Tuesday, May 30, 2017

“.brand” new gTLDs and Homograph attacks

Homograph attacks are a good reason to get rid of “.com” for good and move to a “.brand” new gTLD. Here is why.
Most domain name extensions accept IDNs (internationalized second-level domains, meaning non-ASCII characters) and all browsers read them. The problem with IDNs is that they can be used to fake a domain name, and while most browsers detect homoglyphs and “translate” them, this is not the case for old browsers. On a “.brand” domain name extension, the Brand controls domain name registrations and decides which domains are registered; this is not the case with “.com”. This article is the third update of an article written on the 18th of May 2017 and previously entitled “.brands” & Homograph attacks.

Why protecting consumers matters
The reason it matters for Trademarks to protect their consumers online is that their clients won’t complain to them, nor will they ask for their money back, if they face a homograph attack. Image is important too... of course.

Restricted access to registering “.brand” domain names makes a huge difference in terms of security: attackers won’t be able to create a homoglyph. They will on a “.com”.

What are we talking about?

Homograph attack free
An attacker can launch a homograph attack using any open extension that accepts IDNs. But while he can cheat by hiding inside the second-level domain name using homoglyphs (when the registry allows them) or mistypes, he cannot do so with a “.brand” domain name, because he is not allowed to register such domain names. Only the owner of the “.brand” Registry is.

Recognition: the extension is the seal
When a client is trained by the Trademark to visit hyperlinks ending in a “.brand” domain name extension, he becomes used to it, so the ending of an email received or of a website visited certifies that the content is from the Trademark.

Beware of browsers
Some browsers, like the previous version 57.0.2987.146 of Chrome (in Chromium), still translate homoglyphs. This means that the examples below will still show in a browser!!!

Phishing and homograph attacks
In a phishing attack, you receive an email asking you to click on a hyperlink, whose title would be “click here”; clicking takes you to a fake website (asking for money or information). Such links can be double-checked by hovering the mouse over the hyperlink, which makes it possible to see the real hyperlink prior to clicking. Some more sophisticated phishing attacks even use mistyped domain names such as GuiІІon.com (fake site) for Guillon.com (real site). Note that the two letters “l” in the fake site are in fact two decimal “i”, a letter of the Cyrillic script (it also works with “0” replacing “o”). When you hover your mouse over the hyperlink, you will note that the domain name shows two “i” (instead of two “l”). Phishing attacks are in fact spam campaigns asking you to click on a hyperlink that takes you to a fake website.

Homograph attacks are the same, but the problem is that the link you are asked to click on is exactly the same, visually speaking, so you cannot double-check whether the link you are about to click on is the right one. Homoglyphs are used here: words whose letters’ shapes appear identical or very similar to one another. Internationalized Domain Names (IDNs) are used for this. A recent example given in the press was “epic.com” (real site), which is also “xn--e1awd7f.com” and “epic.com” (fake site). Try the two of them in the address bar of version 57.0.2987.146 of Chrome and you will note that both read as “epic.com”. The problem? They are two different websites under the exact same “.com” domain name. Imagine such an attack using your domain name: scary, isn’t it?
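As an added example (not part of the original article), the Python code below decodes the “xn--” form of a hostname and flags labels that imitate an ASCII name, covering both the mixed-script case and the whole-label case described above, and going slightly further by separating them from ordinary IDNs. The function names and the small LOOKALIKES table are assumptions made for this illustration.

```python
import unicodedata

# Small constructed table of Cyrillic letters that resemble ASCII letters.
# Illustrative only; Unicode's confusables data is the complete source.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0406": "l",  # U+0406 is the capital used for "l"
}

def script_of(ch):
    """Coarse script taken from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def decode_label(label):
    """Unicode form of one DNS label; decodes the xn-- (Punycode) form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_host(host):
    """Return (raw, unicode, ascii_skeleton, verdict) for each label."""
    findings = []
    for raw in host.split("."):
        text = decode_label(raw)
        scripts = {script_of(c) for c in text} - {"COMMON"}
        skeleton = "".join(LOOKALIKES.get(c, c) for c in text)
        if text.isascii():
            verdict = "ascii"
        elif len(scripts) > 1:
            verdict = "mixed-script"   # e.g. Latin and Cyrillic in one label
        elif skeleton.isascii():
            verdict = "lookalike"      # whole label imitates an ASCII name
        else:
            verdict = "idn"            # non-ASCII, no ASCII twin found
        findings.append((raw, text, skeleton, verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample input: the two hostnames quoted in the article,
    # the real ASCII name, and an unrelated Cyrillic label for contrast.
    for host in ("epic.com", "xn--e1awd7f.com", "Gui\u0406\u0406on.com",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.com"):
        for raw, text, skeleton, verdict in inspect_host(host):
            if verdict != "ascii":
                print(f"{host}: {raw!r} shows as {text!r}, "
                      f"reads like {skeleton!r} -> {verdict}")
```

A mail gateway or link checker can apply the same test to the hostname behind a hyperlink and treat “mixed-script” and “lookalike” verdicts as grounds for showing the “xn--” form instead of the Unicode one.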

Why change now?
For .BRAND new gTLD applicants who still don’t know what to do with their own domain name extension, changing now allows them:
  • To start training and informing their consumers to visit a new website: “this takes time”;
  • To homogenize their domain name portfolio and stop registering more domain names they will probably never use: there will be more domain name extensions created in the future and, unless I am wrong, this means more domain names to register for any Trademark that wants to secure its assets;
  • To enhance their clients’ level of security: chances are high that the level of sophistication of attacks won’t lower in the future, and “.brand” domain names are a barrier to these.

Banks should consider
Banks that have not (yet) applied for their own domain name extension should consider using a .BANK domain name for the same reasons. Attackers cannot have access to “.bank” domain names since these are restricted to banks. In short, it means that a bank can drastically increase its existing and future clients’ level of online security by using an extension which is not open to the public.

Making sense
Migrating to a single .BRAND new domain name extension makes sense if:
  1. All other domain names are redirected to the new “.brand” domains so existing users are trained to visit the new .BRAND domain name;
  2. Existing and new clients are informed about this change well in advance so it does not cause confusion;
  3. Existing and new clients are told that any information coming from other domain name extensions (emails or websites) is not certified as coming from the Trademark.
The objective of such a move is to:
  • Guarantee existing and future clients the highest level of security;
  • Lower the level of confusion due to the large number of new domain name extensions created;
  • Increase the level of trust with one single source of information.

5 comments:

Jim Schrand said...

Very relevant article, Jean. As you noted, in addition to .Brands, this protection applies to .Bank because they verify all registrants and will not allow a "fake" registration. There are a number of TLDs that also verify registrants, including .Autos, .Boats, .Homes, .Motorcycles, and .Yachts. A full list can be found on the Verified TLD Consortium site at https://www.vtld.domains/member-list/. This is a significant benefit to both registrants and consumers.

Jovenet Consulting said...

Doesn't this limit registrations?

Jim Schrand said...

Yes, all verified TLDs limit registrations. This is the process that eliminates the risk of homograph and similar attacks in .Brands, .Bank, and other verified TLDs.

Jovenet Consulting said...

Compatible with profitability?

Robert Desvalon said...

A recent study from Farsight Security: https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/
