A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty. Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “ …
Open up the TLDs
Open up the DNS
Seriously, there's no reason why there has to be just one. Start your own, get a few ISPs on board, offer plebs instructions on how to start using it, and bob's your uncle. Now you can define your own TLD policy, and peer with the 'mainstream' DNS whenever you wish. Or, make client software which uses its own resolver implementation.
I'm kind-of surprised that Google, Apple, and Microsoft haven't already done this. A tick-box in the browser config to say 'use Google-DNS' is all that it would take to divert most users' queries most of the time. There's no reason why ICANN has to be a monopoly provider for name resolution.
re Open up the DNS
So what you're suggesting is, if ICANN can, I can too. So I can can ICANN. Uncanny.
What the heck?
Is the point just to try to get as much money as possible or what?
A fee of $185'000 is NOTHING. There are thousands of companies that can easily shell out the money. If this goes through, you can expect a land grab of epic proportions, bringing domain squatting to a new level. What is the point?
What is the point?
$185,000 times thousands of companies times several to many different applications, perhaps?
ICAAN- Daft as a brush
There is no need or much demand for this any way. And I mean the only organisation that i have ever notice use ".eu " is the european union itself.
Not a "daft" idea...
It's a daft idea, but an inequitable one.
One internet for the rich, with any name you choose, and another for us plebs. It favours the big companies over small ones, the haves over the have nots. It also reaches into the future and sticks its fingers up at nations not yet in existence, because what's going to be left for them as their national TLDs?
.eu IS in use
Everytime I need to amend my expenses claims or book holiday at work I have to use out HR systems suppliers site that is <ourcompany>.<theircompany>.EU
Actually I use quite a few services on EU domains.
You get whatever Xmas you deserve
That is what you get when you put registrars in charge of DNS infrastructure. First internationalised domain names, now this.
The more domains companies like Coca Cola have to register to protect their brands and trademarks the merrier. For them.
And security be damned. In fact it was damned long ago:
Is this: НSВС ???
F*** No, it is Cyrillic N, S, Cyrillic V, Cyrillic S.
Did anyone care? No. This is from the same songbook. Will anyone besides security geeks care? No. It will be railroaded through as it means more money for the domain names scam.
How many people or companies have something named Ian (Apart from Ian)?
Am I missing something that I probably should have Googled before looking stupid?
No, you're not stupid, but many MANY font designers are.
look the same on your system, delete whichever font you're currently using.
Sometimes serifs are there for a reason.
What, all of them?
You want him to delete all the sans-serif fonts?
LAN not IAN
as in "local area network"
I suppose not.
OK, deleting might be an overreaction (I suspect this might not even be possible for some of the default Windows fonts); but, if you care about having unambiguous information in your browser's address bar (or anywhere else), then make sure to use a suitable font.
Trebuchet seems to be an acceptable compromise, it's not too serif-y, but at least the l isn't just a vertical line.
Humm. Those three sites work just fine for me with Konqueror on Debian. I'm not sure whether to be scared or pleased...
F-Secure talking Bollocks?
F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”
IIRC you can't register a domain name with just digits you have to have at least one non numeric character in the name.
like 192.com for example?
Why would any browser or OS use a DNS lookup for something that fits the pattern of an IP? I can't believe any browser out there doesn't attempt to go direct to IP addresses, so his example is a fail - but it does highlight the kind of attacks that people will be thinking about,
Internet Explorer seems to
If you don't manually put the http:// or ftp:// etc before a raw IP address, IE 7 and 8 appears to try to do a DNS lookup on it.
So yes, some browsers really do appear to be that stupid.
You might argue that you should also specify the protocol, but did you *really* type "http://www.theregister.co.uk" to get here? Or did you do let your browsers autocorrect figure much or part of that out, like eveybody else.
So whose DNS is it anyway ?
If ICANN were able to dictate the design of DNS resolvers, presumably they could impose resolution of single label DNS queries such as http://nike/ or sales@nike into MX, A or AAAA records. But that isn't how it works. Designers of DNS software, and operating system library designers are very likely to choose to be less obliging for the security reasons described in the otherwise fine article. Tough luck on any marketing droid who reckons a $185K application fee will get them single label names if the software is changed to block resolution of these.
So how long would it take me to edit and recompile gethostbyname() to something which blocks external resolution of single label names if I don't want to let rich single label name marketing wet dreams to compromise my LAN ?
