US government adds stricter requirements for .gov domain registration
The U.S. government will begin requiring notarized signatures as part of the registration process for .gov domains beginning March 10, 2020, to prevent wire and mail fraud that could lead to these domains being registered by unauthorized organizations or individuals.
The United States General Services Administration (GSA) oversees the DotGov program which operates the .GOV top-level domain (TLD) and makes these domains available to US-based government organizations, from local municipalities to federal agencies.
Security hardening for .gov domain registration
“As of March 10, 2020, the DotGov program will begin requiring notarized signatures on all authorization letters when submitting an application for a new .gov domain,” the DotGov Registrar said.
“This is a security enhancement needed to prevent mail and wire fraud via signature forgery when obtaining a .gov domain.
“This step will help maintain the integrity of .gov and ensure that .gov domains continue to be assigned only to official U.S. government organizations.”
To apply for a .gov domain name, government organizations must prepare and submit an authorization letter and complete an online form after receiving a .gov registration account.
This letter must use official letterhead and must include a signature from the applicant organization’s authorizing authority on the DotGov program site Explain.
This is the letter that will need to be accompanied by a notarized signature starting March 10, 2020, to prevent future attempts to register .gov domains without permission.
Anyone can register a .gov domain
The GSA asserts that .gov domains are exclusively granted to US government organizations and lend legitimacy to government websites and online tools, ensuring customer confidence that content is from an official source.
However, as a freelance investigative journalist Brian Krebs previously reported, until the new rules are enacted, almost anyone can register a .gov domain using false information on the authorization letter required by the GSA, albeit illegally and with the risk of being charged with wire or mail fraud if caught.
A researcher confirmed this was possible by saying he was able to register a .gov in November 2019 using a fake Google Voice number and Gmail address, as well as an official letterhead taken from documents from a government organization. legitimate.
“I never said it was legal, just that it was easy,” the researcher said. “I assumed there would be at least some ID verification. The most thorough search I had to do was the Yellow Pages records.”
When contacted, the GSA said it “already has additional fraud prevention controls in place,” without detailing what steps it has taken to prevent future attempts to fraudulently register .gov.
The Cybersecurity and Infrastructure Security Agency (CISA) has shared its intent to take over management of the GSA’s .gov TLD since “the .gov top-level domain (TLD) is critical infrastructure for thousands of federal government organizations. , state and local across the country.”
A bipartisan bill known as the “DOTGOV Act of 2019and sponsored by U.S. Senator Gary Peters was introduced in the Senate on October 30, 2019, seeking, among other things, to give CISA authority to manage the .gov TLD after assuming governance of the GSA.