Every .io Domain Could Have Been Taken Over
A Mistake Made By .io Registrar Highlights Problems With Vanity Domains
Researcher Matthew Bryant was able to successfully take over the entire .io TLD after a slip-up by its operating registry left authoritative nameservers – a vital part of the DNS system which controls where requests are routed – freely available.
Bryant noticed the mistake earlier this month while conducting scans of DNS servers (he has a history of finding security vulnerabilities in other TLDs). Unexpectedly, he found that the domain of one of .io’s authoritative name servers was available to register. Authoritative name servers are DNS servers that control resolution of all domains for a given zone, in this case .io. Controlling them essentially gives you complete control of the zone, because you decide what IP address any domain routes to.
Not only is that a major security vulnerability – because requests for LegitimateSite.io could be routed to any server while still appearing to be the correct domain – but this could also be used in a denial of service attack to make .io sites inaccessible.
Upon further investigation, Bryant was able to register the domains used by four of the seven authoritative nameservers for the .io TLD. Those domains had been available for weeks, open to anyone willing to pay the $90 fee. Once again we are lucky that researchers are looking more closely at internet infrastructure than criminals.
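An added example, not from the article or from Bryant's research: a Python audit a zone operator can run over its own NS set to flag nameserver hostnames whose registrable domain is open for registration. The hostnames, suffix list and registration statuses are constructed, and `status_of` is a hypothetical lookup that a real audit would back with registry or RDAP data.

```python
# Constructed suffix list; a real audit would load the full Public Suffix List.
SUFFIXES = {"test", "example", "co.example"}

def registrable_domain(host, suffixes=SUFFIXES):
    """Return the registrable domain (public suffix plus one label) of host."""
    labels = host.rstrip(".").lower().split(".")
    # Scan from the longest candidate suffix so "co.example" beats "example".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")

def audit_delegation(zone, ns_hosts, status_of):
    """Classify each NS host by the domain registration its name depends on.

    status_of is a caller-supplied (hypothetical) function mapping a
    registrable domain to "registered" or "available".
    """
    findings = []
    for host in ns_hosts:
        dep = registrable_domain(host)
        findings.append({"ns": host, "depends_on": dep, "status": status_of(dep)})
    exposed = [f for f in findings if f["status"] == "available"]
    return {
        "zone": zone,
        "findings": findings,
        "exposed": exposed,
        # Share of the NS set that an outside registrant could answer for.
        "exposed_fraction": len(exposed) / len(ns_hosts),
    }

# Constructed NS set: seven hosts, four of which hang off unregistered domains.
SAMPLE_NS = ["a.ns-one.test", "b.ns-two.test", "c.ns-three.test",
             "d.ns-four.test", "a.dns.co.example", "b.dns.co.example",
             "ns.registry.example"]
SAMPLE_REGISTERED = {"dns.co.example", "registry.example"}  # constructed

def sample_status(domain):
    return "registered" if domain in SAMPLE_REGISTERED else "available"

if __name__ == "__main__":
    report = audit_delegation("tld.test", SAMPLE_NS, sample_status)
    for f in report["exposed"]:
        print(f"EXPOSED {f['ns']}: {f['depends_on']} is open for registration")
    print(f"{len(report['exposed'])} of {len(SAMPLE_NS)} nameservers exposed")
```

Any exposed entry means the operator should register or reserve the listed domain, or drop that host from the NS set, before someone else claims it.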
The error has highlighted just how much trust and vulnerability lie with registries, a fact often ignored when we choose to use “vanity” domains, which are often operated by smaller and – in this case – poorly managed registries.
Officially, .io is a ccTLD, or Country Code Top-Level Domain, intended to be used by the Chagos Archipelago in the Indian Ocean. However, it has become popular amongst tech-related services and companies due to its similarity to “I/O,” which means Input/Output.
Domains that incorporate the TLD to spell a word or appeal to a niche are known as “vanity” domains. Libya’s .ly TLD is probably the most popular vanity TLD, known for sites such as Bit.ly and Owl.ly.
.Ly has also had its own problems – the realities of being operated by an oppressive regime at war have tempered the popularity of its ‘fun’ TLD. .Sy, operated by Syria, was also a popular vanity domain until it became a violation of US law to pay for them.
As for .io, the nameservers became available after Internet Computer Bureau, the company given legal authority to operate the .io domain, outsourced most of the operation to another company, Afilias, which specializes in managing TLDs.
Afilias told The Register that “ordinarily, when a TLD transitions to the Afilias system, 100 per cent of the DNS is also moved to Afilias nameservers.” However, in this case, Internet Computer Bureau held onto operation of the nameservers, and Afilias did not properly mark all of those domains as unavailable.
In 2014, Paul Kane, Director of Internet Computer Bureau, said that they had been given the rights to operate .io “more or less indefinitely, unless we make a technical mistake.” This certainly counts as a technical mistake, but maybe they will be given another shot since no harm was done.