Nominet, which handles the registry of .uk Internet domains, is no stranger to controversy and some of their decisions over the years have caused plenty of head scratching. The latest bit of fun seems to be as a result of their new .uk rules, which have allowed typos for UK sites (e.g. bbc.c.uk, google.c.uk and hsbc.c.uk) to go to a different server (you can do it for almost any .uk or .co.uk domain).
At one point or another most of us will have miss-typed a domain name and in the past this was used by hackers and phishers to trick people into visiting fake versions of legitimate websites and brands. For example, it’s perilously easy to type google.c.uk instead of google.co.uk, the difference is that the .co.uk will take you to the real website while c.uk takes you to a completely separate site that could be exploited.
On top of that the text-prediction used by most web browsers can mean that once miss-typed you are highly likely to land upon the same fake site a second time when trying to type it again because the browser corrects your address to the previously typed one, which by now we’re all automatically attuned to accept (I’ve done it a few times by accident while testing for this article).
The situation appears to stem from the November 2013 introduction of Nominet’s new .uk namespace (here) and its associated rules (here), which is perhaps a risky approach to take when the potential collision space is so large (i.e. the owner of c.co.uk got c.uk by default = mass website redirection fun). But far from making .uk domains more secure it appears as if Nominet’s current approach could risk opening a door to scammers.
The introduction of the new .uk name (i.e. being able to register examplz.uk rather than just examplz.co.uk) was highly controversial and occurred against a background of strong opposition, with some viewing it as a victory of profit over sense. Never the less it happened and one of the consequences seems to be that Nominet has effectively allowed someone to register c.uk and thus redirect innocent typos into its clutches. ISPreview.co.uk has contacted Nominet for comment.
As some readers have pointed out claims.co.uk, a law firm for personal injury claims, owns the c.co.uk domain and under the .UK rules this meant they automatically got .c.uk without any checks. It’s unclear why claims.co.uk is allowing the domain to be used in such a way, although it’s possible they aren’t aware.
The registrar for the .c.uk domain itself goes back to the Dark Group Ltd t/a YSH (http://www.ysh.uk), which is the same organisation behind broadband ISP Fast.co.uk. ISPreview.co.uk has shot off a message to Fast.co.uk’s Mark Baker in the hopes of getting more information. In the meantime.. still no reaction from Nominet.
UK Limited Company, (Company number: 6843986)
6 Slington House
Registrant contact details validated by Nominet on 30-Oct-2013
Dark Group Ltd t/a YSH [Tag = YSH]
Registered on: 10-Jun-2014
Expiry date: 10-Jun-2024
Last updated: 17-Jun-2014
Registered until expiry date.
Fast.co.uk’s Mark Baker has informed ISPreview.co.uk that one of their customers changed the name servers for the offending domain to those of a “parking company who appear to have enabled wildcard DNS, hence anything.c.uk resolves” (i.e. it doesn’t appear to be specifically targeting popular brands and sites – it just hits everything the same). Baker noted that he couldn’t be “sure if that behaviour is intentional on our clients part“. Meanwhile the problem persists. Oh c.uk.
We had hoped that Nominet might wish to take this more seriously..
A Spokesperson for Nominet told ISPreview.co.uk:
“Use of a domain name for unlawful purposes, or in a way that infringes the intellectual property rights of third parties is contrary to the terms and conditions of domain name registration, to which all registrants must agree. If any use of a .uk domain name comes to our attention that appears to be in breach of those terms, we would cooperate with law enforcement agencies in order to take any appropriate steps, and would reserve the right to take any action open to us under the registration contract.
In the case of the domain name c.uk it would appear that the registrant is redirecting all c.uk sub domains to www.c.uk, not targeting or imitating any specific websites. We have no indication that www.c.uk is being used for any unlawful purpose.”