Naked Security

Now you need a notarized document to get a .gov domain

The US government is tightening its rules around the registration of government web domains to stop fraudsters impersonating government sites, it emerged last week.
The federal government’s General Services Administration (GSA) is responsible for the DotGov program, which handles registration of .gov domains. From tomorrow, 10 March 2020, the organisation will ask people to provide a notarized letter when applying for .gov domains.
A .gov domain is only supposed to be operated by US-based government entities, from federal agencies to local municipalities, meaning that, in the GSA’s words, “it’s official”. If you go to a .gov site you should be able to trust it. For that reason, the GSA already has authentication measures in place. It requires an authorisation letter on the applying organisation’s official letterhead, signed by a person with sufficient authority there. The letter must include administration, billing, and technical contacts. A security contact is “recommended practice”, it says. Applicants must email or fax the authorisation letter to the GSA.
The problem, according to a Brian Krebs report last November, is that the registration process was too lax. A researcher told Krebs that he got a .gov domain by emailing an online form using a letterhead from a small American town’s homepage and impersonating its mayor. He did it with a throwaway Gmail and Google Voice account, and the GSA swallowed it, registering the .gov site for him.


A phony .gov domain is a potential phishing and malware-delivery goldmine for online criminals, who might use it to impersonate entities at all three levels of government.
The GSA said:

Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain.
This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain.
This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.

This isn’t the only step the GSA has taken to tighten its security. In July 2019 it also introduced notification emails for changes made to DNS records for .gov domains to avoid DNS hijacking attacks.
The DOTGOV Online Trust in Government Act of 2019, introduced in October, would transfer management of the whole TLD to the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.


8 Comments

I am a little surprised that any small town can get themselves a .gov domain. I would expect them to be restricted to agencies of the US federal government. Personally I would not trust the website of a small town several states away, as I have no idea if it is competently administered.
It is good that they have closed a loophole to prevent fraudsters from falsely claiming to represent some small town somewhere, but from a cyber security point of view, that does not help much, as the mayor of a small town Nebraska (pop 3,152), can legitimately register a .gov domain, ask his cousin (who “knows computers”) to set up the website, who will then make every cyber security mistake in the book.

Maybe the little town in Nebraska can get the Office of Personnel Management to help them out. They are part of a really big US federal government agency and from all reports they did an outstanding job of protecting the information contained in years’ worth of security clearance applications.
I suspect if you eliminated mis-configured dot gov sites there would be a lot fewer online – including those from large entities.

“A .gov domain is only supposed to be operated by US government entities,…”
Just to clarify: that is NOT limited to entities of the United States federal government. Perhaps a better choice of phrase would be “government entities in the United States”.
Wikipedia describes it rather well:
“Use of the domain gov is restricted to government entities. According to GSA guidelines, this includes U.S. governmental departments, programs, and agencies on the federal level; federally recognized tribes, referred to by the GSA as Native Sovereign Nations, which must use the suffix -NSN.gov; State governmental entities and programs; cities and townships represented by an elected body of officials; counties and parishes represented by an elected body of officials; and U.S. territories.”

> “A .gov domain is only supposed to be operated by US government entities, meaning that, in the GSA’s words, “it’s official”.”
This is simply incorrect–or there’s a lot of fraudulent stuff going on. Here in North Carolina, the state (not federal) government uses the .gov TLD. Try these in your browser:
nc.gov
ncdps.gov
sosnc.gov
ncdoj.gov
Or how about these cities/towns/municipalities?
raleighnc.gov
durhamnc.gov
greenvillenc.gov
greensboro-nc.gov
charlottenc.gov
asheboronc.gov
ashevillenc.gov
Not sure if this mistake is the Federal government’s or Naked Security’s, but someone is looking pretty foolish about now.

I think that you can take the term “US government” to mean “a part of the public service, whether federal, state, Native American, county, municipal”, and so on…

Actually, we don’t. Native US-English speakers would interpret “US government” to strictly mean the federal government.
I can appreciate that a non-native US-English speaker might not appreciate that.

I’ve edited the text to use words along the lines Danny mentions below about “US-based government orgs”.
I take your point about the unadorned phrase “US government” referring to the federal parts of the governmental machinery, not to every municipality and all the states and territories.
I guess I wouldn’t use words such as “the UK government decided that X, Y and Z” if I were referring to the Welsh Assembly or to the Oxfordshire County Council.

From the GSA web site: “The DotGov Program, part of the General Services Administration, operates the .gov top-level domain (TLD) and makes it available to US-based government organizations, from federal agencies to local municipalities. Using a .gov domain shows you’re an official government organization.”