Another approach might be to have the root zone compiled by a more responsible party than ICANN. This zone is a very small file which doesn't change very often, and it doesn't take much effort to write a shell script making use of dig to enumerate the current version. All that would take would be for the relatively few engineers who develop and distribute DNS client and resolver software to agree on a better root zone provider.
Might actually do the same!
Of course means I won't be able to type 'nike' in and go to nike, but then I don't think I've ever even typed nike into the address bar before anyway
I see someone's called the WHAmbulance...
It's the same group of people that's been crowing about the imminent death of IPv4 for the past... 10 (10? 15? something like that) years.
Give it six months and something will get worked out.
I've seen localhost and localdomain on practically every Linux box I've had but If only I could think of where it was I saw .local being used as a domain. Was it myPhone or Mac's Book? Bah, it'll come to me sooner or later, probably along with a thunk to the side of the head.
Seriously, given this is set up as the playground for the wealthy it would behoove the likes of Apple, Microsoft, Red Hat (or a Linux consortium) and others to do something sensible like be first on the list for the domains they use as defaults. That way at least folks will know who is reading their mail... and zeroconfing a peak at all the questionably legal material going about your home network.
The security risk comes a long way down the list of why this is a buck stupid idea entirely designed to make stacks of cash for ICANN.
Why exactly are these morons being given the Internet as their personal cash-cow anyway?
potential for problems here
The problem with IE placing domains into the intranet zone is a real issue. IE will automatically attempt NTLM for any sites in that zone and the zone is simply any site without a dot in the domain name.
When computers are on your internal network they should be using search domains so any lookup for a single word is actually looked up with your domain suffix. Since we're all using domains we own or ones that end in something.local there shouldn't be an issue. Your computer will try appending the search domain first before falling back to looking up just the single word.
XP is passé
"Using a Windows XP SP3 computer, The Register was unable to reach any of the three sites above."
I am proud to report that my super modern OS, Windows 7 SP1 x64 is very happily resolving http://ac/
The older the OS is, the more secure it seems. Any one tried Windows 3.11 yet?
so this is over ..
whether it's "single label" or ".TLD" ?
IOW, using the example, whether it's "@nike" vs "@.nike" or "http://nike" vs "http://www.nike" or having to have some subdomain in the address like all other TLDs ?
really ? .. just don't allow single label to resolve .. all other TLDs require "." , I could care less that it might be required to be @sales.nike or www.nike or shoes.nike to resolve
also .. there are critical .com file extensions in Windows .. how come there isn't a big security problem with that ( other than fools that open an email attachment with .com thinking it's a websile link ;-0)
Critical .com file extensions in Windows.... how com there isn't a big security problem with that....
" I could care less that it mightbe requiredtobe @sales.nikeorwww.nike or shoes.nike to resolve"
You mean you COULDN'T care less.
What you said means the opposite of what you mean.
Unless you expand it to the full "I could care less... but not by very much" ;)
meh ( grammar that )
of course I could care less, and would not have posted about the subject |;-0
The price of vanity?
This expansion of TLDs is a reallly terrible idea.
It seems like a cash cow for milking the same kind of idiots that get off on personalized number plates who somehow think it is cool to advertise their shallowness...
Single word domains will be difficult to recognize as part of netspace without protocol designations.
As for validation, it is already difficult enough to fully validate email addresses, which rely on having at least 1 dot embedded in the domain part, as well as a regexp to make seasoned unix programmers cry.
http://company.com or co.uk, eu, etc do the job perfectly well, are recognizeable and give some clue as to a domains category. For instance, *.info, *.biz, *.tv are just most likely spam sites that can be safely ignored.
Leaking single word domains onto the net is a bad idea - at least a dot gives some kind of defence.
You gotta love it
One of the reasons given for .xxx is that it would make it easier to block porn as you'd just block the TLD.
Next thing we know, could be giving them the ability to resolve if you just type tits into the address bar?
Actually, changed my mind I'm all for it!
Ahh so youre one of *those* halfwits
I run a ligitimate business and when we started up we registered a .info ( we now have the full deck)
Emails bounced, not delivered, unable to use websites because of asshats like you making that assumption. So please take your assumption somewhere else a place it where the sun shineth not.
In all serious enough its a big enough problem with people doing things like that plus a number of high profile websites didnt/do not accept .info as a valid TLD. This is just going to turn into a complete total and utter nightmare. As it is we deprciated the .info for the .ca .co.uk and .com domains we have as they work as they should.
congratulations on your success!
but I would not recommend anyone to start a business with a .info domain and be expected to be taken as seriously as with a reasonable sounding .com domain.
