It seems like there's a new top-level domain (TLD) popping up every time ICANN needs to fill its coffers. Now that there are so many potential Web addresses beyond .com, .net and the other standards, and with management of these domains going to basically the highest bidder, what considerations must be made from a security standpoint?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
The planned introduction of more than 1,900 new generic top-level domain (gTLD) names by the Internet Corporation for Assigned Names and Numbers (ICANN) has triggered a name grab by the world's largest businesses. Organizations can now apply to create any new gTLD that they fancy. ICANN recently released the full list of names for which it's received 1,930 applications, including proposals for domain extensions such as .visa, .toyota, .canon and .mcdonalds. Companies are also seeking control of generic terms, such as .hotel, .pizza and .football. Google has applied for more than 101 domain names, including .search, while Amazon's 76 requests include .video.
These new domains shouldn't be any more vulnerable than the existing ones, and any organization applying for one must demonstrate its ability to meet ICANN's gTLD security, business, operational and technical requirements. Users can be told to look for the company's name at the end of a URL as a sign of legitimacy and to know they're on the right website. However, this is an expensive method for improving security, as each domain application costs $185,000. If ICANN awards generic terms to specific companies, such as .book to Amazon, not everyone using the Internet will automatically know or assume that .book sites belong to Amazon. Also, ICANN allows non-ASCII standard characters to be used in these top-level domain addresses, including Cyrillic, Arabic, Hindi, Chinese and Japanese. I don't think I would be able to distinguish one address in Arabic from another, so the reassurance of who owns an Arabic site would be lost on me. The potential for lost business and customer confusion is real, and the abuse of existing TLDs can, and most likely will, continue.
Enterprises owning and operating a gTLD's registry can set and enforce their own domain registration, control content policy and take corrective measures against non-compliance. However, there's no guarantee that these sites won't get hacked, and it would be easy for users to point the finger of blame solely at the owner if user losses occur. To mitigate such risks, owners may need to establish a separate legal entity to own and operate the gTLD.
Community-based gTLDs such as .bank or .pharmacy present their own challenges. They require cooperation from industry competitors on goals, policies and compliance. Unauthorized sales and channel non-compliance are considerably more difficult within a branded gTLD, but a branded gTLD can't eliminate the threat of phishing completely. Phishers will continue to use spoofed email addresses that appear to be within a brand's gTLD and use other obfuscation techniques to confuse users over which site they are really visiting. By implementing DNS Security Extensions (DNSSEC), a gTLD owner can protect against DNS cache poisoning and pharming attacks, which redirect Internet traffic to unintended locations. DNSSEC is not a cure-all, though; it doesn't protect against DDoS attacks, plus administrators and users still need to guard against spam and phishing attacks.
Monitoring for corporate name abuse must now be extended to a wider universe, and a lot of the security issues are as much to do with branding and legal as IT security. Enterprises need to proactively defend their brand online during the ICANN application process (and beyond) to reduce brand abuse and prevent competitors, both legitimate and illicit, from laying claim to vast and valuable online territory. Roughly 90% of current corporate domain portfolios are comprised of defensive domain registrations. The high price of the entrance fee to apply for a TLD should be a deterrent to cybercriminals, but businesses still need to take precautions.
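One way to extend name-abuse monitoring across new TLDs and non-ASCII scripts, as an added example that is not part of the original article: it reviews a feed of observed domains for the brand under TLDs the company does not control and for internationalized look-alikes. The brand `examplebank`, the owned-TLD set, the small look-alike table and the sample feed are all constructed assumptions.

```python
import unicodedata

# Constructed assumptions, not from the article: the brand label, the TLDs the
# organisation controls, the look-alike table and the observed feed below.
BRAND = "examplebank"
OWNED_TLDS = {"com", "examplebank"}
# Cyrillic/Greek letters that render like Latin ones (deliberately tiny table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u03bf": "o"})

def decode_label(label):
    """Unicode form of a DNS label; xn-- (punycode) labels are decoded."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed ACE label: keep it as seen

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Comparison form: NFKC, lowercase, known look-alike letters folded to Latin."""
    return unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)

def classify(domain):
    """Reasons a domain deserves brand-abuse review (empty list means none)."""
    labels = [decode_label(part) for part in domain.rstrip(".").split(".")]
    tld, names = labels[-1].lower(), labels[:-1]
    reasons = set()
    for name in names:
        if len(scripts(name)) > 1:
            reasons.add("mixed-script")
        if BRAND in skeleton(name) and BRAND not in name.lower():
            reasons.add("lookalike")  # matches the brand only after folding
        elif BRAND in name.lower() and tld not in OWNED_TLDS:
            reasons.add("brand-under-unowned-tld")
    return sorted(reasons)

def ace(name):
    """Encode a Unicode label into the xn-- form that DNS carries."""
    return "xn--" + name.encode("punycode").decode("ascii")

OBSERVED = ["www.examplebank.com", "examplebank.pizza",  # constructed feed
            ace("ex\u0430mplebank") + ".com", "login.examplebank.hotel"]
for observed in OBSERVED:
    print(observed, classify(observed))
```

A production monitor would replace the small table with the full Unicode confusables data and take its feed from zone files or registration logs.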
This was first published in November 2012