en

ICANN Statement on IDN Homograph Attacks and Request for Public Comment

23 February 2005

ICANN is aware of the recent publicity regarding the vulnerability of certain web browsers to URI and domain name spoofing that relies on the use of Internationalised Domain Name (IDN) resolution.

Homograph domain name spoofing works by exploiting the visual resemblance, or near resemblance of certain characters and symbols. These can be characters in the standard ASCII character set (such as the resemblance between the numeral "1" and the lower-case letter "l" or the letter "O" and the numeric zero ("0") in some fonts), or characters taken from different languages (such as the character "Β" [Greek capital letter Beta], and the character "B" [Latin capital letter B], or the potential confusion amongst Chinese, Japanese, and Korean character sets). The vulnerability identified by the recently publicised advisory (http://www.shmoo.com/idn/homograph.txt) is focused on how standard punycode-based IDNs offer additional opportunities for homograph attacks. The Internet community recognises that homograph domain name and URI spoofing is a problem that pre-exists the adoption of IDN implementation standards, but increasing the total number of characters available for domain names inevitably increases the opportunities for character confusion and spoofing.

While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations. These and other Best Current Practice guidelines are being defined by the global Internet community to enable the successful use of IDNs.

ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs. ICANN calls for views and positions regarding both homograph vulnerability, which is not unique to IDNs, and the proposed countermeasures, which include having browser support for IDNs turned off by default, while at the same time not protecting against older forms of URI and domain name abuse.

ICANN encourages the global Internet community to participate in this public comment forum as part of an effort to improve public protection from abusive use of domain names while responsibly opening up opportunities for non-Latin language characters to be used in registered domain names.