Latest news of the domain name industry

Recent Posts

Research finds homograph attacks on big brands rife

Kevin Murphy, January 22, 2018, Domain Tech

Apparent domain name homograph attacks against major brands are a “significant” problem, according to research from Farsight Security.

The company said last week that it scanned for such attacks against 125 well-known brands over the three months to January 10 and found 116,113 domains — almost 1,000 per brand.

Homographs are domains that look like other domains, often indistinguishable from the original. They’re usually used to phish for passwords to bank accounts, retailers, cryptocurrency exchanges, and so on.

They most often use internationalized domain names, mixing together ASCII and non-ASCII characters when displayed in browsers.

To the naked eye, they can look very similar to the original ASCII-only domains, but under the hood they’re actually encoded with Punycode with the xn-- prefix.

Examples highlighted by Farsight include baŋkofamerica.com, amazoṇ.com and fàcebook.com

Displayed as ASCII, those domains are actually xn--bakofamerica-qfc.com, xn--amazo-7l1b.com and xn--fcebook-8va.com.

Farsight gave examples including and excluding the www. subdomain in a blog post last week, but I’m not sure if it double-counted to get to its 116,113-domain total.

As you might imagine, almost all of this abuse is concentrated in .com and other TLDs that were around before 2012, judging by Farsight’s examples. That’s because the big brands are not using new gTLDs for their primary sites yet.

Farsight gave a caveat that it had not generally investigated the ownership of the homograph domains it found. It’s possible some of them are defensive registrations by brands that are already fully aware of the security risk they could present.

After long battle, first Bulgarian IDN domain goes live

Bulgarians finally have the ability to register domain names in their native Cyrillic script, after years of fighting with ICANN.

The domain Имена.бг, which translates as “names.bg” went live on the internet this week, according to local reports.

Bulgaria was one of the first countries to ask for a internationalized domain name version of its ccTLD, almost seven years ago, but it was rejected by ICANN in 2010.

The requested .бг was found too similar to Brazil’s existing Latin-script ccTLD .br. Evaluators thought the risk of phishing and other types of attacks was too high.

The requested string didn’t change, but ICANN processes were adapted to allow appeals and a new method for establishing similarity was established.

On appeal, .бг was determined to be less prone to confusion with .br than existing pairs of Latin ccTLDs are with each other, ergo should be approved.

Имена.бг does not yet directly resolve (for me at least) from the Google Chrome address bar. It’s treated as a web search instead. But clicking on links to it does work.

The new ccTLD, which is .xn--90ae in the DNS, was delegated last week.

The registry is Imena.bg (which also means “names.bg”), based in Sofia and partially owned by Register.bg, the .bg registry.

Despite the long battle, the success of .бг is by no means assured. IDNs have a patchy record worldwide.

It’s true that Russians went nuts for their .рф (.rf for Russian Federation) ccTLD during its scandal-rocked launch in 2010, but Arabic IDNs have had hardly any interest and the current boom in China seems to be largely concentrated on Latin-script TLDs.

.бг is expected to open for general registration in the fourth quarter.

I guess we’ll have to wait until at least next year to discover whether the concerns about confusion with .br were well-founded.

IDN .com hits the root

Eleven variants of .com and .net in non-Latin scripts joined the internet today.

Verisign’s whole portfolio of internationalized domain name new gTLDs were added to the DNS root at some point in the last 24 hours, and the company is planning to start launching them before the end of the year.

But the company has been forced to backtrack on its plans to guarantee grandfathering to thousands of existing [idn].com domains in the new domains, thereby guaranteeing a backlash from IDN domainers.

The eleven gTLDs are: .कॉम, .ком, .点看, .คอม, .नेट, .닷컴, .大拿, .닷넷, .コム, .كوم and .קוֹם. Scripts include Arabic, Cyrillic and Hebrew.

Verisign signed registry agreements with ICANN back in January, but has been trying to negotiate a way to allow it to give the owners of [idn].com domains first rights to the matching domain in the “.com” in the appropriate script.

The company laid out its plans in 2013. The idea was to reduce the risk of confusion and minimize the need for defensive registrations.

