FIC 2023 4 key issues for surviving in the Wild West of domain names

A domain name is anything but an innocuous gimmick. It is what conveys the name of a company or a product brand on the web. It is what translates the encrypted IP address of a website into an understandable, memorable name for every internet user. Domain names also have an extension, which categorises websites by geographical area (.fr for France, .de for Germany, .it for Italy or .com for the world) or by sector (.org for NGOs, .tv for media outlets, and so on). Ultimately, a domain name becomes the digital signature of an economic, governmental, non-profit or other stakeholder.

Issue 1: Registering domain names. Okay, but which ones?

Virginie Brunot, a lawyer specialising in industrial property at Lexing Alain Bensoussan Avocats, is very familiar with this first step: registering a domain name to prevent it from being registered by a third party (and thereby making it unusable by you) or, worse, by someone with malicious intent who diverts web traffic to a fake site for illegal purposes. For many years, companies have therefore adopted a simple (but relatively expensive) strategy: register as many domain names as possible to limit the risks of spoofing and protect themselves.

This strategy has now become economically unsustainable following the recent flood onto the market of new domain extensions – some 1,500 worldwide. Virginie Brunot therefore recommends looking at only those domain names that are essential to the company, usually .com, .fr for a French company and possibly .tv or .media for media outlets, for example.

Once you have registered your domain name with an approved registrar, Virginie recommends keeping a close eye on any new registrations for the domain names your company chose not to register. The aim here is to find out who is behind the registration and pre-empt any potential risk of malicious intent if the address subsequently becomes active.

Issue 2: Minimising the risk of domain name spoofing

This is undoubtedly the most crucial point in managing a domain name portfolio. If those domain names a company leaves available (because it considers them non-essential) should not go unmonitored, then the same is true of those domain names that are similar (to within one character, for example). The risk of becoming a victim of typosquatting is particularly high, and many fraudsters exploit this technique. Muriel Bochaton, sales director at domain registrar NameShield, says that this practice accounts for almost 15% of domain name disputes. And the consequences are not insignificant: internet users may fall victim to ransomware or have their devices infected with malware as soon as they connect to the pirate site.

The risk is even greater given that there is no requirement to check the identity of applicants wishing to register a domain name. In France, apart from “gouv.fr”, which is strictly off limits to anyone outside the French state, all extensions are available to anyone. They are assigned on a “first come, first served” basis according to the rules laid down by the global internet regulatory authority, ICANN (Internet Corporation for Assigned Names and Numbers).

Even in France, AFNIC (the French Association for Internet Naming Cooperation), which is responsible for the .fr domain, has relaxed its requirements and aligned itself with the international position. Identity checks on registrants are therefore very minimal, based only on their good faith and character, often without the need to provide a contact name, postal address or phone number.

This is why it is important to choose the right registrar when registering a domain name. Most registrars are private companies with a commercial interest. Some strongly encourage their customers to register their domain names with the new extensions they create and sell, but then shirk responsibility when an attack such as cybersquatting occurs and stay conspicuously quiet.

Issue 3: Protecting your domain names

According to Nicolas Pawlak, who keeps a daily watch on malicious domain names on his “Red Flag Domains” website, there is one vital thing to check that is often forgotten: the domain name registration expiry date. And this is before you even think about hacking or cybersquatting attacks. If you fail to renew your registration by the deadline, the domain name is once again available to anyone. It is therefore important to carefully manage these deadlines to avoid this happening, as it could leave you with an unusable website.

If an attack is subsequently detected, a company has several courses of action to take down the offending site. In France, it can request that AFNIC initially block the site and then delete it if the offence is proven. The process takes between two and seven days depending on the complexity of the case. This is especially true since cases are not always clear-cut. For example, Nicolas Pawlak told the amusing anecdote of “mamie est chaude.fr” domain name. At the time, this set alarm bells ringing, just as “granny is hot.com” would in English. Could it be a pornographic site? In the end, the domain name was linked to the website of a baker in Versailles!

The registrar through which you registered the domain name may also be a useful ally when taking steps to deal with a proven attack. You could also approach the hosting provider for the suspicious site, although there is no guarantee of quick resolution. Lastly, once the offending or spoofed domain name has been delisted, you can also ask for it to be transferred to you, especially if deemed essential for managing your domain name portfolio.

Issue 4: Committing to consistent naming and proper governance

As important as it is for a company to have meaningful and memorable domain names, it is just as important to have a consistent naming strategy for your domain name portfolio. Jérôme Guihal from the French National Cybersecurity Agency (ANSSI) laments the fact that some companies are rather lax in naming the domain names they then go on to use.

La Poste is a case in point. For its various online services, France’s number one postal service has no problem registering domain names that no longer include “la poste.fr”. This is the case in particular for its Colissimo services, where the domain name is completely different.

In this expert’s view, this is certainly less of a risk in terms of security alone, but it can lead to confusion among users. They could think it was yet another phishing scam or fraudulent site and decide not to click on the genuine notification they received.

Companies must, therefore, put governance in place to manage their domain names. This is essential to guard against losing the use of domain names, prevent them from being pirated or spoofed, or even avoid causing confusion among users. In addition, it is important to choose the right registrar so that you have a reliable partner in all circumstances.