[NCAP-Discuss] Additional comments on the comments to the Scarfone Draft

Rubens Kuhl rubensk at nic.br
Wed May 6 23:27:41 UTC 2020



> On 6 May 2020, at 19:57, Danny McPherson <danny at tcb.net> wrote:
> 
> On 2020-05-06 17:42, Rubens Kuhl wrote:
> 
>> This is WPAD, which I already mentioned as suggested by then
>> applicants as a string to be blocked at the 2nd level and as one of
>> the few discovery protocols not using _.
> 
> But it's not blocked Ruben and those same queries are still leaking post CI and users are at risk, that's precisely the point! -- it's not blocked in the example domains they have in their attack and exploitation blueprint and it's actually being sold as a premium in some new gTLDs and for sale all over the new gTLD retail and secondary market -- this precisely illustrates the issue here where users and consumers are at risk.

Which for me suggests either an advisory or policy blocking WPAD from registration at all TLDs, not something specific to new gTLDs. For instance, wpad.com and wpad.net are much more harmful since those TLDs have lots more registrations... they are registered, and for now we depend on the good intentions of the registrant of those domains (it's the same organisation), the same situation we had with corp.com.

> 
> But WPAD is the obvious one, there are thousands of DNS Service Discovery protocols and others that are problematic for reasons outlined in numerous peer-reviewed research that's been cited here (and that ICANN funded early on, even) - you can continue to ignore it for whatever reason you choose but these protocols and namespace collisions result in billions of queries to the root and can be exploited to enable MiTM attacks well after delegation and CI - e.g., precisely the same as the corp.com coffee shop example that is an artifact of .CORP and search list processing.

As I mentioned before, except WPAD, all the ones I've seen in the wild use underscore compositions (like _tcp and _udp), making those vectors non-exploitable with domain names. So I will ask again: how many and how harmful are those that do not use _?


> I don't believe "Let's let law enforcement solve the problem nothing to see here" is an answer the board would want to hear or this working group should offer.

I mentioned that in the past, as in we would have known through LEAs after the many years of the program if something was exploited in the wild.
The detection cycle would be too slow for us to decide on future endeavours, but the fact is that with so many years behind us, we know that the TLDs delegated in the 2012 round didn't cause it.
But the delegation of .web might cause it, since Web is very meaningful and largely used. Shall we stop the path to .web delegation to prevent the risks you mentioned?


Rubens
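As an added example (not part of the thread and not from either poster), the distinction Rubens draws above applied to resolver query logs: leaked names are sorted into underscore-labelled DNS-SD names, which no registrant can claim, and plain hostnames such as wpad.<suffix>, which can be. The log format, the sample lines and the set of plain discovery hostnames are assumptions.

```python
import re
from collections import Counter

# Constructed sample resolver query log (not from the thread). Assumed format:
# "<client-ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 wpad.corp. A
10.0.0.5 wpad.example.web. A
10.0.0.7 _ldap._tcp.dc._msdcs.corp. SRV
10.0.0.7 _kerberos._udp.corp. SRV
10.0.0.9 mail.corp. A
10.0.0.9 _sip._tls.example.net. SRV
"""

# A label that may appear in a registered domain name: letters, digits, hyphens (LDH).
LDH_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)

# Discovery names that are plain hostnames rather than "_service._proto" labels.
# Only WPAD is named in the thread (assumed set; extend with your own findings).
PLAIN_DISCOVERY_HOSTS = {"wpad"}

def labels(qname):
    return qname.rstrip(".").lower().split(".")

def is_registrable(qname):
    """True when every label is LDH. An underscore label ("_tcp", "_udp") can
    never be part of a registered domain, so a leaked query for such a name
    cannot be captured by registering the colliding string."""
    return all(LDH_LABEL.match(lbl) for lbl in labels(qname))

def classify(qname):
    """Return (tld, verdict) for one leaked query name."""
    lbls = labels(qname)
    tld = lbls[-1]
    if not is_registrable(qname):
        return tld, "underscore-label"        # DNS-SD style, not registrable
    if lbls[0] in PLAIN_DISCOVERY_HOSTS:
        return tld, "plain-discovery-host"    # wpad.<suffix>: registrable, auto-used
    return tld, "plain-host"

def audit(log_text):
    """Classify every query; returns a list of (client, qname, tld, verdict)."""
    out = []
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        tld, verdict = classify(qname)
        out.append((client, qname, tld, verdict))
    return out

def summary(findings):
    """Count verdicts per TLD: which namespaces carry registrable discovery leaks."""
    return Counter((tld, verdict) for _, _, tld, verdict in findings)
```

Run `audit(SAMPLE_LOG)` and `summary(...)` over a real resolver export to see how many leaked discovery names in a given TLD are actually registrable.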



