Mubix sent me a link today to the fact that Com.com is for sale. So what, right? Yet another domain that needs a home. But com.com is incredibly important for security. In fact, one of C|NET’s (the company that currently runs com.com) network admins was listed as the 10th most dangerous and least likely person on the Internet during my presentation at OWASP. Why? Because of typo traffic. A friend of mine used to run csuchico.com instead of csuchico.edu and used to get tons of sensitive information about the local college, including building plans, love letters, medical information, bills, and on and on… And that was just one .edu domain. Now imagine the typo traffic for all of .com!
I’m not just talking about email: think about all the DNS errors, the referring URLs, and the places you could XSS just because of sloppy coding. It’s a recon dream come true, and it’s almost entirely passive! I tried to register xn--g6w251d.com at one point (a typo of the simplified Chinese IDN TLD). Most people don’t realize that xn--g6w251d (測試) is a TLD and there are a bunch of others like it. So owning xn--g6w251d.com would allow me to get tons of typo traffic, but ICANN in their infinite wisdom decided you’re not allowed to own things like xn--g6w251d.com anymore because it’s too dangerous. Yet com.com still exists and it’s up for grabs! I’m sure it’s monetarily well out of reach for the average bad guy, but there may be a lot more than average bad guys who are interested in owning this one.
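The defender’s side of this is spotting your own users leaking to typo domains before the squatter does. The script below is an added example, not part of the original post: it scans constructed Postfix-style log lines for recipient domains that are a wrong-TLD twin of the organization’s domain (csuchico.com for csuchico.edu), a doubled suffix like example.com.com, or an IDN TLD label such as xn--g6w251d followed by .com. The organization domain and the log lines are assumptions made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Assumption: the organization's own domain(s); csuchico.edu stands in here.
ORG_DOMAINS = {"csuchico.edu"}

# TLD labels that should never appear as the second-level label of a real
# recipient domain (com.com, foo.edu.com, xn--g6w251d.com all match this).
TLD_LABELS = {"com", "net", "org", "edu", "gov", "xn--g6w251d"}

# Constructed sample of Postfix-style delivery log lines (not real data).
MAIL_LOG = """\
Jan 10 10:01:02 relay postfix/smtp[1234]: 1A2B3C: to=<alice@csuchico.edu>, status=sent
Jan 10 10:01:05 relay postfix/smtp[1234]: 1A2B3D: to=<bob@csuchico.com>, status=sent
Jan 10 10:01:09 relay postfix/smtp[1234]: 1A2B3E: to=<carol@example.com.com>, status=sent
Jan 10 10:01:12 relay postfix/smtp[1234]: 1A2B3F: to=<dave@xn--g6w251d.com>, status=sent
Jan 10 10:01:15 relay postfix/smtp[1234]: 1A2B40: to=<erin@partner.org>, status=sent
"""


def classify_recipient_domain(domain: str) -> Optional[str]:
    """Return a reason if the domain looks like a typo trap, else None."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or d in ORG_DOMAINS:
        return None
    # Same second-level name as an org domain but a different TLD
    # (csuchico.com instead of csuchico.edu). Subdomains of the real
    # domain (mail.csuchico.edu) keep the right TLD and pass through.
    for org in ORG_DOMAINS:
        org_labels = org.split(".")
        if labels[-2] == org_labels[-2] and labels[-1] != org_labels[-1]:
            return f"wrong TLD for {org}"
    # A TLD-shaped label one position too far left: the ".com.com" class.
    if labels[-2] in TLD_LABELS:
        return f"TLD-shaped second-level label {labels[-2]}.{labels[-1]}"
    return None


def flag_typo_recipients(log_text: str) -> List[Tuple[str, str]]:
    """Extract recipient domains from to=<user@domain> fields and flag them."""
    hits = []
    for m in re.finditer(r"to=<[^@>]+@([^>]+)>", log_text):
        reason = classify_recipient_domain(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in flag_typo_recipients(MAIL_LOG):
        print(f"{domain}: {reason}")
```

The same classifier can be pointed at outbound DNS query logs or web referrer fields, which the post names as the other two channels of typo traffic.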