Slashdot Mirror
Generic TLDs Threaten Name Collisions and Information Leakage
CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed."
Another way to look at it: why were they using invalid domains in the first place?
I used to work for a company where some uncommon but in use domain names where being used on the intranet, and where overriding the internet ones.. A real pain in the ass.
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...
It would be nice to reserve some domain names for internal use although, just like internal ip addresses.
Everything I write is lies, read between the lines.
Why use some random .local when you can use intra.company.com subdomain for the internal lan.
It's much better to use a real domain which you actually own and will remember to renew.
There are no atheists when recovering from tape backup.
Currently, 25 percent of queries to the domain name system are for devices and computers that do not exist, suggesting the companies are already leaking information to the Internet
And how many of those are due to actual people as opposed to confused webcrawlers looking up dead links?
"Oh hai, a new webpage. Lookie, a link. hddp://mywobsite.youspace.com/forum/?post=1. Oh, there's nothing there.
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=2. Oh, there's nothing there
Lookie, another link. hddp://mywobsite.youspace.com/forum/?post=3. Oh, there's nothing there"
I read TFA and all I got was this lousy cookie
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
Even without these objections, ICANN is just fscking around (for money, it ain't cheap to sup at their table), and blaming what the rest of the world may or may not have done is not really constructive here.
Seriously, the internet has reached a level of growth where ANY major change like that WILL invariably break something that grew along with it. And we didn't even reach the point yet where this alone is obviously a serious business advantage or drawback, depending on who gets certain TLDs. Who gets to have .mail? Who gets .web? Who is the lucky dog who gets that license to print money? And, worse, to keep certain people from using it at all, preferably those that would present a competitor to them?
Who gets to use .$well_known_name? .exchange? .office? Or how about .gates? .jackson?
If this does anything, it just opens up a new round of domain name turf wars and domain squatting. Only this time, there is no escape from the squatter. There is no $name.$land when $name.com is held for ransom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The Internet ought not evolve, because some network admins at companies don't know how to use it properly? Is that the argument? I'd say that's a rather bad argument.
This is a BS article.
The main concern incluse using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.
The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks" feel they have to register their trademarks as domain names with 1000's of registrars. The don't like this.
As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them was born".
So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M
Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.
Just imagine if company A asks for a certificate for mail.corporate, but then uses it for industrial espionage against company B's mail.corporate server...
It wasn't removed...there just aren't any more seeders.
Is it just my observation, or are there way too many stupid people in the world?
If you have heard them scream and shout and stomp their feet when we talk about GIMP here, wait until you see the reaction to .invalid
"why were they using invalid domains in the first place?"
.local or .office or .internal could ever possibly be a valid TLD.
Because they could. Because it was an easy solution. Because no one could imagine that ICANN would someday be so broken that
http://alternatives.rzero.com/
why were they using invalid domains in the first place?
Because they could and nobody had warned them that ICANN was eventually going to go for a massive AOLisation of the DNS.
The answer is "because there are a lot of idiots passing themselves off as network engineers who actually don't have a clue". It's *never* been sane to pick arbitrary unreserved addresses in any network address space and assume they won't ever be used. And frankly I've seen this time and time again, including such crazyness as people picking arbitrary unallocated IPv4 networks to use internally instead of RFC1918 networks, and then being surprised when things start breaking after those networks have been allocated out to a third party.
http://blog.nexusuk.org
This is mostly FUD.
Regarding external certificates, most certification agencies (at least those that are members of the https://www.cabforum.org/ have stopped issuing certificates for invalid domain names for any date posterior to November 1st 2015. They put this policy in place on Nov 1st 2012. Any such certificates that might be marked as valid beyond that date will be revoked on October 1st 2016.
Now, there may be a concern with internal certificates for such domains, but that is for the internal policy of businesses to fix in time. It should be easy to implement redirecting policies to new domains for any internal web site or system that could collide with gTLDs before they're actually implemented. It is certainly NOT a serious security concern in my opinion.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Another way to look at it: why were they using invalid domains in the first place?
Another way to look at it: why are they being dependent on an external TLD structure for their security mechanism?
now we need to go OSS in diesel cars
Count me in.
It's the current DNS system that's flawed, no matter what TLD's there are or not. It is time to abolish the old system.
DNS management must be decentralized, everyone who connects to the Internet should be automatically in charge of it (by running a p2p DNS search node), domain names ought to be arbitrary, free and strictly distirbuted on a first come, first served basis. There are plenty of working models that would prevent abuse and contrary to what some people claim security is NOT an issue (any "security" that relies on the correctness of simple name->address translations instead of proper certificates/key distribution is bogus anyway).
While we're at it, it would also make sense to get rid of "certificate authorities". The right system for encrypted network traffic is that of ssh, the key is transmitted on the first connection and then used every subsequent access. Important entities like banks and payment providers need to roll out their own security tokens anyway, everything else is insecure, so authenticating them is no problem.
The revolution could start with a simple browser plugin. I really hope somebody works on that. Would be nice to put an end to DNS tampering and censoring.
I'm sure major entities already re-route things like .com, .net, and .org to "internal" sites on an as-needed basis.
Let the Balkanization of the Internet begin^H^H^H^H^Hcontinue.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If you have internal systems facing the internet where just using the right domain name would unveil what is inside to all the world, the one that "broke it" is you, either by designing "security" that way or choosing vendors that force you to work that way. Depending in the ignorance of the remote side is a bad security measure (or better, is a good insecurity measure).
In fact, probably is good that something makes evident that you have an open insecure system in internet. The bad guys (including NSA and associated companies) are already aware of this, so if something actually forces you to fix it will be something positive (but take a review of those exposed systems, odds that have been exploited in a non immediately obvious way are not low).
Not being able to print is the tip of the iceberg. That was one example of a local resource being blocked by stupid VPN dogmatism. There are many more! Here's one: You have an end user who needs to VPN-connect from a business partner site to use a single app. You've forced all the traffic from the end user through the VPN tunnel (as advocated in the post inspiring the rant) so now the end user cannot reach his local mail server. If you create some baroque combination of filters so that painfully slow access to the local mailserver works by routing traffic through the WAN and back again, so a year later when the mail service configuration changes on the local site the VPNs all have to be reconfigured - and the email admins do not know this, of course, so it's designed to fail.
It's impossible to set up a WAN link to an independently administered network without talking to the other end of the connection, so why in the world would you assume nobody has asked? Of course the question's been asked.
Smart IP netadmins have used only IANA registered names since before Jon Postel died, and smart WAN admins don't use one-size-fits-all security solutions that wreck end-user productivity.
Old news. This has been an issue for YEARS.
Microsoft used to use and even advocate .local in many of its articles and educational documentation even after it became used by Multicast DNS / mDNS and other systems (http://en.wikipedia.org/wiki/.local)
It was only recently that they stopped when the SSL registrars will no longer accept .local for certificates.
I have also seen several networks using .int for internal domains even though those were used for international organizations for a LONG time. Same as with .local and SSL is when these companies finally understand that the RFCs are there for a reason... .:-)
--
Time is on my side
It might be worthwhile to define some "reserved" TLDs for private use, as we have 10/8/, 192.168/16, 172.16/18 for IP addresses, so we can ensure that anybody using a reserved TLD does not have to worry about it being allocated in the future.