Why you should prepare for the domain expansion plan

Internet entrepreneurs may have their pick of millions of new domains by summer’s end.

That’s because the Internet will soon include dozens — or even hundreds — of new top-level domains, the “extensions” that appear at the end of a domain name, like .com or .edu.

For new businesses, the expansion offers a spate of exciting new possibilities to choose from, including “.music” or “.store.” Hundreds of top-level domains may also be available in a variety of languages, including Chinese and Arabic, as well as brand names like “.apple.”

The plan has received a green light from the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit organization that regulates and manages domains. ICANN has received over a thousand proposals for new top-level domains. The organization approved the first four new top-level domains Sunday at an international conference for industry officials in Durban, South Africa.

But security experts say the plan has unforeseen — and potentially disastrous — consequences for consumers and brands. VentureBeat has called on some experts to find out what you need to know.

Consumers: Approach with caution

We cannot stress this enough: Do not hand over your credit card information just because the website has a legitimate-looking domain name, like www.mac.apple or www.harvard.law.

These new domains will be open for the taking — and for possible hijacking. Cyber-squatters may be looking to exploit a company’s brand or trademark. As David Mitnick, the founder of Domain Skate, put it in a recent article, “Cyber-squatters do a lot more than just confuse Internet users and hold your brand name hostage – they can send malware and dupe loyal customers into divulging personal information.”

Unsuspecting consumers will be hit with a new slew of websites with brands or trademarks they recognize and trust, whether it’s a “.ibm” or a “.law.” But these sites might be orchestrated by criminals attempting to capture data or payment information.

“These new domain names will make it easier for scammers and provide many more avenues to get payment information,” said Pieter Gunst, an Internet policy expert and lawyer.

It’s not just consumers who will pay the price.

“Online payment businesses will pay a high cost for fraud,” said Gunst, who is also the founder of LawGives, a startup that provides online legal services.

For this reason, payments giant PayPal has sharply rebuked ICANN for the expansion — and issued a stern warning to consumers. After all, an increased incidence of fraud would drive up the cost of payment processing.

PayPal’s Information Risk Management officials Brad Hill and Bill Smith wrote a letter to ICANN in March: “The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems.”

With ICANN downplaying these fears, Gunst recommends some best practices and steps that consumers can take to protect themselves:

  • Review the terms of use to see which organization is operating the service. Illegitimate sites are unlikely to have terms of use, and their absence is your first warning sign. Be wary, though: skilled criminals can create realistic-looking terms of use, which are simple enough to replicate.
  • The “s” matters. Always use HTTPS when you browse websites. The encryption within HTTPS is intended to provide benefits like confidentiality, integrity, and identity.
  • Do your research. Before handing out credit card information, perform at least a cursory check — on consumer review sites, not the site in question — to see if other consumers have complained about that site or service.

On a more positive note, Gunst believes that we are more aware of threats to security than we used to be. The domain expansion may be another “tool in the toolbox” of cyber-criminals, he said, but consumers can take effective measures against phishing.

Brands: Get prepared

The first step is to register a generic top-level domain (gTLD) now — and potentially avoid expensive lawsuits later. Some brands are setting aside thousands of dollars to win control of new domains. Amazon is already in hot water for its ongoing attempts to register .read, .author, and, of course, .book.

Companies should also make sure their network engineers and IT teams are aware of the security risks and have protocols in place.

Rumors have been spreading for months that hackers will have an easier time overriding encryption protections that safeguard corporate email servers and company intranets. Ars Technica fears that the introduction of domains such as “.domain,” “.localhost,” or “.belkin” could cause significant disruption for a number of networks.

If that were not enough, the Washington Post reports that if domains like “.med” come under attack, this could potentially slow down emergency responders or put lives at risk.

Finally, “Merchants need to be very active in informing their customers if they expand to any of these new domains,” Kate Scisel, an online payments expert and the COO of People+, told us. “And consumers must be vigilant when receiving solicitations or connecting with domains they are not familiar with.”

Early-stage startups: Don’t sweat it

All these new domains pose new opportunities for startups, and like major brands, many are beginning the preregistration process.

But Altay Guvenich, who runs a talent management agency for startup developers, is advising tech entrepreneurs to focus their energies elsewhere. Do not spend weeks contemplating a new domain.

“Founders should keep things simple. Do what you need to defend your brand, but don’t spend too many cycles on it,” Guvenich told me. “Your product or service will make or break your company. Not your domain name.”

After all, what’s in a name? Facebook was thefacebook.com for years; Dropbox was getdropbox.com.

ICANN: ‘It’s not like it’s a runaway train’

Jeff Moss, the chief security officer for ICANN, told the Washington Post that fears have been overblown. He argues that the expansion will occur gradually — and the organization will be in a position to deal with issues as they arise.

“It’s not like it’s a runaway train without recourse,” Moss said. “We’re not going to do anything that harms the security or stability of the Internet.”

ICANN has also stressed that only a small number of domains are likely to cause problems.

Note that ICANN stands to profit from the virgin Internet real estate — whoever gains control will sell licensing rights for the resulting new web addresses, with a portion of the revenues going to ICANN.

Security issues aside, Gunst believes that the “opening up” of the Internet is a good thing and in the long run will help new Internet businesses succeed.

What are your thoughts on the domain name expansion plan? Let us know in the comment section below.