

ICANN bans dotless domains - itafroma
http://www.icann.org/en/groups/board/documents/resolutions-new-gtld-13aug13-en.htm

======
xSwag
An XSS vulnerability on a dotless domain can lead to XSS on the entire tld.
See top level universal XSS[1]

[1] [https://superevr.com/blog/2012/top-level-universal-xss/](https://superevr.com/blog/2012/top-level-universal-xss/)

~~~
maxjus
Here's the best part -- these websites are built terribly and are very open to
this sort of thing.

After about 2 minutes of looking, I've just found that nic.io (or just io.)
basically lets you type arbitrary html into the search boxes. Chrome's built
in XSS auditor catches any scripts you put in there, but (at least) Firefox
doesn't.

Check it out:

[http://io./cgi-bin/whois?query=%3Ca%20href=%22%22%3E%3Cu%3EA...](http://io./cgi-bin/whois?query=%3Ca%20href=%22%22%3E%3Cu%3EArbitrary%20HTML!%3C/u%3E%3C/a%3E%3C/h3%3E%3Cimg%20src=%22http://humananatura.files.wordpress.com/2011/08/hn-initials.jpg%22%3E%3Cscript%3Ealert\('this%20will%20pop%20up%20in%20firefox!'\);%3C/script%3E%3Ch3%3E)

If you load it in Firefox (or any browser without an XSS auditor) it'll pop an
alert, otherwise you'll just see the image I loaded and a link I inserted.

This is ridiculous.

~~~
mintplant
I attempted to notify them of this, but their contact form validator rejects
anything I put into it. The whole site is a mess.

~~~
tankenmate
Contact the ccTLD compliance (!!) team at ICANN;
[http://www.icann.org/en/resources/compliance/cctld](http://www.icann.org/en/resources/compliance/cctld)

------
im3w1l
Whereas, that was long and detailed, I am still not entirely sure what
security and stability risks it is supposed to address.

~~~
kijeda
The IAB put out a statement “Dotless Domains Considered Harmful” that explains
some of the risks if ICANN changed the rules to allow them. As it stands, they
were already prohibited and this resolution reaffirms that.

[http://www.iab.org/documents/correspondence-reports-document...](http://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/)

~~~
itafroma
> As it stands, they were already prohibited and this resolution reaffirms
> that.

Slight nitpick: they were prohibited only without prior ICANN approval (second
whereas). Companies like Google attempted to get that approval (Google wanted
"search"), which spurred ICANN into making a decision about what circumstances
they would allow them. This decision essentially states ICANN won't approve
any dotless domains.

------
ddol
Poor Anguilla - [http://ai./](http://ai./)

~~~
walid
WTF! So "ai" is a sub domain of nothing!?

~~~
chewxy
DNS root domains have no names. That makes [http://ai/](http://ai/) a fully
qualified domain name. But apparently ICANN has now banned such things. Gods
know why. My eyes glazed over after the 10th "whereas". That document reads
like a legal document. Ugh

~~~
nknighthb
> _That document reads like a legal document._

That's because it is.

------
infogulch
Awesome, so when can SSL certs be valid signers for all subdomains now that it
can't be abused at the level of tld?

~~~
delinka
Do you mean like a wildcard certificate?
[http://en.wikipedia.org/wiki/Wildcard_certificate](http://en.wikipedia.org/wiki/Wildcard_certificate)

~~~
hwatson
Wildcard certificates are only valid for the subdomain level directly under
it. [1] If I get a wildcard certificate for example.com (the common name is
set to *.example.com), foo.bar.example.com will throw an error.

[1]
[https://en.wikipedia.org/wiki/Wildcard_certificate#Limitatio...](https://en.wikipedia.org/wiki/Wildcard_certificate#Limitation)

~~~
duskwuff
The specification isn't particularly clear, but it seems to me that RFC 2818
section 3.1 [1] could permit some dangerously broad wildcards like "*.com",
"www.*.com", or even "*.*". Combined with subject alternate names, it may be
possible to create a certificate that's valid for almost anything.

[1]: [http://tools.ietf.org/html/rfc2818#section-3.1](http://tools.ietf.org/html/rfc2818#section-3.1)

~~~
jasomill
IIRC, top-level and "match all" wildcard certificates were originally
permitted by design (e.g., for intranet and proxy applications), but most
modern browsers block them for security reasons.
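An added example (not code from the thread or from any of the posters) showing the hostname-matching rule discussed in the comments above: a wildcard covers exactly one label, so `*.example.com` matches `foo.example.com` but not `foo.bar.example.com`, and the overly broad forms (`*`, `*.com`, `www.*.com`) are refused the way jasomill describes browsers doing. The public-suffix set and all names are constructed for the example; it is stricter than a literal reading of RFC 2818 (partial-label wildcards like `f*.com` are also rejected).

```python
"""Wildcard certificate-name matching with browser-style restrictions."""

# Constructed stand-in for the public suffix list (publicsuffix.org); a real
# implementation would load the full list. Assumption for this example.
PUBLIC_SUFFIXES = {"com", "io", "ai", "co.uk"}


def wildcard_is_acceptable(pattern: str) -> bool:
    """Reject wildcards browsers refuse: '*', '*.<tld>', '*.<public suffix>',
    a wildcard outside the leftmost label, or a partial-label wildcard."""
    if "*" not in pattern:
        return True  # plain name, nothing to restrict
    labels = pattern.lower().rstrip(".").split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False  # only a whole, leftmost '*' label is allowed
    if len(labels) < 3:
        return False  # '*' alone or '*.com' would cover a whole TLD
    rest = ".".join(labels[1:])
    return rest not in PUBLIC_SUFFIXES  # '*.co.uk' is just as broad as '*.com'


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name 'pattern' covers 'hostname'.
    Trailing dots (fully qualified form, e.g. 'io.') are normalised away."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    if not wildcard_is_acceptable(pat):
        return False
    p_labels = pat.split(".")
    h_labels = host.split(".")
    # '*' stands for exactly one label: never zero, never several.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(names: list[str], hostname: str) -> bool:
    """Check a certificate's names (CN plus SAN entries) against a hostname."""
    return any(hostname_matches(n, hostname) for n in names)


if __name__ == "__main__":
    print(hostname_matches("*.example.com", "foo.example.com"))      # True
    print(hostname_matches("*.example.com", "foo.bar.example.com"))  # False
    print(cert_covers(["*.com", "*.io"], "nic.io"))                  # False
```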

------
kaoD
Why so many "Whereas" ?

~~~
eksith
It's legalese for establishment.

------
rdl
I miss having r@ai although it did also cause problems at MIT (due to people
using stuff like rstallman@ai[.mit.edu.]).

The best address ever was n@ai which was Ian Goldberg (nai, ian).

------
nilved
This contrasts strangely with gTLDs. I feel like it defeats their entire
purpose if you need to use a subdomain of them.

~~~
mcintyre1994
As an example, Google wanted some of their applications to be dotless, e.g.
http://search and [http://app](http://app).
[http://m.techcrunch.com/2013/04/10/google-wants-to-operate-s...](http://m.techcrunch.com/2013/04/10/google-wants-to-operate-search-as-a-dotless-domain/)

------
eru
Don't all domains have a dot at the end? Even io is properly io. with a dot.

