Vulnerabilities / Threats
4/11/2013 12:12 PM

Domain Names Like .Food May Leave Bad Taste

Symantec, Go Daddy, Trend Micro and other digital certificate authorities raise security, other concerns with ICANN about the pending release of new top-level domain names.

A group of the world's largest digital certificate authorities (CAs) is warning of potentially serious security and networking risks for businesses when Internet domain names ending in the likes of .food or .law soon join .com and other currently available suffixes.

The Internet Corporation for Assigned Names and Numbers (ICANN) is readying the release of thousands of new generic top-level domains (gTLDs). Approved domains could become available as soon as April 23. Therein lies an underlying cause of potential problems, according to DigiCert associate general counsel Jeremy Rowley.

"ICANN is moving a little too fast with these new gTLDs without really giving people time to get ready," Rowley said in an interview.

Rowley is a member of the CA Security Council (CASC) alongside executives from Symantec, Comodo, Entrust, GMO GlobalSign, Trend Micro and Go Daddy. While some Internet stakeholders have focused on marketing, brand and legal issues with the new domain names, CASC is raising its red flags about the common use of "internal names" by businesses when setting up and managing their private networks. These are, in effect, private domain names such as .mail or .corp that aren't currently resolvable using the public domain name system (DNS) -- but could soon be.

When that happens, digital certificate owners and Web server operators could face security problems and other headaches. CAs currently issue digital certificates for these internal domains. But if those same names become available as public gTLDs, the bad guys could get digital certificates for those domains for the purposes of running man-in-the-middle attacks and other security threats.

"Say .corp gets [released as a gTLD] -- a bad guy could go and get the certificate and then use it for an attack against the new gTLD after it becomes operational," Rowley said. While CAs are preparing for such scenarios, the risks still loom.

Beyond the digital certificate issue is a similar set of challenges for Web server operators at large. When internal names such as .mail or .corp become part of the public Internet, costly networking conflicts and security holes could arise. As once-private domains get public counterparts, email clients, file-sharing applications and other services will, to put it plainly, become confused. The only real solution is for administrators to essentially re-architect their networks, a process that could take some organizations several years because of budget, staffing and technical know-how constraints.

"You're asking Web server operators to go in and reconfigure the servers, sometimes buy new hardware, hire brand-new staff and things like that in a very short timeframe," Rowley said.

While once considered a security and networking best practice, the use of internal names such as .corp is set to be wound down over the next several years. The CA/Browser Forum has published guidelines for deprecating internal server names by 2016, and trusted CAs will stop issuing certificates for internal names altogether as of November 2015. Current CAB Forum guidelines will also require CAs to stop issuing certificates for internal names within 100 days of being delegated as a new gTLD. That still leaves a considerable gap between the pending release of thousands of new gTLDs and the planned phase-out of internal names.

While ICANN itself has acknowledged the issue, CASC and others say the organization hasn't addressed the full scope of the potential problems. ICANN did not respond to emailed requests for comment.

PayPal recently sent ICANN a public letter expressing similar unease with the release of new gTLDs. Verisign has also published a letter and report on its own risk findings. PayPal noted that while the use of internal domain names may have been misguided in hindsight, it has been a widespread practice for two decades, often at the recommendation of hardware and software vendors. Moreover, abandoning the use of internal names can, as DigiCert's Rowley pointed out, be an arduous task. "For example, re-naming a Microsoft Active Directory Forest is often operationally impossible," the letter reads.

The PayPal letter continued by outlining the potential networking conflicts and ensuing fallout: "Consider a typical enterprise laptop configured to look for network services ending in .corp. What happens when that system roams to a public network, such as the user's home or a public Wi-Fi hotspot?" PayPal's answer: Dozens of services will start hemorrhaging sensitive corporate and personal data, such as usernames and passwords, network authentication credentials, and other information, if and when .corp and other internal names are released as gTLDs on the Internet.

"The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems," PayPal said.
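The risk described above, and in the certificate and CAB Forum passages earlier in the article, can be turned into a simple audit an administrator can run against an inventory of internal hostnames. The following is an added example written for this page; it is not code from the article, CASC, DigiCert or PayPal. The TLD sets are small constructed samples standing in for the 2013 public root and for the applied-for strings the article names (not authoritative ICANN data), the issuance cutoff assumes 1 November 2015 because the article gives only the month, and the search-list model is a deliberately simplified version of how a stub resolver expands unqualified names.

```python
"""Audit hostnames for the internal-name / new-gTLD collision risk described
in the article.  Added example; constructed data, not ICANN or CAB Forum data."""
import ipaddress
from datetime import date, timedelta

# Constructed stand-in for TLDs already delegated in the public root (2013).
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "fr"}
# Strings the article names as pending gTLDs, plus "home" from PayPal's list.
PENDING_GTLDS = {"food", "law", "ads", "bank", "corp", "mail", "home"}
# Special-use names reserved by the IETF and not eligible for delegation.
RESERVED_NAMES = {"local", "localhost", "test", "example", "invalid"}

ISSUANCE_CUTOFF = date(2015, 11, 1)   # "as of November 2015"; day is assumed
DAYS_AFTER_DELEGATION = 100           # CAB Forum rule quoted in the article


def tld_of(name):
    """Last label of a DNS name, lower-cased, ignoring any trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def is_internal_name(name):
    """True for a private IP, or a hostname whose TLD is not in the public root.

    This mirrors the article's sense of an 'internal name': something a CA
    could issue a certificate for that public DNS cannot resolve today.
    """
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        return tld_of(name) not in PUBLIC_TLDS


def classify(name):
    """Bucket one name: public, private-ip, reserved, collision or internal.

    'collision' marks the dangerous case: an internal name whose TLD is about
    to become resolvable on the public Internet.
    """
    if not is_internal_name(name):
        return "public"
    try:
        ipaddress.ip_address(name)
        return "private-ip"
    except ValueError:
        pass
    tld = tld_of(name)
    if tld in RESERVED_NAMES:
        return "reserved"          # will never be delegated; safe from collision
    if tld in PENDING_GTLDS:
        return "collision"         # remediate before delegation
    return "internal"              # not public yet, but keep watching ICANN


def search_list_leaks(unqualified, search_list):
    """FQDNs a roaming client would hand to a *public* resolver.

    Models PayPal's laptop: each unqualified service name is expanded with
    every search suffix; the result is a leak if its TLD is pending delegation,
    because off-net the lookup will succeed at a stranger's server instead of
    failing as it does today.
    """
    leaks = []
    for short in unqualified:
        for suffix in search_list:
            fqdn = f"{short}.{suffix.strip('.')}"
            if tld_of(fqdn) in PENDING_GTLDS:
                leaks.append(fqdn)
    return leaks


def last_issuance_date(delegation_iso):
    """Last day (ISO string) a CA may issue for a name under a gTLD delegated
    on `delegation_iso`: the earlier of delegation + 100 days and the
    November 2015 cutoff."""
    delegation = date.fromisoformat(delegation_iso)
    return min(delegation + timedelta(days=DAYS_AFTER_DELEGATION),
               ISSUANCE_CUTOFF).isoformat()


def audit(names):
    """Map each inventoried name to its risk bucket."""
    return {n: classify(n) for n in names}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. SANs pulled from internal certificates.
    sample = ["mail.corp", "intranet.example.com", "fileserver", "10.0.0.5",
              "ad01.local", "payroll.bank", "8.8.8.8"]
    for name, bucket in audit(sample).items():
        print(f"{name:25} {bucket}")
    print(search_list_leaks(["mail", "fileserver"], ["corp", "example.com"]))
    print(last_issuance_date("2013-04-23"))
```

The `audit` output gives a prioritised work list: "collision" entries need renaming or re-homing under a registered domain before delegation, "reserved" entries (the `.local` several commenters mention) are not at risk of delegation, and `search_list_leaks` shows which unqualified names a roaming laptop would expose. `last_issuance_date` applies the article's 100-day rule so a certificate owner can see when renewals under a colliding name will stop being possible.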

According to DigiCert's Rowley, the bulk of the potential problems would be mitigated if ICANN postponed the release of four new gTLDs: .ads, .bank, .corp and .mail. That would wipe out 90% of the potential problems in CASC's analysis; the other 10% are easily remediated, in the group's view.

PayPal's list, on the other hand, includes the top 10 current invalid domain queries, such as "local," "localhost" and "home," and focuses on the broader set of networking risks beyond digital certificates. Rowley concurred that those networking challenges will likely be the real burden as new gTLDs start rolling off the assembly line.

"CAs can take care of the certificate problem, and I think we have done so and done so quickly in a way that mitigates the problem," Rowley said. "What we can't take care of is getting the people with these networks to change in what amounts to overnight for them."

The question then is: Who will take care of it? In its report's conclusions, Verisign warned in no uncertain terms against moving forward on blind faith: "Addressing these issues doesn't simply mean publishing a specification and expecting the community to have immediately implemented it and be capable of responding to all operational and security corner cases conveyed therein."

Comments

AustinIT, 4/17/2013 | 4:56:27 PM
What do you think?

If that happens, we'll be in the same pain game as others now find themselves.

It would be beyond ridiculous for the top IT purveyors (Microsoft, etc.) to push IT for decades to use internal domain names such as .local, only to have someone like ICANN turn around one day and take that domain extension public.
SMB Kevin, 4/15/2013 | 1:07:03 AM
Austin, will you update your clients' networks if .local becomes a public domain extension?

-Kevin C.
InformationWeek
AustinIT, 4/14/2013 | 5:40:37 PM
As a consulting company, we have always used .local for our clients' internal domain names. Glad we do.

Hands off our .local ICANN!
diederik100, 4/14/2013 | 1:33:43 PM
As if there aren't already enough Internet security risks. This isn't good, and it should only be implemented if all security risks have been eliminated. It looks as if the Internet is becoming more and more unsafe. Look at all those DDoS attacks and the latest attack on WordPress. See also http://weloveourhost.com/domai... for domain name registration and security.
davelalande, 4/12/2013 | 2:47:40 PM
This is really bad for business. Categorizing domain names has never worked. .com doesn't mean a commercial entity, .net doesn't mean network and .org doesn't mean not-for-profit. This original idea was not well thought out, and there is no global policing organization to make sure people play within a stated domain extension, nor can there be.

A non-categorized domain name system like Simplified Domains, with a "3-back" system whereby you can enter anything within the browser and the period is placed three characters back for you, is the only way to legitimately expand the system. Simplified was proposed in the late '90s by RMI (Rocky Mountain Internet) and presented to ICANN in LA. Google "simplified domains rmi" to read more about it.

Since the current expansion process was started, the aftermarket for domain names has tanked. The value of .coms has fallen dramatically, and anything else is hard to sell for any price. This is now a rich man's game, and consumers are about to be completely confused with a dot-this-and-that strategy.