Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.



Nominet: a website, by any other name, would be more secure?

Nominet propose to allow domain names directly under ".uk"; this is better?


So Nominet - the people who own, manage and monetise the top-level .uk DNS domain - propose to allow creation of domain names directly under the UK suffix (PDF).

Thus instead of inflatable-widgets.co.uk you could instead own inflatable-widgets.uk, and it is argued that this is somehow better.

I would argue that in terms of the value it offers, the proposition is actually an irrelevance and potentially harmful overall.

Having top-level domains like ".uk" is certainly an elegant way to distinguish local services like www.gov.uk from www.gov.au - but you can see even in the titlebar of this posting that internet users at large have adopted many diverse ways of naming themselves.

For instance ComputerworldUK is www.computerworlduk.com rather than computerworld.co.uk which is something else entirely; our parent publication is at www.computerworld.com and yet from a business perspective we get along just fine.

Apple do something more interesting: the national Apple domains - www.apple.co.uk, www.apple.de, www.apple.kz, www.apple.com.br - largely redirect to localised content held on the main apple.com website; the exception to this seems to be Apple China but I suspect there are political reasons for that.

Amazon have toed the traditionalist line on domain names so that www.amazon.com is distinct in business and products from www.amazon.co.uk.

All of these different approaches exist, all of them are successful, and there are no (nor should there be) laws to prefer one approach over the other; were the UK Government to suddenly require that:

[...]all companies doing business in Britain or with British citizens must have a .uk domain name

...there would quickly be a revolt and U-turn, or else a collapse in business.

This is because there is no such thing as British Cyberspace, nor indeed is there any other identifiable "natural" national boundary to the flow of information.

Cyberspace is speech, not land.

How The Game Works

The flipside of all boundaries being virtual in cyberspace is that companies which sell virtual real estate can virtually print their own money.

This is literally true with Second Life or other games where the "land" you sell is not the scarce, finite resource that it is in the real world - when they run out of space at Linden Lab they just add more hard drives rather than invade another continent. They have perfect control over supply and can set their own price to reflect or drive demand.

But this also happens with domain registrars, especially those which can create their own namespaces.

The dialogue goes a bit like this:

  1. You make Inflatable Widgets, therefore you should get inflatablewidgets.com so that people can buy from you!

  2. And you should buy inflatable-widgets.com in case someone cybersquats it

  3. Plus you should buy inflatable.widgets.com to improve your SEO

  4. And inflatablewidgets.biz

  5. And inflatablewidgets.net

  6. And their hyphenated equivalents

  7. Plus you should buy inflatablewidgets.co.uk so your trademark is not diluted in the UK

  8. We can also register you in Germany, France, and Benelux (x3) for a modest fee per domain...

  9. You forgot to buy inflatable-widgets.co.uk to stop the evil cybersquatters diluting your trademark and stealing your business

  10. Are you a Public Limited Company? Then you need to own inflatablewidgets.plc.uk!

  11. No? How about inflatablewidgets.ltd.uk?

  12. Hey! Soon you can be inflatablewidgets.uk (and inflatable-widgets.uk too) - Interested?

...and this is where we now are.

For more than 20 years - even in the email era - we had a notion that national boundaries often (rather than occasionally) needed to be reflected in internet communications, and that defensive registration (the above process) was valuable protection against confusion.

The truth today is that to do business on the internet you need only to be findable and look reasonably professional; rather than pick a website language by target domain name - Bienvenue sur www.inflatablewidgets.fr! Vous êtes maintenant définitivement obligé d'utiliser la langue Française - you can instead geolocate IP addresses to speak to new users in their own language.

If you now build a customer base, a reputation and a community then social media and the search engines will take care of the rest, even if you have but a single domain name. A wise company is one which now expends time building its business rather than fighting shadows.

Fears of trademark dilution and cybersquatting remain relevant, but we have appeal processes and amendable laws regarding passing off fake goods and regarding outright fraud, so challenges ought to be addressable; plus, frankly, you can still buy the domains if you are worried about your trademark being diluted in Kazakhstan.

