Latest news of the domain name industry

Recent Posts

ICANN shuts down new gTLD portal after finding more security bugs

Kevin Murphy, July 19, 2012, 05:32:13 (UTC), Domain Tech

ICANN has closed down part of its new generic top-level domain portal after finding “potential vulnerabilities” that put “confidential applicant information” at risk.

The shutdown — which has been going on for at least 30 hours — affects the Customer Service and Knowledge Base parts of the site, but ICANN said it is so far not aware of any attacks against the system.

While it’s waiting for a patch, ICANN has decided to move the affected areas behind the unpopular Citrix remote terminal software used previously in the TLD Application System.

This notice was posted on the site:

ICANN performs ongoing monitoring and analysis of our systems, including the Customer Service system. As part of this work, we recently identified potential vulnerabilities in the system used for Customer Service and the Knowledge Base (containing new gTLD articles and information).

Patches are being provided to ICANN to address these issues.

In the mean time, given that use of the Customer Service system was recently expanded, and now includes confidential applicant information, the decision was taken to move the system behind Citrix. This will provide for additional security for applicant information.

We are now testing the installation. This should be completed in the next few days. This decision is a proactive measure. There have been no known compromises to the data, attacks or other actions by third parties (other than our own analysis).

Off the top of my head — and I may be under-counting — this is the fifth significant technical glitch to hit the new gTLD program since April.

There was the notorious TAS bug, which took the system offline entirely for six weeks while ICANN fixed a data leakage vulnerability and upgraded its system capacity.

There was the Reveal Day screw-up, during which Arab community members noticed that all the applied-for Arabic gTLDs were broadcast back-to-front in a presentation.

Then ICANN accidentally published the home addresses of many applicants’ officers and directors, something it had promised not to do. This was probably human error and it has since apologized.

Then the “digital archery” batching system was yanked, after it emerged that TAS performance still wasn’t up to the task and that the scoring results were unreliable.

Former new gTLD program director Michael Salazar resigned a month ago; it is widely believed that he was taking the fall for the gTLD system bugs to that point.

While the latest bug appears — so far — to have not compromised any data, some applicants have nevertheless been frustrated by the fact that the customer service portal has been offline for over a day.

Tagged: , , ,

Comments (2)

  1. Scott Pinzon says:

    I don’t think it’s fair to characterize the “Reveal Day screw-up” as “significant.” That was merely a display issue in a single presentation; the actual Arabic IDNs in the system were correct. I say this with all deference and respect to Arabic community members.

    IMHO, some government clerk can spell my name wrong in a letter, as long as the government systems have my name entered correctly when I pay my taxes. I don’t view a single cosmetic incident as “significant.”

    I agree that the other problems you listed are substantive.

    • Kevin Murphy says:

      It certainly wasn’t on the scale of the other glitches, technologically speaking, but in terms of adverse PR impact I think it was in the same ball-park, at least in the Arab-speaking world.

Add Your Comment