Dark Reading is part of the Informa Tech Division of Informa PLC

Domain Names Like .Food May Leave Bad Taste

Symantec, Go Daddy, Trend Micro and other digital certificate authorities raise security, other concerns with ICANN about the pending release of new top-level domain names.

A group of the world's largest digital certificate authorities (CAs) is warning of potentially serious security and networking risks for businesses when Internet domain names ending in the likes of .food or .law soon join .com and other currently available suffixes.

The Internet Corporation for Assigned Names and Numbers (ICANN) is readying the release of thousands of new generic top-level domains (gTLDs). Approved domains could become available as soon as April 23. Therein lies an underlying cause of potential problems, according to DigiCert associate general counsel Jeremy Rowley.

"ICANN is moving a little too fast with these new gTLDs without really giving people time to get ready," Rowley said in an interview.

Rowley is a member of the CA Security Council (CASC) alongside executives from Symantec, Comodo, Entrust, GMO GlobalSign, Trend Micro and Go Daddy. While some Internet stakeholders have focused on marketing, brand and legal issues with the new domain names, CASC is raising its red flags about the common use of "internal names" by businesses when setting up and managing their private networks. These are, in effect, private domain names such as .mail or .corp that aren't currently resolvable using the public domain name system (DNS) -- but could soon be.

When that happens, digital certificate owners and Web server operators could face security problems and other headaches. CAs currently issue digital certificates for these internal domains. But if those same names become available as public gTLDs, the bad guys could get digital certificates for those domains for the purposes of running man-in-the-middle attacks and other security threats.

"Say .corp gets [released as a gTLD] -- a bad guy could go and get the certificate and then use it for an attack against the new gTLD after it becomes operational," Rowley said. While CAs are preparing for such scenarios, the risks still loom.

Beyond the digital certificate issue is a similar set of challenges for Web server operators at large. When their internal names such as .mail or .corp become part of the public Internet, costly networking conflicts and security holes could arise. As once-private domains get public counterparts, email clients, filesharing applications and other services will, to put it plainly, become confused. The only real solution is for administrators to essentially re-architect their networks, a process that could take some organizations several years because of budget, staffing and technical know-how.

"You're asking Web server operators to go in and reconfigure the servers, sometimes buy new hardware, hire brand-new staff and things like that in a very short timeframe," Rowley said.

While once considered a security and networking best practice, the use of internal names such as .corp is set to be wound down over the next several years. The CA/Browser Forum has published guidelines for deprecating internal server names by 2016, and trusted CAs will stop issuing certificates for internal names altogether as of November 2015. Current CA/Browser Forum guidelines will also require CAs to stop issuing certificates for an internal name within 100 days of that name being delegated as a new gTLD. That still leaves a considerable gap between the pending release of thousands of new gTLDs and the planned phase-out of internal names.

While ICANN itself has acknowledged the issue, CASC and others say the organization hasn't addressed the full scope of the potential problems. ICANN did not respond to emailed requests for comment.

PayPal recently sent ICANN a public letter expressing similar unease with the release of new gTLDs. Verisign has also published a letter and report on its own risk findings. PayPal noted that while the use of internal domain names may have been misguided in hindsight, it has been a widespread practice for two decades, often at the recommendation of hardware and software vendors. Moreover, abandoning the use of internal names can, as DigiCert's Rowley pointed out, be an arduous task. "For example, re-naming a Microsoft Active Directory Forest is often operationally impossible," the letter reads.

The PayPal letter continued by outlining the potential networking conflicts and ensuing fallout: "Consider a typical enterprise laptop configured to look for network services ending in .corp. What happens when that system roams to a public network, such as the user's home or a public Wi-Fi hotspot?" PayPal's answer: Dozens of services will start hemorrhaging sensitive corporate and personal data, such as usernames and passwords, network authentication credentials, and other information, if and when .corp and other internal names are released as gTLDs on the Internet.

"The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems," PayPal said.

According to DigiCert's Rowley, the bulk of the potential problems would be mitigated if ICANN postponed the release of four new gTLDs: .ads, .bank, .corp and .mail. That would wipe out 90% of the potential problems in CASC's analysis; the other 10% are easily remediated, in the group's view.

PayPal's list, on the other hand, includes the top 10 current invalid domain queries, such as "local," "localhost" and "home," and focuses on the broader set of networking risks beyond digital certificates. Rowley concurred that those networking challenges will likely be the real burden as new gTLDs start rolling off the assembly line.
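The two audits the article describes, checking a certificate or host inventory for internal names that will collide with new gTLDs, and modelling PayPal's roaming laptop whose resolver appends a .corp search suffix, can be scripted. The Python below is an added example written for this page, not code from CASC, DigiCert or PayPal; the .ads/.bank/.corp/.mail and local/localhost/home lists come from the article, while the small delegated-TLD sample and the class names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Names taken from the article: the four gTLDs CASC wants postponed, and the
# invalid-query names from PayPal's list. Splitting them into two audit classes
# is an assumption made for this example, not something the article specifies.
COLLIDING_GTLDS = {"ads", "bank", "corp", "mail"}
NON_PUBLIC_NAMES = {"local", "localhost", "home"}
# Constructed sample of currently delegated TLDs; a real audit would load the
# IANA root zone list instead of hard-coding a handful.
DELEGATED_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de"}


def classify(name: str) -> str:
    """Classify one hostname (e.g. a certificate SAN) by the risk its TLD carries."""
    name = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "ip-address"          # not a DNS name, no collision possible
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) == 1:
        return "single-label"        # only resolvable via a search suffix
    tld = labels[-1]
    if tld in COLLIDING_GTLDS:
        return "collides"            # private today, public gTLD soon
    if tld in NON_PUBLIC_NAMES:
        return "internal"
    if tld in DELEGATED_TLDS:
        return "public"
    return "unknown-tld"             # internal name not on either list


def audit_names(names):
    """Group an inventory (SANs, hosts files, search domains) by risk class."""
    report = defaultdict(list)
    for n in names:
        report[classify(n)].append(n)
    return dict(report)


def search_suffix_exposure(short_names, search_list):
    """Model the roaming laptop: the stub resolver appends each search suffix to
    a short name, so 'fileserver' becomes 'fileserver.corp', and once .corp is
    delegated that query (and whatever follows it) leaves the enterprise."""
    exposed = []
    for short in short_names:
        for suffix in search_list:
            fqdn = f"{short}.{suffix}"
            if classify(fqdn) == "collides":
                exposed.append(fqdn)
    return exposed
```

Run `audit_names` over the subject names in your issued certificates and `search_suffix_exposure` over the search list pushed to laptops; anything in `collides` is a candidate for the re-architecture Rowley describes.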

"CAs can take care of the certificate problem, and I think we have done so and done so quickly in a way that mitigates the problem," Rowley said. "What we can't take care of is getting the people with these networks to change in what amounts to overnight for them."

The question then is: Who will take care of it? In its report's conclusions, Verisign warned in no uncertain terms against moving forward on blind faith: "Addressing these issues doesn't simply mean publishing a specification and expecting the community to have immediately implemented it and be capable of responding to all operational and security corner cases conveyed therein."

User Rank: Apprentice
4/17/2013 | 4:56:27 PM
re: Domain Names Like .Food May Leave Bad Taste
What do you think?

If that happens, we'll be in the same pain game as others now find themselves.

It would be beyond ridiculous for the top IT purveyors (Microsoft, etc.) to push IT for decades to use internal Domain names such as .local only to have someone like ICANN turn around one day and take that Domain extension Public.
SMB Kevin
SMB Kevin,
User Rank: Apprentice
4/15/2013 | 1:07:03 AM
re: Domain Names Like .Food May Leave Bad Taste
Austin, will you update your clients' networks if .local became a public domain extension?

-Kevin C.
User Rank: Apprentice
4/14/2013 | 5:40:37 PM
re: Domain Names Like .Food May Leave Bad Taste
As a consulting company, we have always used .local for our clients' internal Domain names. Glad we do.

Hands off our .local ICANN!
User Rank: Apprentice
4/14/2013 | 1:33:43 PM
re: Domain Names Like .Food May Leave Bad Taste
As if there aren't already enough Internet security risks. This isn't good and it should only be implemented if all security risks have been eliminated. It looks as if the Internet is becoming more and more unsafe. Look at all those Ddos attacks and the latest attack on Wordpress. See also http://weloveourhost.com/domai... for domain name registration and security.
User Rank: Apprentice
4/13/2013 | 8:52:26 PM
re: Domain Names Like .Food May Leave Bad Taste
happens when that system roams to a public network, such as the user's home or a public Wi-Fi hotspot.
User Rank: Apprentice
4/12/2013 | 2:47:40 PM
re: Domain Names Like .Food May Leave Bad Taste
This is really bad for business. Categorizing domain names has never worked. .com doesn't mean a commercial entity, .net doesn't mean network and .org doesn't mean not for profit. This original idea was not well thought out and there is no global policing organization to make sure people play within a stated domain extension, nor can there be.

A non-categorized domain name system like Simplified Domains with a 3-back system whereby you can enter anything within the browser and the period is placed "3-back" for you is the only way to legitimately expand the system. Simplified was proposed in the late '90s by RMI (Rocky Mountain Internet) and presented to ICANN in LA. Google "simplified domains rmi" to read more about it.

Since the current expansion process has been started, the after market for domain names has tanked. The value of .coms has fallen dramatically and anything else is hard to sell for any price. This is now a rich man's game and consumers are about to be completely confused with the dot this and that strategy.