ICANN opens up Pandora's Box of new TLDs

• Previous message (by thread): warfare and the Internet [was: ICANN opens up Pandora's Box of new TLDs]
• Next message (by thread): ICANN opens up Pandora's Box of new TLDs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stephane Bortzmeyer bortzmeyer at nic.fr wrote:
> I am very curious of what tests a "security-aware programmer" can do,
> based on the domain name, which will not be possible tomorrow, should
> ICANN allow a few more TLDs.

The difference between '[a-z0-9\-\.]*\.[a-z]{2-5}' and
'[a-z0-9\-\.]*\.[a-z\-]*' is substantial from a security perspective.
Aside from the IP issues it effectively precludes anyone from defining a
hostname that cannot also be someone else's domain name. It's not too hard
to see the problems with that. An analogous network scenario would be IP
addresses of varying length and without a netmask.

> If you test that the TLD exists... it will still work.

Only if A) you are always online with B) reliable access to the tld's
nameserver/s, and C) can deal with the latency.  In practice this is
often not the case.

> If you test that the name matches (com|net|org|[a-z]{2}), then you are
> not what I would call a "security-aware programmer".

Will you still think that when someone buys the right to the .nic tld and
starts harvesting your queries and query related traffic?  Not that that
doesn't happen now, to a far lesser degree.  But it's the extent to which
this presents new opportunities for black hats that should have given ICANN
pause.  Odds are that RBLs will be among the first targets.

Bottom line is the decision was made for it's _monetization_ value, not
security, and customer service was just a pretense.

Roger Marquis

• Previous message (by thread): warfare and the Internet [was: ICANN opens up Pandora's Box of new TLDs]
• Next message (by thread): ICANN opens up Pandora's Box of new TLDs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]