### Rating (1--4):
+ 3: Weak Accept -- This paper may have flaws, but I would not argue against it at a major conference

### What did this paper do well?
+ Demonstrated great impacts (found 52.8M domains being targeted by bitsquatters, 1.28M domains at risk of DoS, etc.)
+ Very easy to understand
+ Presented a method to measure vulnerable DNS cases with ethical considerations, and provided several interesting insights into the malicious behaviors.

### Where did this paper fall short?
+ The number of really dangerous rogue IP address responses is very low (about 50 pages over 1800 rogue responses)
+ The proposed WHOIS email attacks don't work with service providers that follow good protocols such as webmaster privacy protection (not revealing true emails of webmasters, holding and verifying domain transfers via email, etc.)

### What did you learn from reading this paper?
+ A million domains are "dependent on 8-year-old vulnerable BIND versions"!!!
+ Adversaries may still be able to obtain a certificate for a website and use it for years due to weak ID verification by certificate providers
+ We need to really watch out for typo mistakes made by admins
+ Mistakes by third parties may lead to your domains (and their sub-domains) being compromised
+ "There is value to proactive typo registrations"
+ Typosquatting mistakes can be caused by either humans or hardware (in the case of hardware, it's also called "bitsquatting")

### What questions do you have about the paper or the area?
+ Most domain service providers do not make changes (initiated by the domain admins) immediately but rather hold the changes (especially big ones like changing MS or A records) and send email confirmations. With those measures in practice, will typo mistakes (leading to typosquatting domains) be reduced?
+ From the user's perspective, will the habit of typing domain names in a search engine's box and clicking on verified search results help defend against typo- and bit-squatting traps?
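The bitsquatting point above (a single hardware bit flip turning a domain into a look-alike name) and the note on proactive typo registrations, as an added example that is not from the reviewed paper: a Python routine that enumerates the single-bit-flip variants of a domain's second-level label so an operator can check which of them already resolve or register them defensively. It assumes the second-level label is everything before the first dot and that only lower-case letters, digits and hyphens are valid label characters.

```python
# Added example, not code from the reviewed paper. Enumerates "bitsquat"
# candidates: domains reachable from the real one by flipping one bit in
# one character of the second-level label. Defenders use such lists to
# monitor or proactively register the names that traffic could leak to.
import string

# Characters valid inside a DNS label (assumption: lower-case only, since
# DNS names are case-insensitive and an upper-case flip folds back to the
# original name).
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_variants(domain: str) -> list[str]:
    """Return every distinct, syntactically valid domain obtained by
    flipping exactly one bit of one character in the label before the
    first dot of `domain`."""
    label, _, suffix = domain.lower().partition(".")
    variants = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Drop flips that produce a character a resolver would reject
            # (control bytes, punctuation, high-bit bytes, upper case).
            if flipped not in VALID_LABEL_CHARS:
                continue
            candidate = label[:i] + flipped + label[i + 1:]
            # A label may not begin or end with a hyphen.
            if candidate.startswith("-") or candidate.endswith("-"):
                continue
            variants.add(candidate + ("." + suffix if suffix else ""))
    variants.discard(domain.lower())
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample input; prints the names an operator would check.
    for name in bitsquat_variants("example.com"):
        print(name)
```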
Image credit: R1soft