Who’s Ultimately in Control of Your Brand: The Supply Chain of Internet Identifiers and the importance of Namespace Security
Introduction
In today’s interconnected world, domain names serve as more than just digital addresses for organisations. They are integral to a multitude of operations, ranging from delivering services, authenticating an organisation and conducting sales to maintaining vital communication with stakeholders. Given this heightened reliance, gaining a thorough understanding of the supply chain behind these Internet Identities and making sure your Namespace Security is in order has shifted from good practice to an absolute necessity.
NodeZro regularly comes across corporations utilising domain names in their core infrastructure or for services without a full understanding of the digital supply chains they depend on.
These supply chains usually have an unappreciated degree of control over the brand’s Digital Identifiers. Security strategies rarely take these core assets into account and most brands are unaware of the significant risks such misalignment can pose.
Control and Redirection Risks
It’s imperative for organisations to understand that ultimate control over their domain names, especially those ending in country-specific extensions (ccTLDs), usually lies with the domain’s Registry Operator and the Country the ccTLD represents.
These entities have the technical capability to intercept and redirect the traffic a domain supports, to delete the domain, or to transfer control of it to another third party. Similarly, Registrars and DNS providers often have the technical ability to reroute an organisation’s traffic by altering its domain settings.
Organisations need to understand that traffic intercepts based on the DNS can often be implemented to target only specific users or organisations, and it’s possible that the ‘owner’ of the domain name may never notice these modifications.
Understanding the layers of control is vital for evaluating whether they align with your organisation’s security requirements.
Jurisdictional Compatibility
For those dealing with sensitive information, the jurisdiction of corporate domains becomes crucial. Brands need to choose between using a country-specific domain (ccTLD) like .uk that aligns with their operational jurisdictions, or a generic domain (gTLD) like .com governed globally by the Internet Corporation for Assigned Names and Numbers (ICANN), a California nonprofit public benefit corporation.
It’s important to realise that country-code Top-Level Domains (ccTLDs) are typically tied to a specific nation and are usually governed by that country’s laws and regulations. However, the marketing of some ccTLDs can create confusion. For instance, .uk clearly pertains to the United Kingdom, but other ccTLDs like .co (Colombia), .io (British Indian Ocean Territory), .tv (Tuvalu) and .me (Montenegro) are often promoted as if they are internationally applicable. Despite this global positioning, these domains may remain subject to the laws of the nation they represent. As such, organisations need to carefully assess the potential risks and legal considerations tied to using such domains.
Operating under these TLDs and within the legal frameworks of various countries may well align with an organisation’s objectives. However, such a choice should be made only after conducting a thorough evaluation of the associated risks and exposures. The significance of this assessment cannot be emphasised enough; it equips organisations with the insights needed to establish a secure and stable online presence for both themselves and their stakeholders.
Being well-informed about the intricate details of ccTLD jurisdictional alignments can prove invaluable in establishing a stable and secure online presence. You can learn more about who is in ultimate control of your Digital Identifiers by visiting the Internet Assigned Numbers Authority (IANA) Root Zone Database (1), which represents the delegation details and organisations relevant to the Top-Level Domains (TLDs) you depend on.
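One way to start that assessment is to inventory the TLDs your published links depend on and flag the country-code ones that fall outside the jurisdictions you have accepted. The script below is an added example, not NodeZro code; the sample links, the accepted-ccTLD policy and the function names are constructed for illustration, and the per-TLD record address follows the layout of the IANA Root Zone Database site.

```python
from urllib.parse import urlsplit

# Constructed sample: links an organisation publishes (site, email, social posts).
PUBLISHED_LINKS = [
    "https://www.example.co.uk/benefits",
    "https://example.com/contact",
    "http://short.example.ly/3xAmPl",
    "https://app.example.io/login",
    "https://video.example.tv/live",
    "https://example.xn--p1ai/",
    "https://192.0.2.10/status",
]
# Hypothetical policy: ccTLD jurisdictions the organisation has assessed and accepted.
ACCEPTED_CCTLDS = {"uk"}

def tld_of(url):
    """Return the rightmost DNS label of the URL's host, or None for IPs/no host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    label = host.rsplit(".", 1)[-1]
    if not label or label.isdigit() or ":" in host:
        return None
    return label

def classify(tld):
    if tld.startswith("xn--"):
        return "idn"        # may be a ccTLD or a gTLD: needs a registry lookup
    if len(tld) == 2 and tld.isascii() and tld.isalpha():
        return "ccTLD"      # two-letter ASCII TLDs are country codes
    return "non-cc"         # generic, sponsored or infrastructure TLD

def audit(links, accepted):
    """Group links by TLD and flag the TLDs that need a jurisdiction review."""
    report = {}
    for url in links:
        tld = tld_of(url)
        if tld is None:
            continue
        kind = classify(tld)
        entry = report.setdefault(tld, {
            "kind": kind,
            "review": kind == "idn" or (kind == "ccTLD" and tld not in accepted),
            "iana": f"https://www.iana.org/domains/root/db/{tld}.html",
            "links": [],
        })
        entry["links"].append(url)
    return report

if __name__ == "__main__":
    for tld, e in sorted(audit(PUBLISHED_LINKS, ACCEPTED_CCTLDS).items()):
        flag = "REVIEW" if e["review"] else "ok"
        print(f".{tld:<10} {e['kind']:<7} {flag:<7} {len(e['links'])} link(s)  {e['iana']}")
```

Each flagged row points to the IANA record to read for the delegated operator of that TLD.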
The Widespread Use of URL Shorteners Ultimately Controlled by Libya
A case in point is the widespread use of URL shorteners that fall under ccTLDs, where users might not fully grasp who ultimately controls the identifier. For instance, popular services like bit.ly and ow.ly operate under Libya’s country code top-level domain (.ly). These identifiers are ultimately overseen by Libyan authorities and are managed by the General Post and Telecommunication Company based in Tripoli, Libya.(1)
Both public and private sector entities that use URL shorteners for official information dissemination should be acutely aware of the inherent risks. An organisation might deem using these services acceptable, but it’s crucial to make well-informed decisions about the suitability of such practices based on the specific circumstances it faces. The governing body and operator of the .ly domain, for example, have the technical ability to modify the DNS for these services and ultimately redirect traffic. Examples of use include:
Example 1:
Example 2:
Conclusion
Gaining a thorough understanding of your organisation’s Identifier supply chain is non-negotiable for ensuring stakeholder security. A misalignment between corporate digital identifiers and security objectives can introduce vulnerabilities and risks, affecting not just online operations, but also stakeholder trust, confidence and brand reputation.
Sources:
- Internet Assigned Numbers Authority (IANA) Root Zone Database: https://www.iana.org/domains/root/db
- Internal Revenue Service (IRS) List of Twitter accounts: https://www.irs.gov/newsroom/follow-the-irs-on-twitter
- Department for Work and Pensions (DWP) Twitter Accounts: https://www.gov.uk/government/publications/dwp-registered-twitter-accounts/dwp-official-twitter-accounts
- Namespace Security: https://namespacesecurity.com/