Latest news of the domain name industry

Recent Posts

Bit-squatting – the latest risk to domain name owners

Kevin Murphy, July 26, 2011, Domain Tech

Forget phishing, forget cybersquatting, forget typosquatting, high-value domain name owners may have a whole new threat to worry about – “bit-squatting”.

This appears to be the conclusion of fascinating new research to be presented by Artem Dinaburg at the Black Hat and DEF CON hacker conferences in Las Vegas next week.

Defective internet hardware, it turns out, may be enabling a whole new category of typosquatting that could prove worrying for companies already prone to domain name abuse.

According to a summary of Dinaburg’s research, RAM chips can sometimes malfunction due to heat or radiation, resulting in “flipped bits”, where a 1 turns into a 0 or vice-versa.

Because the DNS uses ASCII encoding, a query containing a single flipped bit could actually send the user to a completely different domain name to the one they intended to visit.

To test the theory, Dinaburg appears to have registered the typo domain name mic2osoft.com. While it’s not visually confusing or a likely typo, in binary it is only one bit different to microsoft.com.

The ASCII binary code for the digit 2 is 00110010, which is only one bit different to the lower-case letter r, 01110010.

The binary for the string “microsoft” is:

011011010110100101100011011100100110111101110011011011110110011001110100

and the binary encoding for “mic2osoft” is (with the single changed bit highlighted):

011011010110100101100011001100100110111101110011011011110110011001110100

Therefore, if that one bit were to be accidentally flipped by a dodgy chip, the user could find themselves sending data to the bit-squatter’s domain rather than Microsoft’s official home.

I would assume that this is statistically only a concern for very high-traffic domains, and only if the bit-flipping malfunction is quite widespread.

But Dinaburg, who works for the defense contractor Raytheon, seems to think that it’s serious enough to pay attention to. He wrote:

To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates.

I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.

His conference presentations will also discuss possible hardware and software solutions.

For large companies particularly at risk of typosquatting, the research may also present a good reason to conduct a review of their trademark enforcement strategies.

I’m not going to be in Vegas this year, but I’m looking forward to reading more about Dinaburg’s findings.

The annual Black Hat and DEF CON conferences are frequently the venues where some of the most beautifully creative DNS hacks are first revealed, usually by Dan Kaminsky.

Kaminsky is not discussing DNS this year, judging by the agendas.

The conferences were founded by Jeff Moss, aka The Dark Tangent, who joined ICANN as its chief security officer earlier this year.

Why we won’t see dotless domain names

Kevin Murphy, July 20, 2011, Domain Tech

Will http://google ever work?

Will any of the hundreds of .brand gTLDs expected to be approved by ICANN in its first round of new top-level domains resolve without dots?

Will users be able to simply type in the name of the brand they’re looking for into their browser’s address bar and have it resolve to the company’s official site?

Probably not, according to the experts.

ICANN’s Applicant Guidebook answers this question, but you need to know where to look, and to know a little about DNS records, to figure it out what it actually says.

Section 2.2.3.3 of the Guidebook (page 75 of the May 30 PDF) provides a list of the permissible contents of a new gTLD zone.

Specifically not allowed are A and AAAA records, which browsers need in order to find web sites using IPv4 and IPv6 respectively.

“To facilitate a dotless domain, you would need to place an A or a AAAA record in the zone, and these are not on the list of permitted record types,” said Kim Davies, root zone manager at IANA. “The net result is a default prohibition on dotless domains.”

Applicants may be able to obtain A/AAAA records if they specifically ask for them, but this is very likely to trigger an Extended Evaluation and a Registry Services Review, according to Davies and the Guidebook.

There’s an additional $50,000 fee for a Registry Services Review, with no guarantee of success. It will also add potentially months to the application’s processing time.

(Incidentally, ICANN has also banned DNS “wildcards”. You cannot have an infinite SiteFinder-style catch-all at the second level, you need to allocate domain names individually.)

Applicants that successfully obtain A/AAAA records, enabling dotless domains, would face a far greater problem than ICANN’s rules – endpoint software probably won’t support them.

“As it stands, most common software does not support the concept,” Davies said. “There is a common assumption that fully qualified domain names will have at least one dot in them.”

You can type IP addresses, host names, domain names or search terms into browser address bars, and dots are one of the ways the software figures out you’re looking for a domain.

