The Internet Corporation for Assigned Names and Numbers (ICANN), the governing body that is a steward for the Internet domain naming conventions, announced in October that they will expand the domain name system (DNS) to include non-Latin characters (non- English) for the first time. So in addition to English domain names, starting in 2010 there will domain names in Chinese, Arabic, Russian and other languages over time.
Domain names-the Internet addresses that end in “.com” and other suffixes-are the key addresses behind every Web site and e-mail address. Since their creation in the 1980s, domain names have been limited to the 26 characters in the Latin alphabet used in English-A-Z-as well as 10 numerals and the hyphen. Technical tricks have been used to allow portions of the Internet address to use other scripts, but until now, the suffix had to use those 37 characters.
This is an exciting event for the hundreds of millions of online users whose native language is not English. However, how will this impact network security going forward?
The well-known security researcher Dan Kaminsky is famous for a critical flaw he found in the Domain Name Service protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to the numeric Internet Protocol address (such as 188.8.131.52). By exploiting the flaw, Kaminsky discovered a DNS server can be tricked into resolving the domain name to a different IP address.
This would allow the attacker to trick someone visiting CityOnlineBank.com to a fake replica of the website that they control. The user would unwittingly give their online bank password to the attacker’s fake website. This is called DNS Hijacking.
That vulnerability has since been patched, but the DNS protocol itself in many ways remains fundamentally insecure. With the advent of non-Latin domain names, could we be heading into a nightmarish scenario with rogue cyber terrorists?
DNSSEC is a proposed protocol that would secure the DNS protocol using public key encryption, but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain.
With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy target to hackers. By hijacking the CityOnlineBank email.com, an attacker could then go to Facebook, Ebay, or any number of online web services and request a new password sent to a user’s email address. This password would then be intercepted by the attacker when it is sent not to the real CityOnlineBank email.com, but the fake one in the control of the attacker. The real user is never involved or aware of the attack at any point.
So the broadening of the Internet to include non-Latin characters is a great thing for the world, but could usher in a new round of security troubles.