Security Experts:

New gTLDs Represent Internet Security Gains

Fraudulent Domain Registration

In the corporate world, there has been an understandable degree of anxiety about ICANN's new generic top-level domain (gTLD) program. Through April 12, any organization in good standing will be able to apply to enter into an agreement with ICANN to own and operate a new gTLD of their choosing, and the likely scale of the expansion has incited a fear of the unknown in some quarters.

We could see more than 1,000 new gTLD applications filed before the current window closes. Some plans already in the public domain include community-driven domains such as .eco and .gay, geographic gTLDs such as .london and .paris, and open, generic terms such as .shop and .app. We'll also likely see numerous "dot Brand" gTLDs. For example, the Singaporean communications firm StarHub and the Australian Football League have recently revealed plans for .starhub and .afl.

With such a large expansion of the current list of 22 gTLD domains like .org and.info, nervousness about possible unintended consequences should be expected. However, the ICANN program -- as explained in its comprehensive 350-page Applicant Guidebook and supporting documents -- contains numerous safeguards, restrictions and incentives to make new gTLDs more secure and less prone to fraud than the existing gTLD space.

New gTLDs will help secure the infrastructure

Since ICANN's goal is to encourage competition and innovation, new gTLD operators will be given a degree of flexibility in how they run their businesses. But when it comes to managing their infrastructure, ICANN has put in place some strict rules. Not only must new gTLD registries be rigorously standards-compliant in terms of their basic registration services, they are also required to adopt security-aware protocols like DNSSEC and IPv6.

DNSSEC (Domain Name System Security Extensions) is an upgrade to the current DNS protocol that enables greater levels of trust. Using cryptographic keys, domain name look-ups are digitally signed, helping to prevent a whole class of man-in-the-middle attacks, including the one caused by the notorious Kaminsky Bug. Broad DNSSEC adoption may also enable new, innovative security services that we can only imagine today.

Organizations applying for new gTLDs agree to implement DNSSEC as part of the standard Registry Agreement that they must sign before going live. Some may even choose to make DNSSEC mandatory for their customers' domain names, offering value-added services to create a more secure zone. By enforcing DNSSEC compliance, ICANN will likely help jump-start the rollout of this security standard.

IPv6 support is a scored component of ICANN's evaluation criteria. New gTLD registries will be required to operate at least two IPv6 name servers, as well as offering services such as WHOIS over IPv6. They must be able to support IPv6 glue records, enabling domain name registrants to address their own name servers using the protocol.

Many new gTLDs will discourage fraud

Mindful that criminals often use domain names to hoodwink Internet users, the ICANN community has spent years creating a raft of new measures designed to limit the potential for new gTLDs to be used for fraud.

Domain Name RegistrarsFirst, new gTLD applicants will undergo a thorough background check to ensure that no disreputable entities are able to take charge of their own top-level piece of the Internet infrastructure. The $185,000 application fee and the rigorous technical and financial evaluations will also help filter out potential wrongdoers. Every application will also be published for public comment; any Internet user will be able to view details about the applicant and its plans, which will help raise issues of concern.

Many expected new gTLD business models will have security baked in from the outset. Take the “dot Brand” concept, for example. Companies that are particularly prone to counterfeiting and phishing will be able take control of their own branded space on the Internet. To pick some hypothetical examples, Pfizer could apply for .viagra or Gucci could apply for .gucci. Because these dot-brands would be restricted to the brand owner and/or its licensed retailers, these gTLDs stand to instill a sense of confidence in consumers when they buy branded products online.

A similar benefit will emerge from gTLDs representing industries that are currently vulnerable to attacks such as phishing. For example, a ".bank" address could be a hallmark of a vetted, authorized provider of financial services. Unlike gTLDs such as .com and .info, which are open to all by design, many new gTLDs will be restricted to manually approved registrants, meaning that cybersquatting and typosquatting in those vertical name spaces would be very difficult. The benefits of dot Brands and dot Industries will require marketing to be fully realized, and will not arrive overnight, but in the longer term they will create a more robust, trustworthy Web.

For less-restricted new gTLDs, ICANN has also created a number of rights-protection mechanisms that will help brand owners more effectively combat fraud. A new Trademark Clearinghouse will support two services designed to protect brands from cybersquatting during the launch phase of new gTLDs. A newly designed Trademark Claims service puts both brand-owner and potential registrants on notice of a possible cybersquatting challenge at the point of sale, while a Sunrise service will dramatically simplify the process of obtaining defensive registrations, should brand holders wish to participate.

All new gTLD applicants will also be scored against their willingness to introduce new WHOIS services. A promise to offer a WHOIS database searchable by the name of the registrant earns an applicant extra points during the ICANN evaluation process, for example, as does a commitment to verify that WHOIS data is accurate. These measures will make it harder for the bad guys to obtain domain names fraudulently and will make spotting patterns of bad faith much easier to spot.

Overall, the new gTLD program will create domain name registries with a much greater level of security than many of those in existence today. While nobody can predict the future (and criminals have a tendency to look for loopholes in any process), the safety measures ICANN has made standard for new gTLDs should help to ensure that this unprecedented expansion of the domain name system has a net benefit on the security and stability of the Internet.

Subscribe to the SecurityWeek Email Briefing
view counter
Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.
view counter