Any new tld provides a land-grabbing opportunity for criminals to get respectable sounding domains, because all the respectable-sounding .coms went years ago, by likely respectable companies.
Blame the spam/trojan/bot industry for sullying and infecting .info et al domains with dangerous shite... My "assumption" is based on the facts as I have seen them - analysis of the hundreds of thousands of spam messages trying (and failing) to get through my systems for the last 15 years.
ac, io and tm
ac, io and tm all work with just the tld under firefox 5 running on Windows 7 as well as on Mac and Ubuntu
Not my finding on Win7/FF5
All typed in full (eg http://ac/), none resolved - instead got ac.com and so on. Can't ping any of them either (host not found).
Wonder what's different?
I just tried the three 2 letter examples that were given and connected without problems using firefox on OS/2
Leave the top domains alone.
If someone can't be bothered to add 4 to 6 letters to address, he certainly won't be bothered to check if security is right.
Why not just prohibit the senistive words from new domains? Or even better, stop ****ing with the internet altogether?
Already too late?
Aren't any of these "security issue" TLDs already an issue with a poisoned DNS server?
Re: Already too late?
The issue there is the poisoned DNS server, not the TLD.
The TLD might exacerbate the problem but it isn't the real issue.
For corporate network, just like you explicitly allow outbound connection to IP's and ports, I would implement a DNS security proxy that will block DNS requests to TLD's that are questionable.
For personal/home users, I'm sure security products will provide some functionality to block DNS that would otherwise be assumed local which in fact direct users outside the current network scope.
Maybe ICANN won't sell these types of sensitive TLD's or most likely any hacker won't have the $100,000 dollars to buy these TLD's, and those that do and subsequently expose users then ICANN or governments will have the power to get that domain blocked.
This isn't half as stupid as the peer to peer DNS idea that was proposed some time ago
Says it all.
“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”
Says it all.
Re: Says it all
Its not just the obvious domains like wpad or localhost.
I've seen companies internally use TLDs such as:
private dhcp boot ftp
Which could all be considered obvious, but how about
beech wilson mint
Which used the names of the buildings the computers where located in as the TLD
Internally, some companies have used pretty much any naming scheme you can think of as the TLD for their internal servers. These will all be at risk.
And what about those of us
who have used .starfleet?
NCC-1701-D.starfleet should resolve to the server and not to some subdomain at a new TLD.
Admittedly, shouldn't have set it up that way but given that originally there was never any possibility of .starfleet becoming a TLD the geek inside me just couldn't resist!
Thanks for all the anti-recommendations
I happen to think that the new TLDs are a dreadful idea, but anyone who had bothered to read the relevant parts of the ICANN draft applicant's guidebook would know that there is no possibility whatsoever of TLDs like the ones discussed in this article being assigned. On page 2-8 it explicitly lists LOCAL and LOCALHOST in a table of reserved names, and on pages 2-9 and 2-10 it describes the DNS Stability Review that is exactly about funky names like these.
So thanks for providing this handy list of people who spout nonsense about DNS "security" without doing even a little bit of reading to see if they know what they're talking about.
Down to the browser & OS, surely?
The browser and OS makers need to distinguish between a local host and a TLD and put in appropriate checks.
Trusting an endpoint just because it doesn't have a domain is a bit risky anyway. If someone connects to a random access point, it can easily have a DNS that resolves mailhost or whatever.
I'd also think that spending over $100k on a TLD would create a paper trail back to any perps - it's a bit like trying to buy a house undetectably.
There's no reason for it to exist any more.
Why bother registering playboy.xxx when you could just own .playboy ???
I personally think they should have gone the other direction; that is remove all of the non country-specific TLDs (.com .net .edu .gov .mobi .biz, etc) and force them into countrycode TLDs: .com.us .net.us, etc.
It's a real dumbass idea (in my opinion) to offer up all these TLDs, and expecting known names to pony up good cash to "protect" their name is tantamount to extortion.
However... Surely if you owned the domain .1 and had people pointed to 127.0.0.1, any decent DNS client would interpret that as a numeric IP and not even bother trying to look it up?
- Twitter: La la la, we have not heard of any NUDE JLaw, Upton SELFIES
- China: You, Microsoft. Office-Windows 'compatibility'. You have 20 days to explain
- Apple to devs: NO slurping users' HEALTH for sale to Dark Powers
- Is that a 64-bit ARM Warrior in your pocket? No, it's MIPS64
- Apple 'fesses up: Rejected from the App Store, dev? THIS is why