So what happened? Trademark lawyers.

Verisign CEO Jim Bidzos told financial analysts last week that due to conversations with the “community” (read: the intellectual property lobby) and ICANN, it won’t be able grandfather all existing [idn].com registrants.

All of the new IDN gTLDs will be subject to a standard ICANN Sunrise period, which means trademarks owners will have first dibs on every string.

If you own водка.com, and somebody else owns a trademark on “водка”, the trademark owner will get the first chance to buy водка.ком.

According to SeekingAlpha’s transcript, Bidzos said:

Based primarily on feedback from domain name community stakeholders, we have revised our IDN launch strategy. We will offer these new IDN top-level domains as standalone domain names, subject to normal introductory availability and rights protection mechanisms, available to all new gTLDs. This revised approach will not require ICANN approval and is designed to provide end users and businesses with the greatest flexibility and, for registrars, a simple and straightforward framework to serve the market.

Finally, we believe this approach should provide the best opportunity for increased universal acceptance of IDNs. We expect to begin a phased rollout of the IDNs towards the end of this year, and we’ll provide more information on our launch plans when appropriate.

Senior VP Pat Kane added on the call that the grandfathering provisions, which would have required ICANN approval, have been “taken out”.

The question now is whether Verisign will introduce a post-sunrise mechanism to give rights to [idn].com.

That would not be unprecedented. ICM Registry ran into similar problems getting its grandfathering program for .porn approved by ICANN. It wound up offering a limited, secondary sunrise period for existing .xxx registrants instead.

Bulgaria looking for an IDN registry operator

The Bulgarian government is looking for a company to run the registry for its recently awarded .бг internationalized domain name.

.бг is the Cyrillic equivalent of .bg, the nation’s existing ccTLD.

After a tortuous battle through ICANN’s IDN ccTLD Fast Track process — where it was repeatedly rejected for looking too much like Brazil’s .br — the string was finally approved after an appeal last October.

The RFP is being carried out by the Ministry of Transport, Information Technology and Communications and will be open for the next 90 days.

MTITC says the winner will be registry whose proposal most closely adheres to a “principles and requirements” document, which is currently a dead link on the ministry web site.

There’s no government money on offer, but the winner will be supported in its request to IANA for delegation of the TLD.

I gather that the bidding is open to any European Union company.

Verisign lays out ‘buy once’ IDN gTLD plans

Verisign has finally clarified how it proposes to let existing registrants of internationalized domain names grab the matching domains in its 12 forthcoming IDN gTLDs.

The company has applied for transliterations of .com in nine non-Latin scripts and .net in three, but its applications were light on details about existing registrants’ rights.

But today Verisign senior vice president Pat Kane outlined precisely how name allocations will be handled.

At first glance it sounds like good news for existing IDN registrants, particularly domainers whose investments in IDN .com and .net domains are about to become much more valuable.

If you already own a .com domain that is an IDN at the second level, you will have exclusive rights to that IDN string in all other .com transliterations, but not .net transliterations.

That works the other way around too: if you own the IDN .net domain, you get the matching second level in all of Verisign’s .net transliterations.

Owning the Chinese word for “beer” in Latin .com would not give you rights to the Thai word for “beer” in the Thai transliteration of .com, but you could buy the Chinese equivalent.

The rules seem to apply to future registrations too.

You could register the Hebrew for “beer” in the Hebrew transliteration of .com and you would also get the exclusive right to that Hebrew string in Latin .com.

There would be no obligation, and you wouldn’t lose your right to register matching domains if you chose not to immediately exercise it, Kane said. He wrote:

Two primary objectives in our strategy to implement new IDN gTLDs are, where feasible, to avoid costs to consumers and businesses from purely defensive registrations in these new TLDs, as well as to avoid end-user confusion.

It all sounds pretty fair to me, based on Kane’s blog post.

There’s a hint that trademark rights protection mechanisms may complicate matters, which has apparently been discussed in a letter to ICANN, but if it’s been published anywhere I’ve been unable to find a copy.

  • Page 1 of 2
  • 1
  • 2
  • >