Chrome uses a sophisticated system to determine if an IDN can spoof another website.
While researching end-user sales at Sedo yesterday, I visited öttö.de, which sold for €2,000. Here is what I saw during my visit:
This is the first time I have encountered this warning. Google started showing warnings like this in about Chrome 75 and started to treat Internationalized Domain Names (IDNs) differently starting in Chrome 51. (We are now at Chrome 100+).
IDNs are controversial. On the one hand, they can be great for people who use non-Latin scripts. On the other hand, they can trick people into visiting sites with “lookalike” URLs.
For example, consider this domain:
It resembles the domain of the popular auction and property sale site. But it actually uses a Cyrillic “a” and is a different domain than ebay.com. The problem becomes incredibly complex when domains have mixed scripts like this example.
Chrome therefore has a decision tree to decide when to display a domain in Unicode (essentially, what it looks like visually) or in Punycode, an ASCII encoding of the domain name that looks like xn--bb-eka.tld.
This decision tree is very complex and it looks like some URLs might slip through the cracks.
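To make the Unicode-versus-Punycode question concrete, here is an added example (not Chrome's code and far simpler than its decision tree) that a brand owner could run over candidate hostnames: it shows the Punycode form, flags labels that mix scripts, and flags names that collapse to a protected domain. The function names, the confusables table and the sample hostnames are assumptions constructed for this illustration.

```python
import unicodedata

# Small illustrative subset of Cyrillic letters that render like Latin ones
# (assumption for this example; a real check needs Unicode's full confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def scripts(label):
    """Scripts used by a label's letters (first word of each Unicode name)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Map lookalike letters to Latin and strip diacritics."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def review(host, protected):
    """Return the Punycode form of host and the reasons it may be a lookalike."""
    host = host.lower()
    labels = host.split(".")
    ascii_host = ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in labels
    )
    mixed = [lab for lab in labels if len(scripts(lab)) > 1]
    skel = ".".join(skeleton(lab) for lab in labels)
    lookalike = skel if skel in protected and skel != host else None
    return {"ascii": ascii_host, "mixed_script": mixed, "lookalike_of": lookalike}


# Constructed samples modelled on the two cases the article describes:
# a Cyrillic "a" inside an otherwise Latin name, and a diacritic variant.
PROTECTED = {"ebay.com", "otto.de"}
SAMPLES = ["eb\u0430y.com", "\u00f6tt\u00f6.de", "ebay.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review(sample, PROTECTED))
```

The diacritic variant is single-script, so only the skeleton comparison catches it, while the Cyrillic case trips both checks.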
Chrome developers are also providing suggestions for domain owners who register IDNs defensively to prevent them from being flagged in Chrome.
As for öttö.de, the domain was registered with BrandShelter, which suggests that the owner of otto.de may have acquired it.