What if you sell phonebooks for a living?

Question: So DNS is now commoditised and may even start to fade in importance; what can the likes of Nominet do to make it attractive again?

Answer: Add Value! Sell the new domain names as being more secure!

Thus: (PDF)

We are therefore proposing to include routine monitoring of domains for malware and viruses on the domain name as part of a new direct.uk service. [...]

Swift notification would enable registrants to take rapid action, allowing their domain to get back online swiftly and thus mitigating the impact on their search engine rankings [...]

As such, we believe that registrants should be required to resolve the infection following notification as soon as reasonably possible in order to preserve the integrity and trust of the direct.uk space. [...]

We would also propose to include a visible trust mark to indicate this enhanced security to customers of the domain, which would increase the benefit to registrants by demonstrating a higher level of security. [...]

We are also proposing to include mandatory DNSSEC signing. This is a security protocol that adds a 'digital signature' to a domain and is considered to be a critical part of securing the internet from cybercrime. It was developed to provide digital authentication / assurance of domain name queries. It reduces the risk of a domain being hijacked and helps to ensure that the user reaches the domain that they intended to, by providing a secure 'chain of trust' from the registry through to the end internet user. [...]

There are a bunch of worrying aspects to these proposals; first and foremost is the question of what this would do to the rollout of DNSSEC to the whole of the rest of the .uk domain. The FAQ excuses this by saying:

It would be unfair to retrospectively impose a new suite of features and requirements on co.uk or any of our other TLDs. .co.uk is already very successful and not all of the existing registrants would want or need the features we are proposing to include in the new service. We are expanding the portfolio to provide a greater choice within the respected .uk portfolio for businesses.

...which seems to translate as "we propose to create a UK DNS hierarchy with two tiers of security against DNS hijack, and will cast adrift all of the existing domains because fixing them is hard work and involves other companies; it's a product differentiator".

The further propositions are:

Nominet will police your website and if they find "malware" (whatever that may be) on your shoddily-maintained CMS then they will knock you off the net for the good of us all; this is an elitist gated community approach to domain-name provision, but (worse) it sets up Nominet in an authoritarian role as well as treading on the toes of other entities which should be in the stack - your sysadmin, your security team, your content provider, your ISP...

Thank you, but I don't want Nominet rattling my doorknobs and kicking me off the net just because a comment on my security blog triggered their malware signature detector. It's hard enough keeping websites up without them being spontaneously de-registered by flaky AV software.

And would they recognise malware before the antimalware companies can? And would Nominet underwrite damages claims against users of direct.uk if third parties become infected? I suspect not.

Someone will have tried to sell this idea as a natural extension of "Broken Windows Theory" as applied to "British Cyberspace", something like:

We will find the diseased websites and remove them from the Net until they clean up their act.

- but it's not really that, it's actually a quango trying to turn itself into a police-like organisation. Note the other proposals - kitemarks for quality and trust sound clever but they are only a step away from website ratings systems, classification and censorship. The suggestion of a "trustmark" at all is faintly disturbing because it suggests possible differentiation within the sites using the direct.uk domain itself, as if having the necessary direct.uk registration is not sufficient.

And what of (like Apple) a hypothetical www.inflatablewidgets.uk website being redirected to the respective .com domain; will a firm be more or less trustworthy for having a website which exists primarily outside the gated community?

The whole proposition is just too worrying.

Nominet exists to provide infrastructure and not to police the web; they could certainly improve the security of that infrastructure by adopting DNSSEC throughout (not that I am entirely sanguine about that) - but as proposed their solution puts me in mind of locking all the passengers deep in the bowels of the Titanic and then selling first-class ticket upgrades to let people out and at the lifeboats.

If this goes through I'd recommend people to save money, ignore national kitemarks and vote with their feet: go buy something in another domain elsewhere once that gets DNSSEC.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.
