{"id":755,"date":"2009-02-06T21:01:36","date_gmt":"2009-02-07T05:01:36","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=755"},"modified":"2009-02-06T21:03:17","modified_gmt":"2009-02-07T05:03:17","slug":"security-review-tel-domain","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/security-review-tel-domain\/","title":{"rendered":"Security Review: .tel domain"},"content":{"rendered":"<p>According to <a href=\"http:\/\/www.newscientist.com\/article\/dn16525-new-tel-domain-aims-to-be-phonebook-for-the-net.html?DCMP=OTC-rss&amp;nsref=online-news\">New Scientist<\/a>, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a \u201cphonebook for the internet.\u201d Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.<\/p>\n<p><!--more--><\/p>\n<p>Assets\/Security Goals:<\/p>\n<ul>\n<li>An <a href=\"http:\/\/emma.tel\/\">example .tel page<\/a> shows the large amount of information that users are expected to post about themselves on their .tel sites. With so much information made available about someone, the risk of identity theft increases. Users should be protected from having their identities stolen as a result of their underestimating the danger of making so many personal details public.<\/li>\n<li>Users should be protected from phishing and other scams.<\/li>\n<li>Users should also be protected from being impersonated on a .tel page by someone else.<\/li>\n<\/ul>\n<p>Possible Adversaries\/Threats<\/p>\n<ul>\n<li>Identity thieves are probably the most important adversary. 
The large amount of information that people might post about themselves can make impersonations of those people more persuasive.<\/li>\n<li>As .tel expands and gains legitimacy, having a .tel site with one&#8217;s name and contact information may become increasingly important and desirable. This creates a range of vulnerabilities. On the more benign side, someone could be unable to register their name because someone with the same name has already done so. A moderate threat might be that someone could register someone else&#8217;s name on purpose, and then sell it only for an exorbitant price (this would not be unique to .tel). Someone with a lot of financial resources could bet that .tel will become widely enough used that it would be worth it to invest in a large number of common names and use them in this way. Finally, on the serious side of the spectrum, an attacker could pose as someone else on .tel, either by using their name (if they haven&#8217;t used it yet), or by using an almost indistinguishable name. The attacker could then post some of their own contact information, which might trick others into providing them with sensitive information about the person.<\/li>\n<\/ul>\n<p>Possible Weaknesses<\/p>\n<ul>\n<li>Even if credit card numbers are not exposed, enough information could be made public that impersonations involving some amount of social engineering could be made very easy, as identity thieves are able to perform more persuasive impersonations.<\/li>\n<li>The volume and uniformity implied by such a purpose-made online phonebook&#8211;especially given the tools it provides for specific application programming&#8211;would make it easy to sift through quickly for whatever weaknesses might exist. 
An attacker could search specifically for profiles that contain an unsafe amount of information about someone.<\/li>\n<li>This kind of technology is prone to a lot of abuse in the form of creating bogus pages that impersonate other people or organizations, or else simply lead to phishing scams.<\/li>\n<\/ul>\n<p>Possible Defenses<\/p>\n<ul>\n<li>Telnic will have to work to inform its users about the kind and amount of information that it is safe to publish.<\/li>\n<li>Before using the API, developers could be required to undergo some kind of evaluation. I&#8217;m not sure how the API itself could be modified to be less dangerous, given that its goals include extracting and processing large amounts of information.<\/li>\n<li>More authentication could also be required of users. For example, <a href=\"http:\/\/www.couchsurfing.com\/\">couchsurfing.com<\/a> requires users to verify a bank account and lock their account to a particular address. This makes it much harder to have multiple and bogus profiles.<\/li>\n<li>Telnic could also provide a service for allowing someone to claim a URL that someone else registered in their name. For example, the person could fax them their birth certificate, social security number, bank account numbers, driver&#8217;s license, and car keys.<\/li>\n<\/ul>\n<p>Some of the risks involved in a technology like the .tel domain are very serious, but they also require some amount of carelessness by users. If the &#8220;phonebook of the internet&#8221; lives up to its nickname and becomes widely used, it is possible that knowledge about how to use it without compromising one&#8217;s security will also become more common.<\/p>\n<p>Further, the potential for the kinds of risks that I mentioned is limited. Once .tel becomes well-established, the more exploits that occur, the more resources and effort will be put into preventing future exploits (whether on the part of the users or the developers). 
On the other hand, if too many compromises occur before .tel gets popular, these may cause it to simply flop, which would also act as a safety mechanism. The maximum danger is in the middle, where .tel is neither too small to be a high-stakes target nor large enough to have the user base and resources to stay secure.<\/p>\n<p>Finally, given all of these considerations and the limits they would put on the usefulness of such a technology, I have to ask whether having another&#8211;albeit more streamlined than ever&#8211;phonebook of the internet is really worth the risk it entails.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a \u201cphonebook for the internet.\u201d Users will only be able to register contact information, and this information will be &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/security-review-tel-domain\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":92,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9,5],"tags":[],"class_list":["post-755","post","type-post","status-publish","format-standard","hentry","category-current-events","category-privacy","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=755"}],"version-history":[{"count":6,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/755\/revisions"}],"predecessor-version":[{"id":785,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/755\/revisions\/785"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}