The US government is tightening its rules around the registration of government web domains to stop fraudsters impersonating government sites, it emerged last week.
The federal government’s General Services Administration (GSA) is responsible for the DotGov program, which handles registration of .gov domains. From tomorrow, 10 March 2020, the organisation will ask people to provide a notarized letter when applying for .gov domains.
A .gov domain is only supposed to be operated by US-based government entities, from federal agencies to local municipalities, meaning that, in the GSA’s words, “it’s official”. If you go to a .gov site you should be able to trust it. For that reason, the GSA has existing authentication measures in place. It requires an authorisation letter on the applying organisation’s official letterhead, with a signature from a person with sufficient authority there. The letter must include administration, billing, and technical contacts. A security contact is “recommended practice”, it says. Applicants must email or fax the authorisation letter to the GSA.
The problem, according to a Brian Krebs report last November, is that the registration process was too lax. A researcher told Krebs that he got a .gov domain by emailing an online form using a letterhead from a small American town’s homepage and impersonating its mayor. He did it with a throwaway Gmail and Google Voice account, and the GSA swallowed it, registering the .gov site for him.
A phony .gov domain is a potential phishing and malware-delivery goldmine for online criminals, who might use it to impersonate entities at all three levels of government.
The GSA said:
Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain.
This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain.
This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.
This isn’t the only step the GSA has taken to tighten its security. In July 2019 it also introduced notification emails for changes made to DNS records for .gov domains to avoid DNS hijacking attacks.
The DOTGOV Online Trust in Government Act of 2019, introduced in October, would transfer management of the whole TLD to the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.