Enter the Matrix: Which .HOME is the real .HOME, Neo?

FairWinds Partners —  April 5, 2013

Verisign recently released a report highlighting a key security concern surrounding the new gTLD roll-out:  Intranet extensions like .local or .home.  How can such seemingly innocuous (and even comforting) words represent a serious security concern?

Apparently, the answer is when the formerly “homegrown” Intranet extensions are also launched in the world wide web as Internet extensions.

FairWinds Managing Partner Phil Lodico observes that some large enterprises have and continue to use “generic” TLDs within their networks. Because these TLDs are specific to a company’s own network, one enterprise in New York City could have an internal TLD named .local and another enterprise in Boston could have a completely separate .local on its network. The two networks are not connected, and so it doesn’t matter that there are two .local TLDs.

However, as Versign points out, some of these internal networks received digital certificates for their internal TLDs. (An example of a digital certificate is the little lock, or Secure Sockets Layer (SSL), that appears at the bottom of a webpage to indicate that it is safe to complete a financial transaction from that site.) In the example of .home, a disgruntled employee with access to one of the network-specific SSLs on .home could spoof a credential for a website such as Nike.HOME or HSBC.HOME.   In the reverse scenario, an employee of a company with an Intranet that uses a soon to be “real” Internet TLD could be vulnerable to an attack if they attempt to access their Intranet version of “.home” while outside of the network.

In this parallel cyberspace scenario, is it the internal network’s problem that they created an Intranet using a generic extension when ICANN has stated since its inception that there would be new gTLDs – some of which would be generic?  Or is it ICANN’s fault because it oversees the entire space?  Ultimately, Lodico concludes, the burden lies on the Intranet network operators and ICANN leadership.  Cyber space is comprised of both and must safely coexist.

Where’s Keanu Reeves – er, Neo – when you need him?