PayPal has warned of a looming security crisis over new top-level domains such as ‘bank’ and ‘corp’ – due to be brought into use later this year.
New generic top-level domains (gTLDs) are expected to come into service this year, with more than 2,000 applications being reviewed by ICANN (the Internet Corporation for Assigned Names and Numbers). The new addresses will give sites freer rein in creating internet addresses. But PayPal’s Risk Management team believes this could lead to disaster.
In a letter to ICANN, PayPal executives claimed that new top-level domains would create an “extraordinary” potential for “malicious abuse”, and would immediately be targeted for attack.
The problem, according to the letter from Brad Hill and Bill Smith of PayPal’s Information Risk Management, is that many of the proposed new domains, such as “home”, “corp”, “lan” and “domain”, have been informally used for internal addresses, sometimes for decades.
This means that a corporate laptop, taken out of its home network environment, could leave sensitive information such as plain text passwords and usernames at risk.
“The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high value credentials and private data from potentially millions of systems,” the letter says.
“ICANN should consider the substantial and severe costs imposed on the general Internet community arising from delegation of names that have been common de facto private network suffixes for nearly two decades.”
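The collision described above can be audited on a client. The sketch below is an added example, not taken from PayPal's letter or this article: it expands configured host names through a resolv.conf-style search list and flags the lookups that would end in one of the suffixes named above. The sample resolver configuration and host names are constructed, and the expansion assumes the common stub-resolver `ndots` rule.

```python
# Suffixes the article names as proposed gTLDs already used on internal networks.
COLLIDING_TLDS = {"home", "corp", "lan", "domain"}

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf-style text."""
    search, ndots = [], 1
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in ("search", "domain"):
            search = [d.rstrip(".").lower() for d in parts[1:]]
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = int(opt[6:])
    return search, ndots

def candidate_queries(name, search, ndots):
    """FQDNs a stub resolver tries, in order, until one of them resolves."""
    name = name.lower()
    if name.endswith("."):          # absolute name: no search-list expansion
        return [name.rstrip(".")]
    expanded = [f"{name}.{s}" for s in search]
    if name.count(".") >= ndots:    # enough dots: try the name as written first
        return [name] + expanded
    return expanded + [name]

def collision_risks(names, resolv_text):
    """Map each configured name to its lookups that end in a colliding suffix."""
    search, ndots = parse_resolv_conf(resolv_text)
    risks = {}
    for n in names:
        hits = [q for q in candidate_queries(n, search, ndots)
                if q.rsplit(".", 1)[-1] in COLLIDING_TLDS]
        if hits:
            risks[n] = hits
    return risks

SAMPLE_RESOLV = """\
# constructed sample, as pushed to a laptop by an internal DHCP server
search corp example.com
options ndots:1
"""
SAMPLE_NAMES = ["mail", "wiki.lan", "files.example.com", "printer.home."]

if __name__ == "__main__":
    for name, hits in collision_risks(SAMPLE_NAMES, SAMPLE_RESOLV).items():
        print(f"{name}: {', '.join(hits)}")
```

Names flagged here are candidates for moving to a suffix the organisation actually owns, so that lookups made off the internal network cannot be answered by a third party.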
Author Rob Waugh, We Live Security