Oh IANA, don't you pwn for me

Blog Post created by rapid7-admin on Jan 26, 2011

Originally Posted by Derek Abdine
So there I was. An uneventful Sunday morning watching the Colbert Report on my DVR when a commercial for Overstock.com flashed on my screen. Overstock was touting their newest site address: o.co. Easy for customers to get to! Frustrating for whoever owned o.com. I thought this was a great idea on their part--a site address that is as incredibly easy to remember as it is fast to type. Indeed, the introduction of the .co TLD will offer businesses many new ways to reach their clients. However, in a world full of domain name snatching, the .co TLD is ripe for abuse.


It was surprising to me (or maybe not so much?) that IANA picked .co instead of something like .corp. Such a choice for a TLD makes it easy for someone to mistype .com and end up at the Bank of Malory instead of their intended destination. The flood gates have already opened and .co domains are being snatched up like crazy. This is creating a unique opportunity for some people--steampowered.co (not to be mistaken for steampowered.com, which is Valve's game content delivery platform) has been taken up and held hostage for ads. Yes, over time this may settle down. Over time this may become less of an issue because Valve will eventually (hopefully) register a dispute for the domain name. In the meantime, however, it represents a unique opportunity for phishers.


This creates even bigger problems for SaaS service providers. Thankfully, many banking organizations such as BofA, Citi, etc. have already secured these names. At the time of writing, hsbc.co (again, not to be mistaken for hsbc.com) had been snapped up by a Colombian internet service provider. What kind of services hiding valuable data could be offered as SaaS? CRM? Vulnerability management? Banking? It's literally a wide-open world and a golden opportunity for malcontents.


Something else to keep an eye on would be the potential for SSL fail. What is the probability that, say, a browser vendor matches the certificate CN against the hostname by substring rather than by exact comparison?
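To make the SSL concern concrete, here is an added example (not code from the original post or from any browser vendor) that puts a naive substring check side by side with a label-wise comparison in the spirit of RFC 6125. The certificate names and hostnames it feeds through are constructed for illustration, reusing the hsbc.co / hsbc.com pair mentioned above; modern clients check Subject Alternative Names rather than the CN, but the matching rule is what matters here.

```python
# Added example, not from the original post: a minimal hostname verifier that
# contrasts a flawed substring check with a strict, label-by-label check.
# All certificate names and hostnames below are constructed sample values.
from typing import Callable, Iterable, List, Tuple


def naive_substring_match(hostname: str, cert_name: str) -> bool:
    """Flawed check: accept when either name contains the other as a substring.

    A certificate for 'hsbc.co' passes for 'hsbc.com' under this rule, because
    'hsbc.co' is a substring of 'hsbc.com'.
    """
    h, n = hostname.lower(), cert_name.lower()
    return n in h or h in n


def strict_match(hostname: str, cert_name: str) -> bool:
    """Label-wise comparison (RFC 6125 style).

    Every DNS label must match exactly and the label counts must agree, so
    'hsbc.co' and 'hsbc.com' can never match. A wildcard is honoured only as
    the entire leftmost label and only when at least two labels follow it, so
    '*.co' never covers a whole TLD.
    """
    h_labels = hostname.lower().rstrip(".").split(".")
    n_labels = cert_name.lower().rstrip(".").split(".")
    if len(h_labels) != len(n_labels) or len(n_labels) < 2:
        return False
    if n_labels[0] == "*":
        if len(n_labels) < 3:
            return False  # wildcard too close to the TLD
        return n_labels[1:] == h_labels[1:]
    if "*" in cert_name:
        return False  # partial wildcards such as 'hs*.com' are rejected
    return n_labels == h_labels


def verify(hostname: str, cert_names: Iterable[str],
           matcher: Callable[[str, str], bool]) -> bool:
    """Accept the certificate if any of its names matches under `matcher`."""
    return any(matcher(hostname, name) for name in cert_names)


# Constructed scenarios: (hostname the user typed, names in the presented cert)
SCENARIOS: List[Tuple[str, List[str]]] = [
    ("hsbc.com", ["hsbc.co"]),          # .co lookalike cert shown for the real site
    ("hsbc.co", ["hsbc.com"]),          # the reverse direction
    ("www.hsbc.com", ["*.hsbc.com"]),   # legitimate wildcard certificate
    ("hsbc.co", ["*.co"]),              # over-broad wildcard on a TLD
    ("hsbc.com", ["hsbc.com"]),         # exact match
]


def compare() -> List[Tuple[str, List[str], bool, bool]]:
    """Return (hostname, cert names, naive verdict, strict verdict) per scenario."""
    return [
        (host, names,
         verify(host, names, naive_substring_match),
         verify(host, names, strict_match))
        for host, names in SCENARIOS
    ]


if __name__ == "__main__":
    for host, names, naive, strict in compare():
        print(f"{host:14} vs {names!s:16} naive={naive!s:5} strict={strict}")
```

The two rows that matter are the first two: the substring rule accepts a certificate for one name when the user typed the other, in both directions, while the label-wise rule rejects both. It also shows that the naive rule gets wildcards wrong in the other direction, refusing a perfectly valid `*.hsbc.com` certificate.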


My prediction for 2011:


1. A ton of domain disputes.
2. Phishing attacks on the rise.
3. An abundance of SSL fail.


Happy new year!