You can test this today. There are already a handful of top-level domains, probably fewer than 20 and all ccTLDs, that have implemented an A record at the TLD level.

On some platforms, you may be able to get URLs such as http://io and http://ac to work.

They don’t revolve on any Windows 7 browser I’ve tested (Firefox/IE/Chrome), but I’d be interested in hearing your experiences, if you’d be so good as to leave a comment below.

Given the lack of software support, it may be a poor use of time and resources to fight ICANN for a dotless gTLD that most internet users won’t even be able to resolve.

According to a recent CircleID article by Paul Vixie, chairman of the Internet Systems Consortium, many browsers treat domains without dots as local resources.

Only if the browser’s “DNS search list” cannot find a local resource matching the dotless TLD will it then go out to the internet to look for it.

In some organizations, a local resource may have been configured which matches a new gTLD. There may be a local server called “mail” for example, which could clash with a .mail gTLD.

A recent article in The Register quoted security people fretting about what would happen if a malicious hacker somehow persuaded ICANN to approve a string such as .localhost or .lan.

These worries appear to be largely reliant on an erroneous belief that getting your hands on a gTLD is going to be as simple as registering a domain name.

In reality, there’s going to be months of technical evaluation – conducted in a fish-bowl, subject to public comment, applicant background checks and, in the case of a request for A records, the aforementioned Registry Services Review – before a gTLD is approved.

If everything works according to plan, security problems will be highlighted by this process and any gTLDs that would break the internet will be caught and rejected.

So it seems very unlikely that we’re going to see domains without dots hitting the web any time soon.

Domain names are designed to help people find you. Dotless domains today will not do that, even if ICANN does approve them.

Firm offers .xxx trademark checks

Kevin Murphy, July 7, 2011, Domain Tech

We’ve seen domain “reservation” services and “preregistration” services, now the soon-to-launch .xxx top-level domain is getting a pre-sunrise trademark verification service.

Trademark Fact Check is a new offering from EnCirca president Tom Barrett and Mark Kudlacik, formerly of NetNames and now president of Checkmark Network.

It’s an automated tool for checking whether a trademark will qualify for the .xxx sunrise period – and the sunrise periods of other new gTLDs – according to the service’s web site.

The output, among other things, consists of a list of domain names you qualify to register in the sunrise.

It supports about 30 national jurisdictions.

Checks will cost $10 a pop, but Barrett and Kudlacik think they can save applicants money.

If a sunrise application is rejected due to a filing error, the only option is to pay again to file again, which for .xxx is likely to cost at least $200 with the cheapest registrars.

There’s a money back guarantee if Trademark Fact Check says an application will pass and it does not.

I’m not sure how much of a market there will be for this kind of thing when the new gTLDs start to launch in 2013 and sunrise trademark validation will be largely handled by the Trademark Clearinghouse.

Firefox gives greater visibility to domains

Kevin Murphy, June 27, 2011, Domain Tech

Mozilla has reportedly dropped the http:// from the address bar in the latest pre-release version of the Firefox browser, in order to make the domain more prominent.

The changes, spotted over at ConceivablyTech, would also remove the trailing slash from URLs and present everything other than the top and second level of the domain in gray text.

So instead of

http://www.example.com/

you’d see something like

www.example.com

Google Chrome already does something similar, although it presents the lower levels of the domain in the same shade text as the top two.

The blog reported that the https:// will continue to be displayed for encrypted pages.

Earlier this year, Google was reported to be working on a Chrome UI that dropped the address bar altogether, which struck me as one of the more idiotic ideas — from a choice of many — to come out of the company.

Find domain keywords with new VeriSign apps

Kevin Murphy, June 10, 2011, Domain Tech

VeriSign has released a suite of cute applications for visualizing keywords mined from newly registered domain names.

DomainView has been around for a few months as a tag cloud on the VeriSign web site, but it’s now also an embeddable web widget and a scrolling ticker plug-in for Firefox and Chrome browsers.

The service samples recently registered .com and .net domains for recurring keywords, and spits those keywords back out, along with a short list of related domains that are available to register.

The company is planning to release an iPhone app in the near future, and there’s an API for developers to use today.

I’ve installed the ticker. It’s a nice idea, but it does get a bit distracting after a few minutes. Thankfully, it can be hidden through the options menu.

You can find the new applications here.