Cenzic 232 Patent
Paid Advertising
web application security lab

Com.Com is Up For Sale

Mubix sent me a link today to the fact that Com.com is for sale. So what, right? Yet another domain that needs a home. But com.com is incredibly important for security. In fact, one of C|NET’s (the company that currently runs com.com) network admins was listed as the 10th most dangerous and least likely person on the Internet during my presentation at OWASP. Why? Because of typo traffic. A friend of mine used to run csuchico.com instead of csuchico.edu and used to get tons of sensitive information about the local college, including building plans, love letters, medical information, bills, and on and on… And that was just one .edu domain. Now imagine the typo traffic for all of .com!

I’m not just talking about email, but think about all the DNS errors, and the referring URLs and the places that you could XSS just because of sloppy coding? It’s a recon dream come true, and it’s almost entirely passive! I tried to register xn--g6w251d.com at one point (a typo of the simplified Chinese IDN TLD). Most people don’t realize that xn--g6w251d (測試) is a TLD and there are a bunch of others like it. So owning xn--g6w251d.com would allow me to get tons of typo traffic, but ICANN in their infinite wisdom decided you’re not allowed to own things like xn--g6w251d.com anymore because it’s too dangerous. Yet com.com still exists and it’s up for grabs! I’m sure it’s monetarily well out of reach for the average bad guy, but there may be a lot more than average bad guys who are interested in owning this one.

15 Responses to “Com.Com is Up For Sale”

  1. Meh Says:

    I want that. I would have no clue what exactly to do with it, but i want it.

  2. dave Says:

    you rickroll people of course :P

  3. Meh Says:

    Good idea!

    How much does the domain cost?

  4. Angel one Says:

    I once had a fax number that was 1 digit off of the fax number for a local investment bank. (I had a 6 instead of an 8 in my number). I regularly got TONS of sensitive information - requests for IRA changes, rollovers, copies of checks, fund transfers, bank account transfers, etc. Each time I got another one I laughed at how much damage I could have done if I were unscrupulous and them promptly contacted the sender and informed them of their mistake. I can only imagine the endless possibilities with com.com.

    On another note though, it doesn’t look like it’s actually for sale. That’s just a domain brokerage service - they will _try_ to negotiate a sale for you of any domain you want. It doesn’t mean cnet is actually selling. A quick google search (and cnet search) doesn’t turn up anything else, so I don’t think they’re selling.

  5. Michael Hampton Says:

    Indeed; it’s unlikely that com.com is for sale, since that site shows the same page for any domain you type in. I’m fairly sure this one isn’t for sale, for instance.

  6. RSnake Says:

    Are you kidding me! ckers.org has been for sale since they day I bought it. It’s just about the price. ;)

  7. Wornstrom Says:

    Well maybe you’d like to buy microsoft.com?

  8. CV Says:

    Great names the price should be close to millions

  9. Chris Weber Says:

    Well you could have fun with the new fast-track IDN ccTLD’s, and apply to get your own - it’s only $26,000, chump change for you!

    Russia’s applying for .рф

    Tunisia’s applying for .تونس

    China’s applying for .中国

    List goes on, expecting up to 500 new TLD’s in the next few years.

  10. RSnake Says:

    @Chris - I bet .con and .co would be useful. ;)

  11. demo Says:

    I reckon whoever intends on purchasing it is gunna be plastering the page in ads and hoping for alot of clicks. Sure if it’s a common typo, alot of ad views are gunna rake in.

  12. h3xstream Says:

    http://www.com is a good one too :D

  13. anonymous Says:

    com.com can also be used for bypassing weak “whitelist” filters with clever subdomains such as subdomain.domain.tld.com.com

  14. ramon Says:

    i got the chinese one .tk :)

  15. Thomas Says:

    Great Names, but domain business is lagging in these harsh days. :-)

    one .tk :) is fine as well.