ICANN ICANN Email List Archives

[sac053-dotless-domains]


<<< Chronological Index >>>    <<< Thread Index >>>

Expanding on Dan Kaminsky's comments

  • To: sac053-dotless-domains@xxxxxxxxx
  • Subject: Expanding on Dan Kaminsky's comments
  • From: Ian Fette (イアンフェッティ) <ifette@xxxxxxxxxx>
  • Date: Wed, 3 Oct 2012 05:41:15 -0700

In http://forum.icann.org/lists/sac053-dotless-domains/msg00022.html Mr.
Fausett points out:

"While Uniregistry has no plans to implement "dotless domains," it does
foresee a future where applications, protocols and, most importantly,
Internet users expect dotless domains to work in many of the ways that
second-level domains do now. We do not know whether this evolution will
take place over the next year or the next ten years, but when it does, TLD
registries should be able to support change equally with ccTLD operators
and without having to re-negotiate their contracts."

I'd like to follow up to that and point out that unfortunately, the
migration to using the new TLDs in a "dotless" fashion may simply not be
possible in a secure manner given that you are moving into what Mr.
Kaminsky termed an "occupied namespace" in
http://forum.icann.org/lists/sac053-dotless-domains/msg00029.html.

The SSAC report itself points out a practice of certificate authorities
issuing SSL certificates without verification for domain names that appear
internal. Unfortunately, the report incorrectly identifies this as a past
practice. This is still allowed. Last month, I was able to obtain a
certificate from two different certificate authorities for one of the new
TLDs that has been applied for ("delta"), one of which is valid for a three
year period. If http://delta were to be used, those certificates would be
valid for http://delta and could be used to launch a man-in-the-middle
attack against that brand through 2015. In obtaining that certificate, I
did not have to prove ownership of anything related to the term "delta",
this is something anyone could have done. We have no way of knowing how
many other certificates have already been issued that overlap this
namespace which the new TLDs are moving into. So, I would say that at least
for the next three years for sure (as I have concerete evidence for this
time period), such an evolution would be actively harmful. Other collisions
Mr. Kaminsky points out would continue to be problematic for an even longer
period of time, and again, we have no way of knowing what certificates are
out there given the past (and current) standards certificate authorities
are using to evaluate requests for what up to now have appeared to be
"internal" hostnames.

-Ian Fette


<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy