Latest news of the domain name industry

Recent Posts

It’s official: Verisign has balls of steel

Kevin Murphy, October 18, 2013, 17:21:54 (UTC), Domain Registries

Verisign has spent the last six months telling anyone who will listen that new gTLDs will kill Japanese people and cause electricity grids to fail, so you’d expect the company to be a little coy about its own activities that (applying Verisign logic) endanger life and the global economy.

But apparently not.

Verisign today decided to use the same blog it has been using to play up the risks indicated by NXDOMAIN traffic in new gTLDs to plug its own service that actively encourages people to register error-traffic domains.

The company has launched DomainScope, which combines several older “domain discovery” tools — DomainFinder, DomainScore and DomainCountdown — under one roof.

According to an unsigned corporate blog post, with my emphasis:

DomainScope enables users to discover domain name registration opportunities through learning about the recent history of a domain name, understanding a domain name’s DNS traffic patterns, and knowing which domains are available that are receiving traffic.

That’s right, Verisign is giving malicious hackers the ability, for free, to find out which .com, .net and .tv domains currently receive NXDOMAIN traffic, so that the hackers can pay Verisign to register them and cause mayhem.

I used the service today see what mischief might be possible, and hit paydirt on my first query.

Typing in “mail” as the search query, ordering the results by “Traffic Score” — a 1 to 10 measure of how much error traffic a domain already gets — I got these results:

You’ll notice (click to enlarge if you don’t) that the third result, with a 9.9 out of 10 score, is netsoolmail.net.

That caught my attention for obvious reasons, and a little Googling seems to confirm that it’s a typo of netsolmail.net, a domain Network Solutions uses for its mail servers (or possibly a spam filter).

Network Solutions is of course a top-ten registrar with millions of mostly high-end customers.

So what?

Well, if Verisign’s arguments are to be believed, this poses a huge risk of information leakage — something that should be avoided at all costs in new gTLDs but which is apparently just fine in .com and .net.

Emails set to go to netsoolmail.net will fail today due to an NXDOMAIN response. But what happens when somebody registers that domain (which is likely to happen about 10 minutes after this post is published)?

Do they suddenly start receiving thousands of sensitive emails intended for NetSol’s customers?

Could NetSol’s spam filters all start to fail, causing SOMEBODY TO DIE! from a dodgy Viagra?

I don’t know. No clue. Probably not.

But there’s a risk, right? Even if it’s a very small risk (as Verisign argues), shouldn’t ICANN be preventing Verisign from promoting these domains, maybe using some kind of massive block-list?

Data leakage is important enough to Versign that it was the headline risk it posed in a recent report aimed at getting new gTLDs delayed.

In an August “technical report” entitled “New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis”, somebody from Verisign wrote (pdf):

once delegated, the registrants under new gTLDs have the ability to register specific domains for targeted collisions

This form of information leakage can violate privacy of users, provide a competitive advantage between business rivals, expose details of corporate network infrastructures, or even be used to infer details about geographical locations of network assets or users

What the report fails to mention is that registrants today have this ability, and that Verisign is actively encouraging the practice.

In Yiddish they call what Verisign has done today chutzpah.

In British English, we call it taking the piss.

Tagged: ,

Comments (8)

  1. Rubens Kuhl says:

    I wonder if this violates the agreement provision against front-running or not.

  2. The domain is still available.

    @Rubens: It’s not a registrar registering lookups by users on their website, is it? 😉

  3. Jonathan Zuck says:

    Kevin,
    I guess I’m a little confused. Are you actually equating the external resolution of an established internal url, including one which has associated certificates, with typo squatting? It’s pretty unlikely I have a typo encoded into my legacy software, intranet portal or browser favorites.

    Wasn’t the critical distinction outlined here?
    http://forum.icann.org/lists/comments-name-collision-05aug13/pdfgGgQZ2Oxuv.pdf

    • Kevin Murphy says:

      “Pretty unlikely”, but still possible, right?

    • Kevin Murphy says:

      In the netsoolmail.net example, I think it might actually be quite likely that the typo is encoded into some software somewhere, given that it seems to be a mail infrastructure domain, not really used in places where a human needs to type something (such as a web or email address).

      My main point is that the end result is or could be the same as what Verisign says it thinks will happen with new gTLDs — data leaks to the wrong people.

      If that’s a security problem worth delaying new gTLDs for, why on earth is Verisign helping bad guys do it in its own legacy gTLDs?

    • Rubens Kuhl says:

      Most of the reliability issues Verisign claims can happen with new gTLDs, like people dying, are not tied to internal certificates. The internal certificates is a well-known issue that was dealt with a simple mitigation, the 120-day to revoke them. The same reliability issues can be induced with either previously registered or never registered SLDs.

  4. Collabo says:

    Wow, good catch Kevin. This is definitely a security risk and could easily be taken advantage of. It’s a very easy task to create an email “catch all” for a domain and then gather up confidential emails (with typos).

    Still a pretty neat tool though 😉

  5. In fact this can be performed with almost any domain that was in use earlier, in fact we once connected 2000 of our domains to mx-records and receive daily about 7000 emails (beside 500K spam mesages).

Add Your Comment