Application Comment Details

Michael McCormick
Taproot Security
AC Webconnecting Holding B.V.
String Similarity Evaluation Panel
COM cognates pose typo risk
31 May 2017 at 03:18:31 UTC

Thank you for your dedication to the safe and secure Generic Top Level Domain operation.

Taproot Security is a private firm advising clients and policymakers on vital cybersecurity matters.

We are concerned about the potential for abuse of gTLD strings similar to COM by typo squatters and phishers. As the traditional TLD for electronic commerce, .com is the typical target of such attacks. Before the advent of new gTLDs, such attacks were generally confined to second level domains. For example, “” might be used to catch typo traffic intended for “”.

Now the top level domain represents a similar attack vector in cases where the string is close enough to COM. For example, “” to capture traffic intended for “”.

Our general comment is that 3-letter gTLD strings that differ by one letter from COM (cognates) represent a threat to Internet users who type URLs. There are 75 such 3-letter strings (MOM, CAM, COD, etc.). Ideally, they would be reserved from use by ICANN to prevent abuse, at least those that have not already been allocated. If that is impractical, we ask ICANN to require cognate domain applicants to specify how they plan to address typo attacks and similar misconduct, and that this requirement be codified in registry operator agreements.

Our specific comment on CAM is that the current .cam registry operator does not seem cognizant of the risks described here, based on domains it has registered that are identical to their .com counterparts, on behalf of requesters who we verified are not affiliated with the owners of their .com counterparts.

The ICANN registry agreement with AC Webconnecting Holding does not appear to specifically address this issue, so we do not claim there is any violation of policy or breach of agreement. However, we do ask that the registry operator be advised of the special risks associated with CAM as a COM cognate, and that this be addressed in writing when the registry agreement is next renewed or modified.

Thank you for this opportunity to share our perspective on string similarity risk in COM cognates.


Michael McCormick

President, Taproot Security
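
A defender-side illustration of the cognate definition used in the comment above, added here and not part of the original submission: it enumerates the one-letter substitutions of COM and flags observed hostnames that pair a cognate TLD with a second-level label the defender holds under .com. The function names, the protected label `examplebank` and the sample hostnames are constructed for the example.

```python
import string

BASE_TLD = "com"

def cognates(tld=BASE_TLD):
    """Same-length strings that differ from tld in exactly one letter."""
    out = set()
    for i, original in enumerate(tld):
        for letter in string.ascii_lowercase:
            if letter != original:
                out.add(tld[:i] + letter + tld[i + 1:])
    return out

COM_COGNATES = cognates()  # 3 positions x 25 other letters = 75 strings

def flag_cognate_lookalike(hostname, protected_labels):
    """Return the protected .com domain this hostname shadows, else None.

    protected_labels: second-level labels the defender owns under .com.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if tld in COM_COGNATES and sld in protected_labels:
        return f"{sld}.{BASE_TLD}"
    return None

def scan(hostnames, protected_labels):
    """Pair each flagged hostname (as observed) with the .com domain it shadows."""
    hits = []
    for host in hostnames:
        target = flag_cognate_lookalike(host, protected_labels)
        if target:
            hits.append((host, target))
    return hits

# Constructed sample input, e.g. hostnames pulled from resolver or proxy logs.
PROTECTED = {"examplebank"}
SAMPLE_HOSTS = [
    "www.examplebank.com",   # the legitimate domain
    "examplebank.cam",       # cognate TLD, same label: flagged
    "EXAMPLEBANK.COD.",      # case and trailing dot are normalised: flagged
    "login.examplebank.cm",  # omission typo, outside the one-letter-substitution set
    "unrelated.cam",         # cognate TLD, label not protected
]

if __name__ == "__main__":
    for host, target in scan(SAMPLE_HOSTS, PROTECTED):
        print(f"{host} shadows {target}")
```

The check covers only the substitution cognates the comment defines; omitted or added letters (such as `cm`) would need a separate rule.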