
I think allowing Unicode in domain names is a mistake. It does make sense to allow more characters, because ASCII is very limited, but there are a lot of characters in Unicode, including some that look deceptively like different ASCII characters, which could really mislead people. I wouldn't mind if browsers gave some warning for non-ASCII domain names.



This is a known problem and registrars are handling it. For example, forbidding multiple mixed scripts in a domain. Of course, typosquatting and similar characters are an issue in English too. The registrar deals with it.

While I understand your position, it is very anglocentric. Other countries don't use the Roman alphabet at all and shouldn't be forced to use it, especially when a simple whitelist of Unicode characters would have solved the security issue.


> This is a known problem and registrars are handling it

Nitpick: registries are handling it. Registrars usually just use the IDN tables provided by the registries. Mixed script rules in particular are a nightmare to implement perfectly when the tables are not given directly by the registry (for some ccTLDs mainly).

For gTLDs these tables are directly available on IANA: https://www.iana.org/domains/idn-tables


My position isn't specifically anglocentric (I'm not English myself), and like I said, it makes a lot of sense to allow more characters, but it opens up a lot of pitfalls. Banning mixed script is definitely a great idea.


The ß is not really mixed script: It’s a (mostly) normal character in the German language which itself is based on Latin script. It’s part of common words in the language and part of personal names, including mine. I’d rather like having the ability to register a domain with my last name and was rather annoyed that the Internet infrastructure made that difficult, first with ASCII-centrism, then with IDNA2003 and now with a decades-long transition.


Yeah, it's a known issue: https://en.wikipedia.org/wiki/IDN_homograph_attack (see the Defending against the attack section for client- and registry-side measures)
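
The mixed-script rule discussed in this thread, sketched as a per-label check. This is an added example, not part of any comment and not a registry's or browser's actual implementation. It assumes the first word of a character's Unicode name can stand in for its Script property; the function names and sample domains are constructed for illustration.

```python
import unicodedata

# Scripts that legitimately co-occur in one language (Japanese); simplified.
COMPATIBLE = [{"CJK", "HIRAGANA", "KATAKANA"}]

def decode_label(label):
    """Return the Unicode form of a label, decoding an A-label (xn--...)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(label):
    """Approximate the set of scripts used by the letters of one label.

    Assumption: the first word of the Unicode character name stands in for
    the Script property, which the standard library does not expose.
    Digits, hyphens and combining marks are ignored.
    """
    scripts = set()
    for ch in decode_label(label):
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def mixed_script_labels(domain):
    """Return {label: sorted scripts} for every label that mixes scripts."""
    flagged = {}
    for label in domain.rstrip(".").split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1 and not any(scripts <= ok for ok in COMPATIBLE):
            flagged[decode_label(label)] = sorted(scripts)
    return flagged

# Constructed sample names, not taken from the thread.
SAMPLES = [
    "example.com",               # plain ASCII
    "stra\u00dfe.example",       # German sharp s: still Latin
    "\u0430pple.example",        # Cyrillic U+0430 followed by Latin letters
    "\u043f\u043e\u0447\u0442\u0430.example",  # all-Cyrillic label
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(ascii(name), mixed_script_labels(name) or "single script per label")
```

The check only catches labels that mix scripts; a label written entirely in one non-Latin script passes, which is why registries also rely on per-TLD IDN tables.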



