Latest news of the domain name industry

Recent Posts

Is the .home new gTLD doomed? ICANN poses study of security risks

Kevin Murphy, May 22, 2013, 09:05:56 (UTC), Domain Tech

ICANN has set up a study into whether certain applied-for new gTLD strings pose a security risk to the internet, admitting that some gTLDs may be rejected as a result.

Its board of directors on Saturday approved new research into the risk of new gTLD clashes with “internal name certificates”, saying that the results could kill off some gTLD applications.

In its rationale, the board stated:

it is possible that study might uncover risks that result in the requirement to place special safeguards for gTLDs that have conflicts. It is also possible that some new gTLDs may not be eligible for delegation.

Internal name certificates are the same digital certificates used in secure, web-based SSL transactions, but assigned to domain names in private, non-standard namespaces.

Many companies have long used non-existent TLDs such as .corp, .mail and .home on their private networks and quite often they obtain SSL certs from the usual certificate authorities in order to enable encryption between corporate resources and their internal users.

The problem is that browsers and other applications on laptops and other mobile devices can attempt to access these private namespaces from anywhere, not only from the local network.

If ICANN should set these TLD strings live in the authoritative DNS root, registrants of clashing domain names might be able to hijack traffic intended for secure resources and, for example, steal passwords.

That’s obviously a worry, but it’s one that did not occur to ICANN’s Security and Stability Advisory Committee until late last year, when it immediately sought out the help of the CA/Browser Forum.

It turned out the the CA/Browser forum, an alliance of certificate authorities and browser makers, was already on the case. It has put in new rules that state certificates issued to private TLDs that match new gTLDs will be revoked 120 days after ICANN signs a contract with the new gTLD registry.

But it’s still not entirely clear whether this will sufficiently mitigate risk. Not every CA is a member of the Forum, and some enterprises might find 120 day revocation windows challenging to work with.

Verisign recently highlight the internal certificate problem, along with many other potential risks, in an open letter to ICANN.

But both ICANN CEO Fadi Chehade and the chair of SSAC, Patrick Falstrom, have said that the potential security problems are already being addressed and not a reason to delay new gTLDs.

The latest board resolution appears to modify that position.

The board has now asked CEO Fadi Chehade and SSAC to “consider the potential security impacts of applied-for new-gTLD strings in relation to this usage.”

The Root Server Stability Advisory Committee and the CA/Browser Forum will also be tapped for data.

While the study will, one assumes, not be limited to any specific applied-for gTLD strings, it’s well known that some strings are more risky than others.

The root server operators already receive vast amounts of erroneous DNS traffic looking for .home and .corp, for example. If any gTLD applications are at risk, it’s those.

There are 10 remaining applications for .home and five for .corp.

Tagged: , , , , , , ,

Comments (3)

  1. This should not be a surprise to anyone. .home and .corp were explicitly on the list of most popular invalid new TLDs as per my article at:

    http://www.circleid.com/posts/20090618_most_popular_invalid_tlds_should_be_reserved/

    nearly 4 years ago, which was then followed up by the the ICANN SSAC in advisory document SAC045:

    http://www.icann.org/en/groups/ssac/documents/sac-045-en.pdf

    which stated, in the conclusion, that “…ICANN should coordinate with the community to identify principles that can serve as the basis for prohibiting the delegation of strings that may introduce security or stability problems at the root level of the DNS.”

    Of course, ICANN staff never created an actual list of reserved TLDs *before* opening up the new TLD process, another sign that they rushed the process.

    • Kevin Murphy says:

      To be fair to ICANN, the cert issue is slightly different to the issue highlighted by your original insight.

      The Guidebook did take the invalid TLD traffic into account, albeit mainly from a stability, rather than security, angle.

  2. Rubens Kuhl says:

    http://tools.ietf.org/html/draft-cheshire-dnsext-multicastdns-02 is a document from 2003 naming .home and .corp as TLDs that shouldn’t be delegated, alongside .intranet, .internal and .private (no application for these).

    This I-D is now an RFC, http://tools.ietf.org/html/rfc6762 , and included .lan somewhere between 2003 and 2013. .home and .corp are strings long known to be problematic.

Add Your Comment