ICANN Email List Archives

[dssa]



Re: [dssa] Interesting article -- probably out of scope for us, but FYI

  • To: James M Galvin <jgalvin@xxxxxxxxxxxx>
  • Subject: Re: [dssa] Interesting article -- probably out of scope for us, but FYI
  • From: Patrik Fältström <paf@xxxxxxxxx>
  • Date: Wed, 14 Sep 2011 08:16:50 +0200

Just be aware of the fact that the discussions about "confusability" that are 
part of the stability evaluation of, for example, new TLDs in the gTLD process are 
around exactly these issues. Misunderstandings, confusability etc. Similar with 
the variant discussion.

So I do not think DSSA can just ignore the issues as they have to do with 
stability and security related to "the DNS system" although not "the DNS 
protocol" per se as you point out Jim.

   Patrik

On 14 sep 2011, at 08:11, James M Galvin wrote:

> 
> This is not a "don't go down too deep issue", it really is out of scope.
> 
> The distinction that I think is important is that we are chartered to 
> consider DNS security and stability issues, not issues for which the DNS can 
> be used for nefarious or malicious purposes.  The fact that one can do bad 
> things with the DNS does not make the DNS bad.  Even DNSSEC does not help the 
> problem being described because it's not a DNS problem.
> 
> It might be worth a short discussion of this distinction in our final report.
> 
> Jim
> 
> 
> 
> -- On September 13, 2011 3:31:31 PM -0500 Mike O'Connor <mike@xxxxxxxxxx> 
> wrote regarding Re: [dssa] Interesting article -- probably out of scope for 
> us, but FYI --
> 
>> 
>> yep,  i get that.
>> 
>> i think one thing we might want to consider is building out a list of
>> attack vectors that infrastructure-providers might want to apply
>> best-practices to.  this fits with Cheryl's "not following
>> best-practices" bucket that we created in the Vulnerabilities draft a
>> few calls back.  it also kinda takes me back to the best-practices
>> discussion we had on the RAP working group and the notion that ICANN
>> might be a good place to call attention to these sorts of things, and
>> keep track of good resources/standards/models etc.
>> 
>> but i agree -- we don't want to go too deep down these issues or
>> we'll never finish.
>> 
>> mikey
>> 
>> On Sep 13, 2011, at 11:22 AM, Greg Aaron wrote:
>> 
>> >
>> > Hi, Mikey.  I think typosquatting's out of scope, full stop.  By
>> > allowing that example in, we'd be allowing virtually any kind of
>> > security problem or threat vector back into scope again, simply if
>> > it was directed against a registry operator.  That is too much; a
>> > rabbit hole we'd never emerge from.
>> >
>> > A lot of things come down to following good IT and administrative
>> > practices, like: having a fundamentally sound network architecture,
>> > not losing one's passwords, and using the UDRP or legal mechanisms
>> > when you need to.  There are bodies who do IT best practices better
>> > than we do, and ICANN's not in a position to explore all that kind
>> > of stuff.
>> >
>> > All best,
>> > --Greg
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
>> > Sent: Tuesday, September 13, 2011 8:31 AM
>> > To: dssa@xxxxxxxxx
>> > Subject: [dssa] Interesting article -- probably out of scope for
>> > us, but FYI
>> >
>> >
>> > hi all,
>> >
>> > i thought some of you (being that we're a gaggle of security type
>> > people) might be interested in this article about typosquatting
>> > domain names as a way to passively harvest sensitive email.
>> >
>> >
>> > http://arstechnica.com/business/news/2011/09/researchers-typosquatting-snarfed-20gb-worth-of-fortune-500-e-mails.ars
>> >
>> > given that we're testing our "scope" rules this week, i thought i'd
>> > also use this as a test case.  i would think that the general
>> > use-case of this would be out of scope (malicious use of a domain
>> > name).  but it would be in scope if it were used as an attack
>> > vector on a registry or registrar. right?
>> >
>> > so does that mean that we should build a section of our report that
>> > collects these attack-vectors for possible inclusion in a "best
>> > practices" section?
>> >
>> > food for thought, low priority.
>> >
>> > mikey
>> >
>> > PS -- i have the corp.com domain, which started getting masses of
>> > this kind of email as soon as i registered it in the mid-'90s.  i
>> > didn't realize it until i wildcarded the MX for the domain one day
>> > and immediately crashed my server.  for example, somebody would
>> > mis-address mail to HRDept@xxxxxxxxxxxx rather than the correct
>> > HRDept@xxxxxxxxxxxx. so there are other variants of this
>> > vulnerability and perhaps an opportunity for somebody to do a great
>> > good deed by educating folks about this.  btw, i immediately
>> > dropped the MX record out of that domain.  :-)
>> >
>> > - - - - - - - - -
>> > phone      651-647-6109
>> > fax                866-280-2356
>> > web        http://www.haven2.com
>> > handle     OConnorStP (ID for public places like Twitter, Facebook,
>> > Google, etc.)
>> 
>> 
>> 
> 
> 




