Slashdot Mirror


ICANN Domain Expansion Could Increase Phishing

Orome1 writes "The ICANN board gave final approval to what some are calling 'the most dramatic change to the Internet in four decades,' allowing the expansion of new TLDs. Some argue this ICANN initiative could force a land grab of domains by businesses to protect their company reputation. However, they aren't the only ones who are likely to try to snag these new top-level domains. There's a very legitimate concern that cybercriminals could also seek these new domains to create legitimate-looking websites using well-known brand names. These can then be used for phishing attacks or delivery of Trojan malware to unsuspecting visitors."

142 comments

  1. First TLD to go? by Flyerman · · Score: 1

    .bank .banking .finance .lending .mortgage .ach

    1. Re:First TLD to go? by archer, the · · Score: 1

      Nope. Trojans on .trojan!

    2. Re:First TLD to go? by kpoole55 · · Score: 1

      it would be more like .rbc, .td, .scotia, .cibc, that sort of thing in Canada and maybe .citibank, .usbank, or some such in the US.

    3. Re:First TLD to go? by sarysa · · Score: 1

      Close, but my predictions for frontrunners (on the same line of thought): .viagra .cialis ...

      --
      Charisma is the measure of someone's ability to lie with a straight face.
    4. Re:First TLD to go? by Anonymous Coward · · Score: 5, Funny

      Obviously phishing sites should be using the .con TLD: citibank.con, barclays.con etc. Truth in advertising and cunning typo-squatting at the same time!

    5. Re:First TLD to go? by robot256 · · Score: 1

      I'm sure somebody would appreciate a TLD for condoms...

    6. Re:First TLD to go? by jperl · · Score: 1

      I would guess .shop

    7. Re:First TLD to go? by archer, the · · Score: 1

      Unfortunately, I actually meant computer trojans, not the prophylactic.

    8. Re:First TLD to go? by houstonbofh · · Score: 1

      Better would be .c0m as with caps (which are disregarded) it is almost unnoticeable. .C0M

    9. Re:First TLD to go? by Anonymous Coward · · Score: 0

      sex

    10. Re:First TLD to go? by Anonymous Coward · · Score: 0

      Wouldn't it be Trojans on .troy?

    11. Re:First TLD to go? by flimflammer · · Score: 1

      It was said earlier that each gTLD to be sold will be manually handled and the registrant needs to prove that they have legitimate claim to the name, not to mention there is like a $200k price tag. So I have my doubts that many phishing sites will be getting them.

    12. Re:First TLD to go? by joebok · · Score: 2

      I've already got a lock on .TrustMe

    13. Re:First TLD to go? by digitig · · Score: 1

      And the first turf wars will probably be over .cola

      --
      Quidnam Latine loqui modo coepi?
    14. Re:First TLD to go? by Anonymous Coward · · Score: 0

      Plus even if you do get it, you'd still have to beat phishing site detectors. IE9 is anything but unobtrusive when you visit a known phishing site, and scammers paying that premium is bound to attract a lot of attention - and get themselves blocked, fast.

    15. Re:First TLD to go? by mjwalshe · · Score: 1

      actually it is nearly $200k to apply not counting the cost of the application and the cost to run a robust infrastructure - from experience with .coop they will mandate multiple redundant servers in 4 continents probably.

    16. Re:First TLD to go? by makubesu · · Score: 1

      Personally I think the real citibank should get the .con tld.

    17. Re:First TLD to go? by Anonymous Coward · · Score: 0

      .corn

      Nuff said.

    18. Re:First TLD to go? by maxwell demon · · Score: 1

      To piss off AVM, get "box" :-)

      Explanation: Every FritzBox can be accessed locally using the domain name "fritz.box" - which of course implies that this would clash with a public TLD named "box". And since AVM almost certainly doesn't have a trade mark on "box", they couldn't even sue you for it (they might be willing to buy it, though).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    19. Re:First TLD to go? by Flyerman · · Score: 1

      that's a bit like someone buying local, which I hope is protected, good god.

    20. Re:First TLD to go? by Anonymous Coward · · Score: 0

      I'd prefer .corn -- google.corn, facebook.corn.... the IDN homograph attacks like ".cm" are nice, but don't reliably work in browsers anymore: http://en.wikipedia.org/wiki/IDN_homograph_attack

    21. Re:First TLD to go? by Anonymous Coward · · Score: 0

      Obviously phishing sites should be using the .con TLD: citibank.con, barclays.con etc. Truth in advertising and cunning typo-squatting at the same time!

      How about GOV.con

  2. As stated in the original story: by Luniz · · Score: 5, Informative

    "It will cost $185,000 to apply, and individuals or organizations will have to show a legitimate claim to the name they are buying." I do not think that Peggy will be able to set up .discovercard :p

    1. Re:As stated in the original story: by Anonymous Coward · · Score: 1

      I agree: this article is the epitome of FUD. Fear and uncertainty in title: "could increase phishing [emphasis mine]." Doubt from a lack of information from the proponents of the change. TFA was written with a very one-sided point of view, giving no indication that anyone had any thoughts about the potential problems. Does the article writer really think that the 13-1 vote was made by people who hadn't thought about all the potential problems and solutions to said problems?

    2. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      Does the article writer really think that the 13-1 vote was made by people who hadn't thought about all the potential problems and solutions to said problems?

      As a matter of fact, they haven't. The only reason ICANN went through with this was that its head is soon to retire and he wanted to be remembered. The decision to allow this is the worst decision ICANN has ever made.

    3. Re:As stated in the original story: by localman57 · · Score: 1

      Why?

    4. Re:As stated in the original story: by Konsalik · · Score: 2

      Agree, also it will cost $25,000 per annum on top of that. I think people are jumping on the "this is bad" idea before reading all the facts. Go read this. Spending $200,000 and waiting 9-20 months just to get it taken down a week later isn't worth it, even for high rolling criminals.

    5. Re:As stated in the original story: by Xest · · Score: 5, Interesting

      Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found millions?

    6. Re:As stated in the original story: by Inda · · Score: 4, Insightful

      Coke and hookers, my friend. Coke and hookers.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    7. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      Does the article writer really think that the 13-1 vote was made by people who hadn't thought about all the potential problems and solutions to said problems?

      Have you ever seen the US Congress? haha. yes, I know ICANN is not US Congress. For now, let the sheep fear the million dollar waving cyber criminals.

    8. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      OK, so even if I grant you that, how do you explain the other 12 votes? I mean, it is hard to argue with your well thought out list of reasons as to why this is a bad idea, but I'll give it a shot: This is a good idea.

    9. Re:As stated in the original story: by HuckleCom · · Score: 2

      Does everyone seriously think the cost will remain the same?
      What happens when a company/brand goes belly up and the TLD is auctioned off?
      Most of us don't trust ICANN as far as we can throw, this move is just point in case, the restrictions will loosen.

    10. Re:As stated in the original story: by N0Man74 · · Score: 1

      Indeed, I came here to say the same thing. First of all, it has an absurdly high cost of $185,000. That is a price that is going to discourage even many large legitimate corporations, let alone cybercriminals that could be just throwing the money away once their TLD becomes blacklisted.

      Secondly, this application *does* have a vetting process to ensure that you have the right to the domain name you are requesting.

      Complete FUD.

    11. Re:As stated in the original story: by UnknowingFool · · Score: 1

      Hookers and blow?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    12. Re:As stated in the original story: by TrueSatan · · Score: 1

      $185,000 is the initial charge they quoted but also with an ongoing predicted charge of a further $100,000 p.a. which, if anything, will increase over time.

    13. Re:As stated in the original story: by Lumpy · · Score: 1

      Putting the final parts in place at the base on skull island for the earth core bomb?

      What? It's easy to assume that ICANN is evil, just look at their past.

      --
      Do not look at laser with remaining good eye.
    14. Re:As stated in the original story: by Rary · · Score: 3, Insightful

      The article may be FUD, but the whole idea is pointless. What value would a new TLD add to the Internet anyway? For that matter, what value do the existing TLDs add to the Internet? If they were actually used properly, and therefore had any meaning, then they would add value. But they aren't used properly, and hence have absolutely no meaning. They should be abolished completely. Why do I need to type "slashdot.org" (or "slashdot.com", or "slashdot.net", which all take me to the same place). Why not just type "slashdot"? What value does having ".org" (and ".com" and ".net") introduce, other than generating more revenue for the domain registrar?

      This was introduced for one reason: to put $185,000 per TLD into ICANN's pocket, and generate additional revenue for domain registrars.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    15. Re:As stated in the original story: by Qzukk · · Score: 1

      The money isn't in using the TLD yourself, the money is in buying the TLD then reselling it to spammers and phishers.

      That's what I'd do if I registered .c0m, anyway. Why dirty my own hands if someone else is willing to pay me to let them dirty theirs?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    16. Re:As stated in the original story: by kvezach · · Score: 2

      And blackjack.

    17. Re:As stated in the original story: by jfengel · · Score: 1

      The original TLDs are a quaint historical artifact, from a gentler time on teh intarwebz. It established a few spheres of control, but it wasn't particularly well thought out, but they weren't expecting the kind of land rush in domain names. This was back when they thought that 4 billion IP addresses was an absurdly large number, orders of magnitude more than would ever be needed.

      It got famous all at once, and it quickly became apparent that it was mostly absurd. "dot-com" became synonymous with the web, a meaningless semantic particle in 99% of cases.

      Still, it's there in every URL, and you can't live without it. I don't blame large companies for trying to do away with it, at least for themselves. I'm glad they've put a high price on it. It at least keeps out the riff-raff.

      That's actually no small thing. The great thing about a .edu address is that there's a gatekeeper. .cocacola is going to be a small fee out of Coke's budget, and it can't possibly be an attack site or spammer. (Well, unless they've been careless with their servers, but that's not a problem you can solve with DNS.)

    18. Re:As stated in the original story: by tlhIngan · · Score: 1

      Exactly. Think of all the misspellings you could buy - .comm, .coom, .cm, etc.

      Not to mention if your bank buys .bankofamerica it's just as likely some phisher may buy a regular domain as well - .bankofamerica looks the same to most people as .bankofamerica.pl or other thing soon enough.

      Or hell... buy .html and .htm. Then you can have www.bankofamerica.com.index.html and people won't notice the '/' was replaced with '.'.

      There's a lot of potential in this, really.

    19. Re:As stated in the original story: by bigredradio · · Score: 1

      Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found millions?

      Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found billions?
      Fixed that for you.

    20. Re:As stated in the original story: by Relayman · · Score: 1

      For a scammer, $185k is pocket change. I can justify spending that on any number of TLDs. At $35 per year per name, you only need to sell 5,300 domain names to recoup your investment. At an ongoing cost of $25,000, you would have money in the bank.

      --
      If I used a sig over again, would anyone notice?
    21. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      In fact, forget about the TLD. Ahh, screw the whole thing.

    22. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found billions?

      Taking grammar lessons?

    23. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      Of course, they follow the morality of reason -- that it is right to pursue one's own happiness as one's principal goal in life.

      Yes, they will wisely spend the money on hookers and blow.

    24. Re:As stated in the original story: by Anonymous Coward · · Score: 0

      In fact, forget the coke! And the blackjack!

    25. Re:As stated in the original story: by kmoser · · Score: 1

      By that logic, the owner of couchsurfing.org has a legit claim to the ".localhost" TLD.

    26. Re:As stated in the original story: by shpoffo · · Score: 1

      The real question is whether the Slashdot crew will finally have the dot.dot domain?

      Why so silent? ;>

  3. Trademarked Domains by Marc Madness · · Score: 2

    Seems to me that the threat of phishing can be mitigated by requiring the entity registering the domain name to show proof that the name in the *.brand is in fact a registered trademark. Of course, I could just be taking an oversimplified look at the problem.

    1. Re:Trademarked Domains by Marc Madness · · Score: 1

      I should also add, that they have to also prove that they own said trademark (just in case that wasn't clear). My bad for omitting that detail.

    2. Re:Trademarked Domains by gstoddart · · Score: 1

      Seems to me that the threat of phishing can be mitigated by requiring the entity registering the domain name to show proof that the name in the *.brand is in fact a registered trademark.

      I plan on mitigating this by treating every single one of these new TLDs as if they're likely to be scams, and not visiting them. No more than I will click on a link ending in .ly -- I have no idea of what it is, and I have no trust in the domain.

      I have no interest in vetting a crapload of new domain extensions, and I will likely simply refuse to follow a link into anything which goes outside of the ones I'm familiar with now.

      While I'm sure ICANN will be happy to rake in the $185K for each of these, I simply can't see why this actually improves anything on the internet ... it just gives yet another source of confusion for identifying legitimate web sites.

      Do we need a .cocacola TLD? And if so, why?

      --
      Lost at C:>. Found at C.
    3. Re:Trademarked Domains by _0xd0ad · · Score: 1

      Exactly - the people who know will treat the new TLD with suspicion, and the people who don't know will frankly just be oblivious anyway unless/until their browser displays a big scary warning instead of the web site they tried to click on.

    4. Re:Trademarked Domains by bigredradio · · Score: 1

      I plan on mitigating this by treating every single one of these new TLDs as if they're likely to be scams

      Really?

      Right now it costs very little to register a domain name. Names can be altered to attempt to fool people such as mybank.com.cn?id=123451235123451234&asdfasd=sadfasd. But if it takes over 100K to register a name and show proof you have legitimate rights to the name, it would almost seem safer. Especially when it comes to banking applications. For banking, shopping, etc, it would seem the future is not about going to a web page anyway, but using your 'app' to conduct business. This could be hardcoded to use the TLDs the company owns to better provide a secure channel. There is nothing that stops app developers from hardcoding mybank.com, but there could be bandwidth and routing advantages.

    5. Re:Trademarked Domains by VJ42 · · Score: 1

      No more than I will click on a link ending in .ly -- I have no idea of what it is, and I have no trust in the domain.

      .ly is just the ccTLD for Libya, nothing particularly sinister about it any more than .us, .uk, .au, .ie, .nl, .de, .it, .in, .cn, and so on.

      --
      If I have nothing to hide, you have no reason to search me
  4. Oooh, phear the phishing by s.d. · · Score: 4, Interesting

    Yes, any change to how the internet works could increase phishing. But at $185,000 per application for a new TLD, as well as having each application reviewed by a human or committee, this isn't going to be like automating the registration of .com addresses so that in an afternoon, you can register every misspelling of bankofamerica. By no means do I have blind faith in them, but I feel like ICANN will be pretty sure to not allow some random dude in eastern Europe to register .bank.

    Yes, yes, everything can increase the risk of cancer in lab rats, and everything increases the risk of phishing, but the barrier for entry is set relatively high here.

    1. Re:Oooh, phear the phishing by 140Mandak262Jamuna · · Score: 1

      By no means do I have blind faith in them, but I feel like ICANN will be pretty sure to not allow some random dude in eastern Europe to register .bank.

      No not a random dude from eastern Europe. But a random analyst from Goldman Sachs consolidating a bunch of random dudes from anywhere in the world to create a portfolio of high risk/high reward venture exploiting the emerging opportunities due to the relaxed regulatory environment in the highspeed data networks, (note to secretary: Bradley, sprinkle some synergy, paradigm and out-of-the-box in there, will you)? Definitely.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Oooh, phear the phishing by wren337 · · Score: 1

      But once someone DOES register .bank, will I be able to buy chase.bank from godaddy?
      It's not the people registering the new TLD you have to worry about, so much as the people that they sell domain names to in the new TLD. Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

    3. Re:Oooh, phear the phishing by archen · · Score: 1

      My impression was that they were reserving a lot of generic words so this wouldn't happen, and that only brands could be registered this way.

    4. Re:Oooh, phear the phishing by Serious Lemur · · Score: 1

      the barrier for entry is set relatively high here.

      I for one will rest easy knowing that only the most enterprising and wealthy cybercriminals will be making a fortune in illicit bullshit from this. That's what a free market's all about, after all.

    5. Re:Oooh, phear the phishing by Lunix Nutcase · · Score: 1

      Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

      What scammer is going to pay $185,000 and wait several months for a manual screening process to own a fraudulent vanity TLD?

    6. Re:Oooh, phear the phishing by digitalsushi · · Score: 1

      If the phishers figure out some way of gaining 185000 dollars, they might be able to afford a vanity tld. Maybe they could steal 185000 using deceptive luring techniques.

      I bet icann will use part of that 185000 dollars to improve the title of "random dude in eastern europe" to "sir".

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    7. Re:Oooh, phear the phishing by gstoddart · · Score: 1

      If the phishers figure out some way of gaining 185000 dollars

      Ummm ... from what I've read about how lucrative that can be, the $185K might actually be chump change.

      --
      Lost at C:>. Found at C.
    8. Re:Oooh, phear the phishing by wren337 · · Score: 1

      Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

      What scammer is going to pay $185,000 and wait several months for a manual screening process to own a fraudulent vanity TLD?

      Wow, did you even read the comment you included in your reply? I am saying they will NOT buy an entire TLD. Scammers don't own the whole .com TLD - they buy _individual domains_ under existing TLDs.

      Once someone registers a new .llc TLD what do you think they are going to do with it? They are going to sell domain names for $10 a year - to anyone with $10. And sooner or later someone with $10 will buy chase.llc and use it in a scam.

      Again, buying an individual domain in a new TLD will not cost $185k; it will cost whatever the owner of the new TLD is charging.

    9. Re:Oooh, phear the phishing by Anonymous Coward · · Score: 0

      For the big domainers out there right now 185k is maybe a week's revenue? I don't think the barrier to entry is high enough.

    10. Re:Oooh, phear the phishing by Kokkie · · Score: 1

      And who will do the dns resolving for the new TLDs? Will this be done securely, otherwise it will cost the scammer $0, with little risk for as long as it lasts.

    11. Re:Oooh, phear the phishing by Lunix Nutcase · · Score: 1

      Wow do you even understand how these new TLDs work? Clearly not when you post this nonsense.

    12. Re:Oooh, phear the phishing by wren337 · · Score: 1

      FTFA - "GTLDs such as .nyc, .london or .food could provide opportunities for many smaller businesses to grab names no longer available at the .com level -- like bicycles.london or indian.food."

      What part of this is confusing you?

    13. Re:Oooh, phear the phishing by Adam_ST170 · · Score: 1

      What part of this is confusing you?

      The next paragraph FTFA:

      The new domains will also change how ICANN works, as it will have a role in policing how gTLDs are operated, bought and sold. Until now, it has overseen names and performed some other tasks but has been little involved in the Internet's thornier issues.

      So to take your example, '.llc', the owner of .llc will probably reserve and offer chase.llc to Chase. (and probably for more than $10)

    14. Re:Oooh, phear the phishing by wren337 · · Score: 1

      Probably? They will PROBABLY offer chase.llc to Chase? That's your whole argument, that the new owners of each and every new TLD will probably do the right thing, so we have nothing to worry about?

      You realize we're going to have full character sets available, so you'll have a dozen different characters that look like the letter "a"? There will be hundreds of domain names that look like "chase" in each TLD.

      And you've seen how the registrars behave right now with the existing domains? And you're still optimistic?

    15. Re:Oooh, phear the phishing by Anonymous Coward · · Score: 0

      I know reading is frowned upon here on Slashdot, but what exactly did you think the sentence after the one you quoted referred to?

  5. Extortion by Anonymous Coward · · Score: 2, Insightful

    "That's a mighty fine brand ya got there, company. Be a shame if someone came and - bought it as a TLD. For about 200 grand, we can help protect you."

  6. Money, Money, Money by JoeTalbott · · Score: 2

    It's gonna cost a lot of money to get a vanity top-level domain. In order to prevent domain squatting. But won't this just allow those with deep-pocketbooks to call the shots? How well did .biz do? I don't think that in my vast Internet surfing I've ever intentionally visited a .biz address. I'm sure big businesses will snatch up their brand names out of fear and a misguided sense of getting on the bandwagon as soon as possible.

    1. Re:Money, Money, Money by localman57 · · Score: 1

      It'll happen over time. .biz and others will be accepted. People used to think of 1-888 as less good than 1-800 phone numbers. But that feeling has just about gone away over the last 20 years.

  7. This proves my assertion that TLDs are dumb by Anonymous Coward · · Score: 0

    Now that the 2nd part of the hostname (eg, slashdot here), can be moved to the 1st part (usually .org for slashdot, but they answer to a number of TLDs), now remind me what was the point of the 1st part to begin with?

    I guess this will finally get rid of the only publicly accepted TLD out there, .com, and back to AOL keywords :)

  8. So who gets .apple? by billrp · · Score: 2

    Inc. or Corps Ltd. (computer or music)

    1. Re:So who gets .apple? by webbiedave · · Score: 1

      The highest bidder. Literally.

    2. Re:So who gets .apple? by andydread · · Score: 1
  9. Cash grab by Tridus · · Score: 5, Insightful

    This scheme is nothing more then a cash grab. It does nothing useful for domain names. The cost of one of these is sky high ($185,000). There's no need being filled. It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it.

    This stuff should not be run on a "how do we extort more money out of DNS" methodology.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Cash grab by Lunix Nutcase · · Score: 1

      It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it.

      Except that someone else won't be able to register one of these TLDs with someone else's trademark. That's the whole point of the manual screening process they are doing before handing out these vanity domains.

    2. Re:Cash grab by Anonymous Coward · · Score: 0

      Except that someone else won't be able to register one of these TLDs with someone else's trademark. That's the whole point of the manual screening process they are doing before handing out these vanity domains.

      Except that many companies doing different things can all use the same trademark (i.e. Apple Computer vs. Apple Music). All companies (especially big ones with valuable trademarks) will probably register the TLD to prevent some small company that does something completely different from grabbing it.

    3. Re:Cash grab by Anonymous Coward · · Score: 0

      Except for the fact that many users/companies have been asking for custom TLDs for years. "Group gives consumers what they want; charges them money". That's not extortion; it's commerce.

    4. Re:Cash grab by PPH · · Score: 1

      ICANN get your money.

      --
      Have gnu, will travel.
    5. Re:Cash grab by demonbug · · Score: 2

      This scheme is nothing more then a cash grab. It does nothing useful for domain names. The cost of one of these is sky high ($185,000). There's no need being filled. It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it.

      This stuff should not be run on a "how do we extort more money out of DNS" methodology.

      This. I also want to know what they plan on doing with the additional millions of pure profit they will be making from their government imposed monopoly. Aren't they supposed to be non-profit? They're going to have to massively increase salaries to remain so.

      Also, whatever happened to the egalitarian, level playing field of the internet? This move pisses me off coming and going. If you want to open up all these new TLDs, fine; do it. Let anyone and everyone register their own TLD for the price of a traditional TLD; there is no technical reason why it should cost 1,000 times as much for one of these. Alternatively, if you need to charge that much for your rigorous screening of applicants, then maybe it isn't such a good idea to offer the service in the first place - obviously they think it presents massive opportunities for fraud.

      Either offer it to everybody at a reasonable price, or admit that it is a mistake and can the whole idea. Otherwise this is once again just a massive money grab on the part of ICANN.

    6. Re:Cash grab by Anonymous Coward · · Score: 0

      s/then/than

    7. Re:Cash grab by Anonymous Coward · · Score: 0

      Call me cynical, but I think they might be playing a different game here. I'm sure the criticism of ICANN hasn't escaped their attention, and what better way of stopping someone creating a compatible alternative than by polluting the entire TLD namespace so no one can mirror current DNS records and add their own TLDs to create an alternative.

  10. 4chan by Anonymous Coward · · Score: 0

    Anonymous.4chan

  11. Big deal over nothing by _0xd0ad · · Score: 1

    Realistically, someone who gets tricked by a fraudulent "mybank.bank" [example given in TFA] is equally likely to be tricked by "mybank.us", or "mybank.com". And we already have made browsers as nearly-idiot-proof as possible so it should display a big scary warning when they try to visit that URL anyway. I don't see this as being that much of a problem.

    1. Re:Big deal over nothing by Anonymous Coward · · Score: 0

      It seems to be a cash grab more than anything.

      For example you probably will not see .bank. Which would oh I don't know be useful... Instead you will see things like .wellsfargo. It is the new .com. But no .com to put in there.

  12. slash.dot by Anonymous Coward · · Score: 0

    Redirects to digg.reddit.

  13. .here TLD by TheLink · · Score: 1

    More than 10 years ago I proposed that a TLD be officially reserved for _standard_ local private use. Basically something similar to RFC1918 but for TLDs.

    I proposed it to the ICANN (emailed to icann@icann.org, Esther Dyson and Vint Cerf) and later the IETF: http://tools.ietf.org/html/draft-yeoh-tldhere-01

    No luck, and I'm not rich enough to buy it (and give it to the world). Maybe Google can?

    1. Re:.here TLD by Anonymous Coward · · Score: 0

      More than 10 years ago I proposed that a TLD be officially reserved for _standard_ local private use. Basically something similar to RFC1918 but for TLDs.

      I proposed it to the ICANN (emailed to icann@icann.org, Esther Dyson and Vint Cerf) and later the IETF: http://tools.ietf.org/html/draft-yeoh-tldhere-01

      No luck, and I'm not rich enough to buy it (and give it to the world). Maybe Google can?

      Already exists: use .local

    2. Re:.here TLD by TheLink · · Score: 1

      Already exists: use .local

      Read my post again, .local is not officially reserved.

      There's a difference between using some random IPv4 address range for your private use and using an RFC1918 IP address range.

    3. Re:.here TLD by Anonymous Coward · · Score: 0

      And there's a difference between IP addresses and domain names. You're both fucktards.

    4. Re:.here TLD by Anonymous Coward · · Score: 0

      Actually, he (TheLink) was right: .local is not officially reserved. I was mistaken in my previous post, when I was running from memory and not checking the RFCs. Furthermore, the proposed .here TLD would serve a different purpose than what I was thinking.

      That said, RFC2606 does reserve .test, .example, .invalid, and .localhost for the uses that I was (mistakenly) assigning to .local.

  14. Stop the fearmongering. by LavouraArcaica · · Score: 1

    It's not the possibilities of phishing that create phishing, but the will and greed of people. Even if phishers can't use a domain name, they'll use just an IP address. And people who believe that 'mybank.ru' is really their bank will equally believe that 'xxx.xxx.xxx.xxx' is their bank.

  15. Come on Slashdot editors! by wcrowe · · Score: 1

    Whoever wrote this either cannot read, or is too lazy to read. It is not going to be easy to get these TLDs. For starters, each TLD will cost $185,000. The applications will also be investigated before the TLDs will be created.

    Slashdot used to be a top-notch website, but lately the editors seem to be content to post any old bullshit as a legitimate story. This story should never have been accepted for submission.

    --
    Proverbs 21:19
    1. Re:Come on Slashdot editors! by fruey · · Score: 1

      Old bullshit as a legitimate story has precedents as old as slashdot. It only seems like it got better because you filter the crap from your retrospective memory.

      --
      Conversion Rate Optimisation French / English consultant
    2. Re:Come on Slashdot editors! by PPH · · Score: 1

      each TLD will cost $185,000. The applications will also be investigated before the TLDs will be created.

      You got $185,000? You just passed our investigation.

      --
      Have gnu, will travel.
  16. Hopefully there will be some sanity enforced by Bloodwine77 · · Score: 1

    If ICANN allows people to obtain TLDs such as .comm, .ccom, .nett, .orrg, and so forth then we're in for a lot more scams and phishing attempts.

    I wonder how well the vanity domains will work in the wild, though. They only work as well as software supports them. In theory it shouldn't be too much of a problem, but in reality I would not be surprised if a lot of software chokes on them.

    1. Re:Hopefully there will be some sanity enforced by unrtst · · Score: 1

      I foresee a lot of software breaking, but not the obvious website url stuff. http://citibank/ will probably work just fine in all browsers... though if it doesn't exist, the browser will automatically try citibank.com, citibank.net, or default to a search for it these days.

      I'm betting the bigger problem will be in all the ad-hoc validation code out there. For example, email validation... it often requires two parts to the domain portion (user@domain.something), so "user@citibank.com" works, "user@mail.citibank" will probably work, but "user@citibank" is probably going to fail with most existing software.

      The other part will be length checking on the TLD... all TLDs these days are very short, though the DNS protocol allows for longer ones (up to 63 chars). Again, most of the stuff that uses the names will be fine (things that just pass it off to the name service resolver). But it'll require a lot of software updates to lots of odds and ends sites and programs. Those things could be labeled as poorly coded, but they're really just trying to protect users from ignorant mistakes.

      IMO, I see no value in this at all, except to ICANN so they can get some extra cash flow. Even worse, this will cost businesses money, cause they'll feel the same need to protect their name here as they do on .com/.net/.org/etc, but instead of an extra $20/yr, it's $185000 + $20000/yr or more.

      The only benefit I see on the business side is that maybe, just maybe, all of a company's subsidiaries will now show up under one hierarchy. For example, Time Warner has a TON of different domains, many location and product specific (ex. twcny.com). So maybe the extra cost will encourage them to make better use of the resource. But it really really really doesn't matter.

      The theory that they'll vet these domains to make sure the owner is the right person is horribly misplaced. That should go to the SSL providers, who used to do a decent job of this before competition drove down both the cost and the benefit.

      The Phishing angle just seems like a strawman to me. This is just a solution looking for a problem... a problem that isn't there. The idea that business "want" this is (IMO) a misreading of a statistic... it's been talked about for decades, so they're interested in knowing when they'll have to grab up their real estate.
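The validation problem described in the comment above, as an added example that is not part of the original thread: a legacy-style e-mail pattern that assumes a dot and a 2-4 letter TLD, next to a check built only on DNS label rules (1-63 characters per label, 253 overall). The legacy pattern, the simplified local-part rule and the sample addresses are constructed for illustration.

```python
import re

# Legacy-style pattern (constructed): demands a dot and a 2-4 letter TLD.
LEGACY_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,4}"
)

# One DNS label: letters, digits, hyphen; 1-63 chars; no hyphen at either end.
# Internationalised names pass in their ASCII "xn--" form.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Deliberately simplified local part; quoted local parts are out of scope.
LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]{1,64}")


def is_valid_hostname(name, allow_single_label=True):
    """Syntax check that assumes nothing about TLD length or label count."""
    if name.endswith("."):            # tolerate a fully qualified trailing dot
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) == 1 and not allow_single_label:
        return False
    if not all(LABEL.fullmatch(label) for label in labels):
        return False
    # An all-numeric last label would be ambiguous with an IPv4 address.
    return not labels[-1].isdigit()


def is_valid_email(address, allow_single_label=True):
    """Split on the last '@' and validate both halves."""
    local, sep, domain = address.rpartition("@")
    if not sep or not LOCAL_PART.fullmatch(local):
        return False
    return is_valid_hostname(domain, allow_single_label)


def compare(addresses):
    """Return {address: (legacy_result, label_based_result)}."""
    return {
        a: (bool(LEGACY_EMAIL.fullmatch(a)), is_valid_email(a))
        for a in addresses
    }


# Constructed sample input: the addresses from the comment plus edge cases.
SAMPLES = [
    "user@citibank.com",
    "user@mail.citibank",
    "user@citibank",
    "user@shop.photography",
    "user@-bad-.com",
    "user@" + "a" * 64 + ".com",
    "user@10.0.0.1",
]

if __name__ == "__main__":
    for addr, (legacy, label_based) in compare(SAMPLES).items():
        print(f"{addr[:34]:34} legacy={legacy!s:5} label_based={label_based}")
```

The legacy pattern rejects the valid long-TLD and dotless addresses while accepting a label with leading and trailing hyphens and a 64-character label, both of which are invalid in DNS.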

  17. bleh... the good ones are... by elPetak · · Score: 1

    .pr0n .porn .sex

  18. intranet or localhost? by PanIc+RidE · · Score: 1

    How long will it take for someone to grease the right hands and get a hold of .intranet or .localhost?

    This whole scenario seems to only benefit the pockets of ICANN execs. So why wouldn't they start allowing domains that could seriously break stuff if the price was right?

    1. Re:intranet or localhost? by icebraining · · Score: 1

      According to the Application Guidebook, LOCALHOST is a reserved name.

  19. Don't Overlook The Spam Potential by damn_registrars · · Score: 0

    The mechanism they just approved for selling gTLDs also has a built-in mechanism that basically excludes spammers from any responsibility, ever, if they are associated with a new gTLD in any way, shape, or form.

    For example, say your favorite spammer registers ".pillz". Of course, you'll blacklist that in your email program but that doesn't matter because they'll spoof the email headers so it looks like it came from your own domain, or google, or anywhere else they want. You can try to filter your email for spamvertised addresses in the ".pillz" gTLD but that doesn't matter because of course the email will instead link to a .com with a redirect, or a tinyurl or whatever else they like to obfuscate the spamvertised domain.

    So how does the gTLD help them? Well, once you buy a gTLD, you become your own registration body. You can sell and register as many domains under your gTLD as you want, and you don't have to share the registration data with anyone, just the status and the IP that it resolves to (if any). So spammers can register new domains faster than you can find them, and they never have to worry about losing them. They can buy just one .com domain from someone else, and just have it redirect so they have the .com they want and the spam-sponsored gTLD-derived domain they need.

    In short, we previously had almost nothing in terms of mechanisms for shutting down spamming and spamvertised domains. ICANN just sold those mechanisms and now we have nothing.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  20. Urgent, Password Reset Needed! by Anonymous Coward · · Score: 0

    Warning your Facebook password has been compromised!

    Please click the link below to reset it:

    http://www.face.book/passwords/?1s97489vc9e7e89vc7v89

  21. Necessary? by black+soap · · Score: 1

    What was wrong with each of these superbrands being a .com? Besides the "we already hit diminishing returns on major corporations trying to lock in all the domains they might want" problem ICANN had? Maybe this is so companies can be their own registrar, once they have a .tld, so newflavor.coke can be held until newflavor's announcement date, without people seeing that it has been registered (or speculators buying them up before coke even decides on the newflavor's name?) - this is a marginal problem at most. I guess having your own domain and creating subdomains as you see fit wasn't good enough for these companies. people might confuse newflavor.coke.com and (unaffiliated speculator site) newflavor.com. I see this as one more step toward corporatizing the internet - you'll need the backing of some major company for your content to be visible.

  22. Idea? by Anonymous Coward · · Score: 0

    3 of a kind for 100% security: bankofamerica.bankofamerica.bankofamerica is guaranteed to be the real site. Anything less than 3 of the same domain names is insecure. For login pages I mean.

    Maybe the stupidest idea ever, but it can't be, they decided to approve custom TLDs which is the stupidest idea ever. I see no benefit to anyone but the people getting the money.

  23. anyone gotten .sucks yet? by Sprouticus · · Score: 1

    because THAT will be a money maker.

    1. Re:anyone gotten .sucks yet? by oodaloop · · Score: 2

      because THAT will be a money maker.

      Why don't you apply for it? I'm sure you can make a legitimate claim for it.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:anyone gotten .sucks yet? by PPH · · Score: 1

      It may cost you $185,000. But how much will people pay you to keep apple.sucks, microsoft.sucks, cowboyneal.sucks, etc. off your domain?

      --
      Have gnu, will travel.
  24. This is only one new top level domain by cforciea · · Score: 1

    From the end user perspective, this has the same net effect as opening up exactly one more top level domain: the blank TLD. It just happens to be a way more expensive TLD than any of the other ones, and has a higher chance of coercing companies into registering it. It does not add any new functionality that I can think of (NPR interviewed some asshat this morning talking about how Canon would hypothetically be able to open .canon domains and have cameras automatically upload pictures as they are taken, as if they couldn't already do that with subdomains and existing technology).

    Really what aggravates me on a personal level is the support calls I am going to start getting. I work at a small ISP, and while I am largely higher tier support, I still sometimes end up being the first point of contact for customers calling in when tier 1 support gets overloaded. I just shudder at the thought of trying to explain to one of my 85 year old customers, who just finally figured out what a URL looks like that no, "msn" is actually a real address now. The normal TLDs are useful for triggering pattern recognition. In that sense this is actually making the internet harder for anybody who is not technologically savvy to learn.

    Not to mention, I just can't wait to see what all of the tools on the internet that automatically convert URLs into hyperlinks do.

  25. $185K? Psh... by pongo000 · · Score: 2

    ...OpenNIC charges $0 for TLD applications, and since it's a transparent democratic approval process, you get to actively participate in the approval process. We need to show ICANN there are alternatives to their extortion attempts.

  26. For the naysayers... by Lumpy · · Score: 1

    Organized crime group forms a corporation called.... Continental Options Network.... and buys the .con TLD.

    Now the price is nothing to organized crime, if the payout potential is big.

    Hire some killer IT and networking black-hats. Give them $350,000US a year to live in China, South America, Russia, etc.. so they can live like rockstars and do epic coding for their data centers.

    First sit low and record the number of typos for sites to .con instead of .com you can data mine where it comes from and target certain areas. Set up the fake sites to load their bomb that only shows up ONCE and then innocently redirects to the real site.

    and so on... heck even MITM attacks could be done.

    This kind of cash is peanuts to organized crime. And if they hired good enough black hats and paid them well they could easily outwit the security companies long enough to make a giant pile of cash.... rinse, change up a little, repeat....

    --
    Do not look at laser with remaining good eye.
    1. Re:For the naysayers... by Anonymous Coward · · Score: 0

      Nah, they just have to get some farmers to register .corn, (coRN), which looks even more like .com.

      on my default 12pt windows arial, i still have to look twice to see the difference between google.com and google.corn

      and i don't have bad sight at all

  27. Cybercriminials by Pf0tzenpfritz · · Score: 1

    cybercriminals could also seek these new domains [...] These can then be used for phishing attacks

    Terrorists could also seek these new domains. These can then be used for terrorist attacks. Chinese hackers could also seek these new domains. These can then be used for Chinese hacking attacks. Software pirates could also seek these new domains. These can then be used for software pirating attacks. Malicious attackers could also seek these new domains. These can then be used for malicious attacking attacks,..

    --
    Oh, the beautiful gloss of greality!
  28. Just post the general case already by Sloppy · · Score: 1

    The more power people have, the more they'll use it and sometimes they'll use it for bad things.

    The more expression people have, the more they'll express and sometimes they'll say fraudulent things.

    There. Can we now stop treating it as big news every damn time it happens with every damn trivial variation, have the debates one last time, and then agree that we need to kill humanity in order to save it?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  29. 'create your own' TLDs? by lostmongoose · · Score: 1

    I propose '.hascheezburger' reserved for ICANN.

  30. Rock and roller cola wars, I can't take it anymore by tepples · · Score: 1

    Coke and hookers.

    Not if PepsiCo gets to .cola first.

  31. How long would it take? by Anonymous Coward · · Score: 0

    How long would it take for a phisher to make 185k is the real question.. the purchase of the TLD could be seen as an investment if they could rattle off schemes and make their money before they are found..

  32. .corn by Anonymous Coward · · Score: 1

    Just toss an "R" into there:

    citibank.corn
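A detection-side view of the look-alike TLDs raised in comments 16, 26 and 32 (.comm, .nett, .con, .corn), as an added example that is not part of the original thread: it flags URLs whose TLD is either a visual collapse of a well-known TLD or one edit away from it. The target list, the confusable table and the sample text are constructed and deliberately short.

```python
import re
from urllib.parse import urlsplit

# TLDs users already recognise (short list chosen for this example).
WELL_KNOWN = ("com", "net", "org", "edu", "gov")

# Visual confusions taken from the thread: "rn" reads as "m", "0" as "o".
CONFUSABLES = (("rn", "m"), ("0", "o"))


def skeleton(label):
    """Collapse visually confusable sequences to one canonical form."""
    label = label.lower()
    for seen, canonical in CONFUSABLES:
        label = label.replace(seen, canonical)
    return label


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_tld(tld):
    """Return (verdict, target); verdict is known, homoglyph, typo or other."""
    tld = tld.lower().rstrip(".")
    if tld in WELL_KNOWN:
        return ("known", tld)
    if skeleton(tld) in WELL_KNOWN:
        return ("homoglyph", skeleton(tld))
    for target in WELL_KNOWN:
        if edit_distance(tld, target) == 1:
            return ("typo", target)
    return ("other", None)


def flag_urls(text):
    """Return (host, verdict, target) for every suspicious URL in text."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        try:
            host = urlsplit(url.rstrip(".,;:)!?")).hostname or ""
        except ValueError:            # malformed bracketed host
            continue
        tld = host.rstrip(".").rsplit(".", 1)[-1]
        verdict, target = classify_tld(tld)
        if verdict in ("homoglyph", "typo"):
            findings.append((host, verdict, target))
    return findings


# Constructed sample message body.
SAMPLE_TEXT = """Your statement is ready at http://www.mybank.con/login
Compare http://mybank.corn/ with http://mybank.com/
Reset here: http://mybank.c0m/reset, or visit http://mybank.bank/"""

if __name__ == "__main__":
    for host, verdict, target in flag_urls(SAMPLE_TEXT):
        print(f"{host:20} {verdict:10} looks like .{target}")
```

Existing country codes such as .co and .cm are also one edit away from .com, so a deployed version of this check needs an allowlist of TLDs that are expected in local traffic.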

  33. Troll? I'd love to know why. by damn_registrars · · Score: 1

    I have no idea how that comment is trolling. I pointed out how selling gTLDs creates a new bonanza of opportunity for spammers, and puts a little money into the pockets of the profiteering bastards who run ICANN. Did someone with a strong pro-ICANN slant (I didn't know any such people - outside of ICANN employees - existed) see the comment and moderate it down in retaliation?

    It seems like crappy moderation to me. Bad moderator, bad bad bad.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  34. Everyone's onto you trolltalk.com trolls is why by Anonymous Coward · · Score: 0

    Everyone now knows what U trolltalk.com jokes do around here:

    http://www.google.com/search?hl=en&source=hp&q=damn_registrars+site%3A+trolltalk.com&btnG=Google+Search

    In upward moderating yourselves in packs, and downmoderating others.

    Proof of that is here:

    http://slashdot.org/comments.pl?sid=2245866&cid=36491652

    And yes, countertrolling's yet another trolltalk.com trolling scumbag infesting this forums along with the "trolling likes of YOU" as well:

    http://www.google.com/search?hl=en&source=hp&q=countertrolling+site%3A+trolltalk.com&btnG=Google+Search

  35. Security concern not at top level, but one down by Anonymous Coward · · Score: 0

    The issue won't be con artists registering top level domains. Though some of them make enough money to cover the costs.

    The challenge will come when someone figures out how to convince the holders of .bank to give them a sub domain there.

    Just when you think .bank is safe, bankofamerca.bank appears.

  36. Dear uninformed AC troll by damn_registrars · · Score: 1

    Your google-fu is no good. When you want to search a domain for a string on google, you need "site:" to be followed immediately by that domain. You errantly inserted a space after the colon, which then caused google to do a massive or search between the strings "your-least-favorite-slashdot-name", "site:", and "trolltalk.com".

    If you drop that extra space, and rerun the search, you will find that neither my slashdot name, nor that of countertrolling, occur on trolltalk.com.

    But thanks for playing!

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  37. B.S.: U show there & U know it, noob by Anonymous Coward · · Score: 0

    LMAO @ U here -> http://slashdot.org/comments.pl?sid=2251620&cid=36497186 , for starters... lol!

    And, what a truckload of crap out of you, troll: You show up as yet another "trolltalk.com" troll along with goofs like tomhudson.

    Seems you got your ass shot down badly here in that link above, lol, where your WEAK "networking skills" (lol, not) failed you badly.... lol!

    (Figured it out yet, noob?? LMAO!)

    * Best part is, you "bit" as I knew you would... just so I could expose you for the link above... lol!

    Hey, question:

    YOU LIKE APPLES? How do you like them apples?? (see link above, lol)

  38. Are you the same AC troll as before? by damn_registrars · · Score: 1

    I earlier had an encounter with an AC troll, who would ignore reality and likely to try to respond with links to irrelevant AC posts.

    Nonetheless, I showed that your google link was wrong. You can go ahead and do the right search, and you'll find I have nothing to do with tomhudson's trolltalk.com. I have nothing else to say in response.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  39. Ok, U seem cooler than they are anyhow so... by Anonymous Coward · · Score: 0

    Know what? I believe you - I was the guy in the "TomHudson did you do this?" journal of yours.

    That last post was MOSTLY to "bait you into the open" so I could retroll you (perhaps as I said before to others, I may be wrong that you are with those trolltalk.com goofs who have trolled me here for a year)

    I.E. - tomhudson & crew are the ones I am down on (with good reasons & proof, SOLID proof from their own mouths here quoted) Ah, long story!

    Still... you're still WRONG about how I am doing it... in fact, I will show you, now, AND dropping another clue here (not the greatest but... it is one):

    Robert Plant of LedZeppelin said it... he's SEEN it. Put it that way, lol! The technique is implemented thus. No hack involved, VERY fast too!

    Watch the timings of each post... it's not by browsers as you suspected, but what I told you there (honest to god, but it's no "hack" either)... I would think you would have caught onto it by now in fact!

    And, is this me?? "Welcome to the Layer Cake"... yes, it is.

    Watch my next few posts, note the timings... this will be fun to illustrate the technique to you in fact!

    Here goes...C-YA!

  40. HI by Anonymous Coward · · Score: 0

    Hello

  41. Goodbye by Anonymous Coward · · Score: 0

    LOL

  42. Back again by Anonymous Coward · · Score: 0

    Back again see

  43. It's THAT simple by Anonymous Coward · · Score: 0

    Truly is

  44. So much for 10 posts per 24 hours too by Anonymous Coward · · Score: 0

    Watch already at 5

  45. Totally legit, not hack by Anonymous Coward · · Score: 0

    Just a way of doing things networking wise

  46. Not bug in slashdot either by Anonymous Coward · · Score: 0

    Like you thought too

  47. Not multiple browsers or tabs by Anonymous Coward · · Score: 0

    Like you thought too so. what's left?

  48. Think man, think!!! by Anonymous Coward · · Score: 0

    I gave you ALL the clues I can.... that link, Robert Plant's SEEN it, & ghosting... see ya, good luck!

  49. OH well: Tried 2C IF you could figure it out by Anonymous Coward · · Score: 0

    & instead you took off, oh well! So much for 10 posts per 24 hours though on AC's though, eh?

  50. On trolltalk.com & tomhudson (lol) by Anonymous Coward · · Score: 0

    QUOTED VERBATIM FROM -> http://slashdot.org/comments.pl?sid=2250914&cid=36531394

    (From webmistressrachel, tomhudson's pal in fact)

    I really want to stress this to you apk, (and whilst doing so needle tomhudson about it!) trolltalk isn't a forum anymore. It's an advert for TomHudson - by webmistressrachel (903577) on Wednesday June 22, @01:28PM (#36531394) Journal

    That really truly "puts the FINAL nail in the coffin" here, bigtime - lol, & from one of "the trolltalk.com gang" no less...

    Want more? YOU GOT IT!

    Here's more, from your friend Jeremiah Cornelius, another trolltalk.com member, & pal to tomhudson also, from that very same exchange (after webmistressrachel tried to say there's no forums there on trolltalk.com no less):

    http://slashdot.org/comments.pl?sid=2245062&cid=36469928

    PERTINENT QUOTE/EXCERPT:

    "Join us all on Troll Talk, this Tues. ;-)" - by Jeremiah Cornelius (137) on Thursday June 16, @08:26PM (#36469928) Homepage Journal

    APK

    P.S.=> Proof's in the pudding... Funniest part is the date on Jeremiah Cornelius' post - it's from last week!

    That either shows that WebmistressRachel's apparently lying, or NOT "in the know" about what's going on there - doubt that, she's too good of pals with tomhudson!

    (That, or they just temporarily shut the forum down to avoid GOOGLE queries etc. OR you have to login to it & I am pretty sure you have to with tomhudson's stuff (take your pick, but doesn't matter anyhow @ this point from the data above))...apk

  51. This is going to cause serious tech issues by funky_vibes · · Score: 1

    On our network we have things like:
    printserver
    ntpserver
    fontserver
    authserver
    intranet
    mail
    etc.

    A very practical way of moving your laptop between home and work, and always automatically seeing all relevant printers. (just set your cups server to printserver:631)

    We have always assumed that internet things end in a limited amount of TLDs. With this change that assumption goes out the window.
    I'm pretty sure this will lead to an immense amount of DNS filtering at all parties who didn't already implement it.

    In protest, I'm going to filter out all TLDs ICANN creates from this day forth, on all networks I control, who's with me?
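An audit for the collision described in the comment above, as an added example that is not part of the original thread: it lists the order in which a glibc-style stub resolver (resolv.conf `search` and `ndots` semantics) tries a short name, and marks the internal names whose bare label is also a delegated TLD. The search suffix `corp.example` and the TLD list are constructed; the entries MAIL and INTRANET are hypothetical delegations.

```python
# Constructed sample in the layout of IANA's tlds-alpha-by-domain.txt:
# one comment line, then one upper-case TLD per line.
SAMPLE_TLD_LIST = """\
# Version 0000000000, constructed sample
COM
NET
ORG
MAIL
INTRANET
"""

# Single-label names from the comment above.
INTERNAL_NAMES = [
    "printserver", "ntpserver", "fontserver", "authserver", "intranet", "mail",
]


def parse_tld_list(text):
    """Return the set of lower-cased TLDs, skipping comments and blanks."""
    return {
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    }


def candidates(name, search, ndots=1):
    """Order in which the stub resolver tries `name`.

    Names with fewer than `ndots` dots go through the search list first
    and are tried as an absolute name last; a trailing dot disables the
    search list entirely.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def colliding(names, tlds):
    """Internal single-label names that are also delegated TLDs."""
    return [n for n in names if "." not in n.rstrip(".") and n.lower().rstrip(".") in tlds]


def audit(names, search, tlds, ndots=1):
    """Return (name, query_order, collides) for each internal name."""
    hits = set(colliding(names, tlds))
    return [(n, candidates(n, search, ndots), n in hits) for n in names]


if __name__ == "__main__":
    tlds = parse_tld_list(SAMPLE_TLD_LIST)
    for name, order, collides in audit(INTERNAL_NAMES, ["corp.example"], tlds):
        flag = "COLLIDES with public TLD" if collides else "ok"
        print(f"{name:12} {' -> '.join(order):40} {flag}")
```

When the internal zone is unreachable, for example on a laptop away from the office, the last candidate in each list is the query that reaches public DNS, which is where a colliding name stops meaning the internal host.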