Chrome uses a sophisticated system to determine if an IDN might be spoofing another website.
While researching end user sales at Sedo yesterday, I visited öttö .de, which sold for €2,000. This is what I saw when I visited it:
This is the first time I’ve come across this warning. Google started showing warnings like this in about Chrome 75 and started treating Internationalized Domain Names (IDNs) differently beginning with Chrome 51. (We’re now at Chrome 100+).
IDNs are controversial. On the one hand, they can be great for people who use non-Latin scripts. On the other hand, they can trick web users into visiting sites with “look-alike” URLs.
For example, consider this domain:
It looks like the domain of the popular site for auctioning and selling goods. But it actually uses a Cyrillic “a” and is a different domain than ebay.com. The issue becomes incredibly complex when domains have mixed scripts like this example.
So Chrome has a decision tree for deciding when to show a domain in Unicode (essentially, how it looks visually) or Punycode, which is a translation of the URL that looks like xn--bb-eka .tld.
That decision tree is very complex, and it would seem that some URLs could slip through the cracks.
Chrome’s developers also provide suggestions for domain owners who register IDNs for defensive purposes to prevent these from being flagged in Chrome.
As for öttö .de, the domain was registered with BrandShelter, which suggests the owner of otto.de might have acquired it.