Secure Computing: Sec-C

It has finally happened. ICANN has approved the first major change to the DNS architecture since RFC-882 (November 1983). Specifically: ICANN has approved arbitrary gTLDs.

DNS uses a hierarchical naming system. The generic top-level domain name (gTLD) defines the category for the name. Historically, these have been limited to ".com", ".org", ".net", and 18 others. Some of the gTLDs are sponsored, like ".aero" for the aerospace industry and ".museum" for museum-related sites.

Along with the gTLDs are country code top level domains (ccTLDs). For example, ".us" for the United States, ".fr" for France, and ".tv" for the island nation of Tuvalu.

The new ICANN decision effectively permits anyone to sponsor a top-level domain.

ICANN See Problems

The wider selection of gTLDs has some great potential for organization. Right now, banks, hotels, and other industries are all grouped in the same gTLD: ".com". Imagine if all financial institutions had to be vetted before being added to the ".bank" gTLD; casinos could be under ".casino" and hotels under ".hotel". This could make it much more difficult for fraud and phishing that relies on domain name impersonation. For example, if the bank's email does not come from a ".bank" domain, then it is much more likely to be a scam.

Unfortunately, there is also plenty of room for abuse -- particularly if the gTLD process is not well vetted. For example:

• If there is no vetting, then we can see lookalike domains, like ".c0m" (with a zero) impersonating ".com" domains, and ".mi1" (with a one instead of an ell) competing with the government's ".mil" domain.
  
  
• Finding good domain name can become significantly more difficult if everyone can register their own gTLD. Right now, it is hard to find a good domain name in the ".com" domain. All the good words are taken -- some by valid companies, and others by cyber-squatters. Imagine how hard it will be if ICANN allows people to register trademark names as TLDs. Suddenly, you won't be able to find a viable TLD to go with your good hostname.
  
  
• There is likely to be a race for phishing sites. Is the hostname "bank.of.america" owned by the real Bank of America or by a phisher? Too bad we cannot assume bad guys will stick to a ".fraud" domain.
  
  
• Malware frequently tries to cloak the executable name. What if someone registers ".exe"? Is "cmd.exe" a program or a hostname, and will it be blocked by your anti-virus system? The same goes for ".bat", ".scr", ".dll" and other executable names. (I'd also list ".sh" for shell programmers, but that is already taken as the country code TLD (ccTLD) for Saint Helena.) And you just know that some idiot will register the gTLD ".html".

Hopefully ICANN will restrict gTLDs to words with multi-person usage. A gTLD like ".usatoday" will have very little use to anyone outside of their company. In contrast, I can understand wanting ".paris" or ".nyc" (for residents of Paris or New York City, respectively). I fully expect to see domains like .sex and .hotel be registered quickly (and probably used in hyperlinks on the same escort web sites). Services, such as .car, .train, .boat, and ubiquitous topics like .home, .rss, and .blog are certain to appear (and probably for a premium price tag). And as one Slashdot commentor remarked: "We are long overdue for a .sucks domain."

While this has a huge potential for abuse, I kind of suspect that nothing will change in the near future. Sure, there will be a fast land-grab for good gTLDs, but the average person will probably stick with ".com".

My God, It's Full of Stars

The one good outcome from ICANN's decision will likely be a reduction in the number of domains that most companies register. If everyone has their own gTLD, then there will be no need to register your name under .com, .net, and .org -- just in case someone tries to compete with your company. For example, Microsoft could get ".microsoft" and release microsoft.com, microsoft.net, microsoft.org, microsoft.info, microsoft.biz, microsoft.us, microsoft.it (Italy), microsoft.ru (Russia), and all of the other variations.

Apart from all of the vectors for abuse (both corporate and fraud), this ICANN decision has the potential for being a really good thing. For example, why should my domain be listed along with every ".com" when it could be listed as a ".forensics" or ".compsci" (computer science) or even ".hacker". And why should I use "nealkrawetz.com" when I could use "nealkrawetz.phd"?

Unfortunately, poor naming management and unenforced rules could quickly ruin this good decision and lead to hostname abuses unlike anything we have seen before. And sadly, ICANN has a long history of poor management, unenforced rules, and slow reaction (if any). For example:

• It took ICANN years to address domain name tasting, where cybersquatters and phishers register domain names for the free trial period (5 days). After the free trial expires, they determine whether the name was good enough to keep. A related abuse, domain kiting, deletes the domain during the 5-day period and then re-registers it. Using this approach, a scammer can hold onto a domain indefinitely and for free. These abuses currently account for as much as 95% of the deleted domain names.
  
  
• ICANN was extremely slow to react to complaints about front running. "Front running" is when a domain registrar permits users to lookup domain names, then quickly registers the names. If you don't buy it immediately, then it gets taken by a cyber-squatter (via the registrar). Companies like Network Solutions have been known to be doing this for over a decade, but it wasn't until 2007 that ICANN began to investigate the complaints.
  
  
• A report by KnujOn found that 90% of all spam sites are registered through ten (10) domain registrars. However, ICANN did not respond to this problem until after KnujOn went public and it was picked up by the mass media.
  
  
• ICANN cannot even be relied on to process complaint requests. While KnujOn was reporting spam domains that were lacking the required valid contact information, KnujOn repeatedly crashed ICANN's database.
  
  
• ICANN cannot even protect their own domain. Just this week ICANN had their domain name hijacked, leading to a web defacement. So far, nobody has managed to hijack a gTLD (as far as I know), but with management of the gTLDs pushed down to less reliable registrars, it is only a matter of time before these get hijacked.

Cross Your Fingers

ICANN's decision to permit arbitrary gTLDs has the potential to be a very good thing. However, it will take a conscious effort to deter abuse.

There are a few steps that ICANN can take to make this a very good thing:

1. Hire a librarian. Every librarian that I have met has a blackbelt in information organization. (Did I mention that I've been to ALA's annual and midWinter conferences more than once?) The biggest problem with the naming system is a lack of organization. It would not be hard for a librarian to identify multiple methods for better organizing DNS. (When I spoke to some librarians about the newsgroup structure "alt.news..." and DNS organization, they were horrified.) Sadly, ICANN seems to be a group of techies -- engineers making engineering decisions that seem good to other engineers but not good for the rest of the world.
   
   
2. Regulate the structure and vet members. If ".bank" is only for financial institutions, then reject non-banks. And if ".org" is for non-profit organizations, then reject anything that is not a registered non-profit. Unfortunately, as ICANN stated when they rejected the ".xxx" gTLD, ICANN is not a regulatory body. I truly expect lawsuits over who can control each custom gTLD (if for no other reason, then conflicting copyrights).
   
   
3. Do not delegate. If ICANN passes the gTLD registration system to certified registrars, then there will certainly be abuse.

While I am hoping for the best, I am expecting the worst. DNS has always had problems, but arbitrary gTLDs have the potential to make a bad situation unbearable.