ICANN Might Cause A Security Nightmare

According to an announcement on January 11, 2012, after more than seven years of planning, the Internet Corporation for Assigned Names and Numbers (ICANN) has initiated a process that could trigger a dramatic expansion of the Internet. Starting on January 12, 2012, ICANN will accept applications for new generic top-level domains (gTLDs). This might sound like a great idea, but it could also be fraught with trouble.

ICANN is the organization that manages and controls the top-level domains of the Internet. They are the ones who make sure that we have .com, .gov, .org, .edu and 18 other gTLDs. This new announcement intends to expand the top-level domains to anything you want, including companies and famous brands. There is an application process and a $185,000 fee to request a name, so not everyone will apply.

ICANN believes this will open up the Internet to more innovation by extending top-level domains to companies and brands and by including words in non-Latin scripts, such as Cyrillic, Chinese or Arabic. So that means I could create a domain called .microsoft or .ford in addition to the existing microsoft.com or ford.com. Unfortunately, this makes it a lot easier to spoof people or run phishing scams. This could be a hacker's dream, and it could cause problems for the legitimate companies.

Here’s why. A hacker or criminal could spoof a known brand by directing people to any site that seems to be legit. It’s bad enough with links in email that send you to a bogus site that looks real, but now the domain name itself could look real. This makes it easy to deliver malware or collect sensitive information like credit card numbers. How do you know what’s legit and what’s not?

This also becomes a problem for companies. They may have to monitor any site that looks like theirs. Currently most companies buy their company name under .com, .org and .net. If they are outside of the United States, they will also buy it under their country-code top-level domain, like .ca or .jp. With this new proposal, companies may have to buy all kinds of domains defensively to ensure no one else can use them. With potentially 1000 new top-level domains available each year, this becomes a costly proposition.
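What that monitoring could look like, as an added example that is not part of the original article: a check that folds each label of a newly observed domain (decoding IDN punycode and mapping look-alike characters) and reports why it resembles the brand. The brand `contoso`, the owned and observed domain lists, the small confusables map and the function names are all constructed for illustration.

```python
import unicodedata

# Small constructed confusables map (Cyrillic/Greek letters, digits -> Latin).
# A real monitor would load the full Unicode confusables data instead.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u03bf": "o",
                             "0": "o", "1": "l"})

def skeleton(label):
    """Fold one DNS label to a comparable Latin form."""
    label = label.lower()
    if label.startswith("xn--"):  # IDN A-label: decode punycode to Unicode
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed A-label: compare it as written
    return unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)

def review(domain, brand, owned):
    """Return the reasons a newly seen domain needs brand-protection review."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return []  # the company's own name or a subdomain of it
    raw = domain.split(".")
    folded = [skeleton(part) for part in raw]
    reasons = []
    if folded[-1] == brand:
        reasons.append("brand-as-tld")  # the brand used as the TLD itself
    for r, f in zip(raw[:-1], folded[:-1]):
        if f == brand:
            reasons.append("brand-under-unowned-tld" if r == brand
                           else "homoglyph-label")
        elif brand in f:
            reasons.append("brand-embedded")
    return reasons

# Constructed sample data: hypothetical brand, owned names and observed names.
BRAND = "contoso"
OWNED = {"contoso.com", "contoso.org", "contoso.net"}
# The brand spelled with Cyrillic 'o' (U+043E), in its punycode A-label form.
IDN = "xn--" + "c\u043ent\u043es\u043e".encode("punycode").decode("ascii")
SEEN = ["www.contoso.com", "login.contoso", "contoso.shop", IDN + ".com",
        "c0ntoso.bank", "contoso-billing.web", "example.org"]

def report():
    """Map each observed domain that needs review to its reasons."""
    hits = {d: review(d, BRAND, OWNED) for d in SEEN}
    return {d: r for d, r in hits.items() if r}
```

Calling `report()` returns only the observed names that need a look, each with the reason it was flagged, so the company's own domains and unrelated names drop out.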

Of course, a company can and should implement authentication and certification services to ensure its customers go to a legitimate site. Anyone doing online transactions already uses HTTPS and certificates, but that may not be enough.

According to a report on NPR, Jon Leibowitz, chairman of the Federal Trade Commission (FTC), took issue with ICANN’s comments that there is pent-up demand for this. “My sense is that a lot of this demand is just absolutely artificial and largely imagined by the ICANN board. We’re an agency that’s required to protect consumers, and from our perspective, this is a potential disaster and we have an obligation … to speak out.”

Last month, the FTC sent ICANN a long letter detailing its concerns, including the potential for an exponential increase in phishing and other scams.  Leibowitz says he is not assured by ICANN’s pledge to self-police or its promises to protect companies from brand infringement. The group’s existing database of website owners, Leibowitz says, already poses problems to law enforcement.

“[There are] websites registered to God, to Mickey Mouse, to Bill Clinton,” he says. “And of course, if you’re a scammer, if you’re in the business of ripping off consumers, why would you give accurate information?”

It will be interesting to see how this plays out, but expanding the Internet domain names like this doesn’t seem like the best idea.  I am all for expanding beyond Latin-based characters and adding more domains, but making things easier for hackers and criminals doesn’t make sense.

 

Photo credit ivanpw
