. ICANN calls for views and positions regarding both homograph vulnerability, which is not unique to IDNs, and the proposed countermeasures, which include having browser support for IDNs turned off by default, while at the same time not protecting against older forms of URI and domain name abuse.

ICANN encourages the global Internet community to participate in this public comment forum as part of an effort to improve public protection from abusive use of domain names while responsibly opening up opportunities for non-Latin language characters to be used in registered domain names.

About

FAQs

IANA

Mission

Structure

News

Announcements

Blog

Newsletter

News Releases

RSS Feeds

Policy

Policy Update

At-Large

ASO

ccNSO

GAC

GNSO

RSSAC

SSAC

 

In Focus

Affirmation of Commitments

Contractual Compliance

DNSSEC

Fellowship Program

Internationalized Domain Names (IDNs)

IDN ccTLD Fast Track Process

IPv6

New gTLD Program

Resources

Accredited Registrars

Dispute Resolution Options

E-Learning

Photos

Videos

Speeches and Presentations

Whois Search

Governance Documents

Articles of Incorporation

Bylaws

Board Meeting Minutes and Resolutions

Board Code of Conduct

Board Conflicts of Interest Policy

Summary of Board Statements of Interest

General Documents

Meetings

Press Room

Careers

Contact

This file last modified 26-Sep-2011

© 2012 Internet Corporation For Assigned Names and Numbers