For organizations already battling cyber-squatting, ICANN's expansion of top-level domain suffixes may just mean more domains to register defensively.
Now that the Internet
Corporation for Assigned Names and Numbers has approved the proposal to allow
new generic top-level domains, experts weighed in on the security implications.
The ICANN
plan would expand the number of gTLDs (generic top-level domains) from 22,
including .com, .net and .org, and 250 country-level domains to a nearly
infinite number, the organization announced June 21.
The new custom domains can
be brand-based or generic, such as .coke or .music, or even be in other
languages and use other scripts such as Cyrillic, Arabic and Chinese. Several
hundred new gTLDs are expected to be created under the plan.
"After years of
discussion, debate and deliberation with many different communities - including
business groups, cultural organizations and governments - we have opened the door
to an era of creative innovation unlike any other since the Internet's
inception," Rod Beckstrom, ICANN's president and CEO, said.
The ICANN proposal created a
high barrier of entry for anyone wishing to register a custom domain, beginning
with the nonrefundable $185,000 application fee, an additional $25,000 a year
to administer the registry afterward and a 200-page application in which
companies have to prove they own the company name and brand they are
registering.
"The $185,000 price tag for
applying to register the custom brand suffixes will price much of the
problematic stuff out of the market for outright fraudulent gTLD
applications," Kurt Baumgartner, senior malware researcher at Kaspersky
Lab, told eWEEK.
The complex application
process and the lengthy time period should deter "casual
cyber-squatters," Janet Satterthwaite, a trademark and domain name
attorney with Washington-based law firm Venable, told eWEEK. It won't eliminate cyber-squatting altogether, as the
current practice of scammers registering company names and brands in other TLDs
will likely continue, according to Satterthwaite.
Companies can continue to do
"defensive registrations" to register their brands under each new
domain, "unless and until the number of [new] top-level domains makes this
prohibitively expensive," Satterthwaite said. Even if someone does try to
register a gTLD similar to an existing brand, the legitimate owner has the
opportunity to oppose it. However, new registries located outside the United
States may not be subject to the U.S. anti-cyber-squatting consumer-protection
laws, she said.
"There is a legitimate
fear that an explosion of new registries will threaten Internet security,"
Satterthwaite said.
Along with brand names,
generic words can be turned into a domain-name suffix. Satterthwaite said there
will be rules to prevent registry owners from locking out domain applications
on those domains. For example, an owner of a .ski TLD will likely be prevented
from blocking a competitor from registering a domain with that suffix, she
said.
Some security experts are
skeptical that the ICANN plan would really work as designed. James Lyne,
director of technology strategy at Sophos, said there was the potential for
abuse with the new suffixes. "The question is," Lyne told eWEEK, "how stringent will they really
be?" If the actual implementation is flawed, then it doesn't
matter what the plan's intent was, according to Lyne. The custom gTLDs could
"end up a bit like SSL," which is not really as secure as its original
designers had hoped, Lyne said.
It's unlikely that a
cyber-scammer will fraudulently register a domain suffix to launch scams, since
it will be fairly easy to block access to an entire TLD.
However, it's likely that
DNSSEC (Domain Name System Security Extensions) adoption may spread with the
new domain suffixes, Baumgartner said. Increased DNSSEC on the domain level
will potentially prevent Web communications from being hijacked by attackers in
"future rollouts," Baumgartner said. It's also possible, however,
that DNSSEC adoption may actually confuse users about which HTTPS site is
verified, and thus increase the chances of spoofing a site. Baumgartner said
DNS servers will likely become more attractive targets.