Generic TLDs Threaten Name Collisions and Information Leakage 115
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed."
Another way to look at it: why were they using invalid domains in the first place?
Why not use real domains instead? (Score:4, Informative)
It's much better to use a real domain which you actually own and will remember to renew.
This is a BS article and masks the real issue (Score:5, Informative)
This is a BS article.
The main concern incluse using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.
The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks" feel they have to register their trademarks as domain names with 1000's of registrars. The don't like this.
As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them was born".
So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M
Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.
why were they using invalid domains in the first.. (Score:4, Informative)
Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that
Re:Whats worse.. (Score:4, Informative)
Q: "Why were they using invalid domains in the first place?"
A:Two words: "Active Directory". .corp .labs .legal
Planning a non-Internet accessible directory infrastructure with AD's Internet namespace rooting has commonly resulted in the deliberate planning for alternative, corporate designated roots, by IT departments. I'm not saying it is right or wrong, but I ran across this frequently in years consulting and doing pen/vuln.