Every .io Domain Could Have Been Taken Over
A Mistake Made By .io Registrar Highlights Problems With Vanity Domains
Researcher Matthew Bryant was able to successfully take over the entire .io TLD after a slip-up by its operating registry left authoritative nameservers – a vital part of the DNS system which controls where requests are routed – freely available.
The mistake was noticed by Bryant earlier this month while conducting scans of DNS servers (he has a history of finding security vulnerabilities with other TLDs). Unexpectedly, he found that one of .io’s authoritative name servers was available to register. Authoritative name servers are DNS servers that control resolution of all domains for a given zone, in this case .io. This essentially gives you complete control of the zone because you can now control what IP address any domain routes to.
Not only is that a major security vulnerability – because requests for LegitimateSite.io could be routed to any server while still appearing to be the correct domain – but this could also be used in a denial of service attack to make .io sites inaccessible.
Upon further investigation, Bryant was able to register the domains used by four of the seven authoritative nameservers for the .io TLD. Those domains had been available for weeks, registrable by anyone willing to pay the $90 fee. Once again we are lucky that researchers are looking more closely at internet infrastructure than criminals.
The error has highlighted just how much trust and vulnerability lies with registries, a fact often ignored when we choose to use “vanity” domains, which are often operated by smaller and – in this case – poorly managed registries.
Officially, .io is a ccTLD, or Country Code Top-Level Domain, intended to be used by the Chagos Archipelago in the Indian Ocean. However, it has become popular amongst tech-related services and companies due to its similarity to “I/O,” which means Input/Output.
Domains that incorporate the TLD to spell a word or appeal to a niche are known as “vanity” domains. Libya’s .ly TLD is probably the most popular vanity TLD, known for sites such as Bit.ly and Owl.ly.
.Ly has also had its own problems – the realities of being operated by an oppressive regime at war have tempered the popularity of their ‘fun’ TLD. .Sy, operated by Syria, was also a popular vanity domain until it became a violation of US law to pay for them.
As for .io, the nameservers became available after Internet Computer Bureau, the company given legal authority to operate the .io domain, outsourced most of the operation to another company, Afilias, which specializes in managing TLD
Afilias told The Register that “ordinarily, when a TLD transitions to the Afilias system, 100 per cent of the DNS is also moved to Afilias nameservers.” However, in this case, Internet Computer Bureau held onto operation of the nameservers, and Afilias did not properly mark all of those domains as unavailable.
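A defender-side check the incident suggests: for every nameserver a zone delegates to, confirm that the nameserver's own registrable parent domain is actually registered, since an unregistered parent means anyone can buy it and answer for that slice of the zone. This is an added example, not code from the article or from the registries involved; the nameserver names and the registry database are constructed, and the tiny suffix list stands in for the Public Suffix List.

```python
"""Audit a zone's NS delegation for nameservers whose registrable parent
domain is unregistered (the failure mode described for .io)."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption: stand-in for the Public Suffix List; production code should
# load the real list. These entries only need to cover the sample data.
PUBLIC_SUFFIXES = {"io", "ly", "net", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of host a registrar would sell: public suffix plus one
    label, e.g. 'a0.sample-nic.io' -> 'sample-nic.io'."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)  # host is itself a public suffix or bare TLD


@dataclass
class Finding:
    nameserver: str
    parent: str
    registered: bool


def audit_delegation(ns_hosts: Iterable[str],
                     is_registered: Callable[[str], bool]) -> list:
    """One Finding per nameserver. is_registered would normally wrap a
    WHOIS/RDAP query; here it is injected so the audit runs offline."""
    return [Finding(ns, registrable_domain(ns),
                    is_registered(registrable_domain(ns))) for ns in ns_hosts]


def unregistered_parents(findings: Iterable[Finding]) -> list:
    """Distinct parent domains that could be bought by anyone."""
    return sorted({f.parent for f in findings if not f.registered})


# Constructed sample mirroring the article: seven nameservers, four of which
# have parent domains missing from the (constructed) registry database.
SAMPLE_NS = ["ns-x1.io", "ns-x2.io", "ns-x3.io", "ns-x4.io",
             "a0.sample-nic.io", "b0.sample-nic.io", "c0.sample-nic.io"]
CONSTRUCTED_REGISTRY = {"sample-nic.io"}

if __name__ == "__main__":
    results = audit_delegation(SAMPLE_NS, lambda d: d in CONSTRUCTED_REGISTRY)
    for f in results:
        print(f"{f.nameserver:20} parent={f.parent:16} "
              f"{'ok' if f.registered else 'UNREGISTERED'}")
    print("exposed parents:", unregistered_parents(results))
```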
In 2014, Paul Kane, Director of Internet Computer Bureau, said that they had been given the rights to operate .io “more or less indefinitely, unless we make a technical mistake.” This certainly counts as a technical mistake, but maybe they will be given another shot since no harm was done.