Keep an eye on top level domain name chancers

Will ICANN’s new top level domains be safe? Don’t .bank on it, says Nick Booth

Did you know that 50% of SMEs still don’t have a web presence? And of the other half, most of them have a site that’s effectively useless, as it’s a static affair that’s little more than an online brochure.

I’m indebted to hosting giants 1&1 for this information. The organisation has just launched a range of new initiatives to get more businesses online and to help the channel to take care of the day to day running of their customers’ web presence.

1&1’s UK division, Fasthosts, is offering a number of new hosting packages for resellers, systems integrators and designers to help entice customers onto the web. With any luck, that small first step will encourage them to go the whole hog and get their entire business systems hosted for them. 

I can understand why many businesses haven’t taken to the web: it can be very confusing. You go to an agency and ask them how your business can work better online, and they start quoting Ruby On Rails, Perl and Python. Half the time you can’t understand what they’re talking about and the other half they seem to be talking out of their aas.

OK, we have to be open for business 24x7. Got that. This has blurred the lines between the professional and the personal. We understand that, too. But does that mean we all have to talk cobblers for 24 hours a day?

The more sensible people in the channel have gone completely the other way and make all conversations jargon-free. The 24x7 culture has split the IT channel into two distinct camps, with some sounding like they’re never at work and the others sounding like they don’t have a life outside the office.

The situation over the new top level domains (TLDs) is similarly divisive. Some say that the new professional domains, such as .bank, will bamboozle the public and become a con man’s dream. Others say the new domains are a complete waste of time.

There are five major things that happen whenever we see new TLDs show up, predicts Robert Hansen, technical evangelist at WhiteHat Security.

(Hang on: evangelist? I wonder if he’s IT agnostic?)

Phishing is going to increase, he says. “It causes companies to have to investigate an entirely new set of top level domains for phishing sites. People are, for the most part, unaware of what TLDs are or what they are used for, so having a new one just opens the doors for more abuse.”

Bit flipping is another danger. When a domain is close enough (bit-wise) to another domain, sometimes the DNS will point to the wrong location. On a domain level this is bad; on a top level domain this could be catastrophic.

There will also be a rise in domain squatting and typo squatting, he says. There’s a great opportunity for the agile criminal to register a competitive-looking brand, or near-match that can be easily confused with a genuine brand. Expect names ending in .ccom .coom and .comm to start appearing in your inbox.
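A defender-side check for the two lookalike classes described above, single-bit flips and one-character typos such as .ccom, written as an added example that is not part of the original article. The protected list and the sample names are constructed.

```python
# Added example: classify an observed domain (mail sender, link host, DNS log
# entry) against a list of domains the organisation wants to protect.
PROTECTED = ["example.com", "examplebank.com"]  # constructed sample list


def is_bitflip(a: str, b: str) -> bool:
    """True if a and b have equal length and differ by exactly one bit."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a.encode(), b.encode()) if x != y]
    if len(diffs) != 1:
        return False
    x, y = diffs[0]
    return bin(x ^ y).count("1") == 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed: str, protected=PROTECTED):
    """Return (verdict, matched_protected_domain_or_None)."""
    # DNS names are case-insensitive, so a flip of the 0x20 (case) bit
    # normalises back to the legitimate name here.
    observed = observed.lower().rstrip(".")
    if observed in protected:
        return ("legitimate", observed)
    for legit in protected:
        if is_bitflip(observed, legit):  # checked first: narrower than "typo"
            return ("bitflip", legit)
    for legit in protected:
        if edit_distance(observed, legit) == 1:
            return ("typo", legit)
    return ("unrelated", None)


if __name__ == "__main__":
    for name in ["example.ccom", "example.cnm", "example.cam", "contoso.org"]:
        print(name, classify(name))
```

A single-bit flip is also a one-character substitution, so the bit-flip test runs before the edit-distance test to keep the two verdicts distinct.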

Since TLDs can be confused with file extensions, there’s scope for visual confusion too. “Someone with enough cash could register .html or .exe and potentially cause a lot of downstream confusion about what is dangerous and what isn't,” says Hansen.

There’ll be a breakdown in regulation too. Lots of sites use regular expressions to decide what is and isn't a domain before allowing someone to submit anything or processing data. But since the technologies that rely on regular expressions tend to evolve, rather than dynamically update themselves, there is a large potential for things breaking when new TLDs are created.
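The breakage described above, shown as an added example that is not from the original article: two brittle domain patterns of the kind many sites hard-code, next to a check that validates label structure and looks the TLD up in a list that can be refreshed. The patterns, the TLD snapshot and the sample names are constructed.

```python
import re

# Brittle validators (constructed): a fixed TLD list and a length assumption.
LEGACY_FIXED = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org|edu|gov)")
LEGACY_LENGTH = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,4}")

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed snapshot for the demo. In production this set would be reloaded
# periodically from the registry's published TLD list, not edited by hand.
KNOWN_TLDS = {"com", "net", "org", "bank", "museum"}


def legacy_fixed(name: str) -> bool:
    return LEGACY_FIXED.fullmatch(name.lower()) is not None


def legacy_length(name: str) -> bool:
    return LEGACY_LENGTH.fullmatch(name.lower()) is not None


def is_domain(name: str, tlds=KNOWN_TLDS) -> bool:
    """Structural check plus TLD lookup; the regex never encodes TLD names."""
    name = name.lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(LABEL.fullmatch(label) for label in labels):
        return False
    return labels[-1] in tlds


if __name__ == "__main__":
    for n in ["example.com", "example.bank", "example.museum", "example.ccom"]:
        print(f"{n:16} fixed={legacy_fixed(n)} length={legacy_length(n)} "
              f"lookup={is_domain(n)}")
```

The fixed-list pattern rejects a legitimate .bank name, while the length-based pattern accepts the .ccom look-alike and rejects longer TLDs; only the lookup gets all four sample names right.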

That doesn’t sound too encouraging, does it?

There is an argument that top-level domains are redundant now, since these days most people Google their bank and don’t look at the address bar. “It was a good idea once, but that was in 2007 and times have moved on,” says Sean Sullivan, security advisor at F-Secure. “It took ICANN years to act on the idea and it’s now past its time. It would look good on banks’ posters and ads though, so there is a little upside.”

Another security vendor seems to be anticipating a rise in business created by TLDs.

The .bank (and other types of TLDs) will allay some security concerns as users will become familiar with the .bank domain name and recognise it as a legitimate financial address, says Alan Carter, cloud services director at SecureData, but there are inevitably security issues.

“Users don’t always check the URL in a phishing email – at a glance they may see the .bank element and be given a greater sense of security,” says Carter.

Conversely, if a bank does not implement the .bank DNS, does the user stop trusting that bank? During the changeover period it will no doubt be harder for users to decide what is real and what is, for example, a phishing email.

David Harley, senior research fellow for Eset, agrees. “There's potential here for an expansion of such malicious activity.”

At AVG Technologies, director David Haadsma is critical of ICANN’s handling of TLDs. “It’s been easy enough for ICANN to create a new top level domain and make a tidy sum for it in the process, but as the years pass who’s going to regulate and police this confusing domain landscape for trademark, privacy and property issues?”

Yes, I can understand why most small businesses are nervous about getting online.