ICANN's Custom Domains May Make Cyber-Squatting More Expensive

For organizations already battling cyber-squatting, ICANN's expansion of top-level domain suffixes may just mean more domains to register defensively.

Now that the Internet Corporation for Assigned Names and Numbers has approved the proposal to allow new generic top-level domains, experts weighed in on the security implications.

The ICANN plan would expand the number of gTLDs (generic top-level domains) from 22, including .com, .net and .org, and 250 country-level domains to a nearly infinite number, the organization announced June 21.

The new custom domains can be brand-based or generic, such as .coke or .music, or even be in other languages and using other scripts such as Cyrillic, Arabic and Chinese. Several hundred new gTLDs are expected to be created under the plan.

"After years of discussion, debate and deliberation with many different communities-including business groups, cultural organizations and governments-we have opened the door to an era of creative innovation unlike any other since the Internet's inception," Rod Beckstrom, ICANN's president and CEO said.

The ICANN proposal created a high barrier of entry for anyone wishing to register a custom domain, beginning with the nonrefundable $185,000 application fee, an additional $25,000 a year to administer the registry afterward and a 200-page application in which companies have to prove they own the company name and brand they are registering.

"The $185,000 price tag for applying to register the custom brand suffixes will price much of the problematic stuff out of the market for outright fraudulent gTLD applications," Kurt Baumgartner, senior malware researcher at Kasperksy Lab, told eWEEK.

The complex application process and the lengthy time period should deter "casual cyber-squatters," Janet Satterthwaite, a trademark and domain name attorney with Washington-based law firm Venable, told eWEEK. It won't eliminate cyber-squatting altogether, as the current practice of scammers registering company names and brands in other TLDs will likely continue, according to Satterthwaite.

Companies can continue to do "defensive registrations" to register their brands under each new domain, "unless and until the number of [new] top-level domains make this prohibitively expensive," Satterthwaite said. Even if someone does try to register a gTLD similar to an existing brand, the legitimate owner has the opportunity to oppose it. However, new registries located outside the United States may not be subjected to the U.S. anti-cyber-squatting consumer-protection laws, she said.

"There is a legitimate fear that an explosion of new registries will threaten Internet security," Satterthwaite said.

Along with brand names, generic words can be turned into a domain-name suffix. Satterthwaite said there will be rules to prevent registry owners from locking out domain applications on those domains. For example, an owner of a .ski TLD will likely be prevented from blocking a competitor from registering a domain with that suffix, she said.

Some security experts are skeptical that the ICANN plan would really work as designed. James Lyne, director of technology strategy at Sophos, said there was the potential for abuse with the new suffixes. "The question is," Lyne told eWEEK, "how stringent will they really be?" If the actual implementation is flawed, then it doesn't matter what the plan's intent was, according to Lyne. The custom gTLDs could "end up a bit like SSL," which is not really as secure as its original designers had hoped, Lyne said.

It's unlikely that a cyber-scammer will fraudulently register a domain suffix to launch scams, since it will be fairly easy to block access to an entire TLD.

However, it's likely that DNSSec (Domain Name System Security Extensions) adoption may spread with the new domain suffixes, Baumgartner said. Increased DNSSec on the domain level will potentially prevent Web communications from being hijacked by attackers in "future rollouts," Baumgartner said. It's also possible, however, that DNSSec adoption may actually confuse users about what HTTPS site is verified, and thus increase the chances of spoofing a site. Baumgartner said DNS servers will likely become more attractive targets.