You’re used to seeing domains ending in .com, .net, and the other familiar
endings known as top-level domains.
But … .bank? .microsoft? .paypal?
Perhaps even .leo? .askleo?
ICANN, the Internet Corporation for Assigned Names and Numbers, is in the
process of rolling out the ability to purchase your own top-level domain. It’s
not cheap (you won’t be seeing .askleo any time soon), but it is
Unfortunately, one of the expected side effects is a massive increase in
phishing attempts. And if you’re not careful, you could fall victim.
New top-level domains
The concept is very simple: there’s no technical reason that the internet should be limited to domains that all end in one of a small set of tightly controlled top-level domains or TLDs.
They are somewhat useful. Aside from the ubiquitous .com, .net, and the other generic TLDs (gTLDs), most of the existing TLDs are country-code TLDs, used to identify the country of registration. Even though some countries don’t restrict registration (Bit.ly, for example, is not related to Libya, and about.me has nothing to do with Montenegro), many, if not most, do.
But those are all conventions of convenience – there’s really no technical reason that TLDs need to be limited to only that set.
And, beginning this year, they won’t be.
For the modest sum of $185,000 US, you can apply for a new, generic top-level domain (there is an application process and certain requirements must be met).
Assuming that you are successful and gain ownership of that domain, then you control what happens on that entire top-level domain. Were I to own .leo, then I could create ask.leo as a domain for my website or mail. (Don’t worry, I don’t have a spare $185,000 to do it.)
The introduction of new, open gTLDs has been fairly controversial.
Some have likened it to a protection racket, encouraging companies and other institutions to purchase related top-level domains even if they have no intention of using them. “I’d sure hate to see someone register your gTLD and damage your name – but for only $185,000, you can protect it.”
Many have expressed concerns that ICANN has ignored consistent and negative feedback from the tech community before proceeding with the gTLD expansion.
Regardless of the confusion, or even the varying opinions on the matter, it appears to be here.
The risk to the average user
On the surface, it appears to be fairly benign to the average user. But even without anyone purchasing a single new gTLD, the mere possibility that they might exist gives phishers a whole new pretext.
Imagine receiving a message that appears to be from your bank:
Here at [bank name], we’re proud to announce that we’re changing our web address from the old [bank name].com to the fantastic and wonderful for our customers [bank name].bank.
Followed by an obfuscated URL, encouraging you to “login with your credentials” as needed for the change. (See Coming in your Future! – “An important message from your .bank!” from Lauren Weinstein’s excellent Network Neutrality Squad and People For Internet Responsibility mailing lists for the complete example.)
While the possibilities for phishing attempts leveraging the confusion surrounding domain names far exceed just the potential .bank gTLD, that one alone has enough issues that the European Banking Authority has told ICANN it believes that proposed financially-oriented gTLDs such as .bank are dangerous and should be banned. Beyond simple phishing, the concern here is that having a .bank domain might imply more to consumers – such as regulation, and perhaps even legitimacy – than is actually warranted.
The new TLDs might be moot in practice
What’s interesting here is that the new gTLDs might well be trying to fix something that for all intents and purposes isn’t broken.
Part of that is simply that many people don’t use top-level domains the way we might think. Many don’t type them in at all – ever – relying instead on search engines to act as their navigational portal to the rest of the internet.
For example, Google’s #1 search term for 2011? Facebook. Not because people couldn’t find Facebook, but because they were entering “facebook” into the search engine as their way of going to Facebook.
Facebook’s actual domain would be irrelevant as long as it was the first search result that people would click on.
The same has been true for other popular sites for a long time. The terms “Hotmail” and “Yahoo” have also ranked highly for the exact same reason.
In a world where people use search engines as a primary navigation tool, actual domain names become significantly less relevant, regardless of what top level domain they happen to be on.
What this all means to you
I think it boils down to two very simple things:
Distrust new top-level domain names by default. I know I will. I’m not saying avoid them completely, but I am saying think twice before visiting any site that uses a gTLD that you don’t recognize. An overabundance of caution is absolutely called for, particularly until the new ecosystem of domain names and owners settles down.
Don’t fall for phishing. This isn’t new, but the phishing attempts that will no doubt exploit the confusion surrounding new top-level domains will be significant. The old adage of not clicking on links in email that you aren’t 100% certain of applies now more than ever. Remember that the top-level domain is the last label of the host name, whatever appears before it: a link to secure.bank.com.example.bank is on .bank, not .com, and the text displayed for a link in an email need not match where the link actually goes. If you’re the least bit uncertain, avoid the email and visit the site that it claims to be from directly – using extreme caution if it’s a new gTLD based domain. Consider using a search engine to find the correct URL.
Hopefully, with luck and a little bit of caution, we’ll look back in a few years and think of this as a non-issue. Unfortunately, the risks until then remain high.