Latest news of the domain name industry


GoDaddy flips hosting business for $456 million

GoDaddy has sold off its recently acquired PlusServer business for €397 million ($456 million).

The buyer is a private equity firm, BC Partners.

The registrar had taken control of the business when it spent $1.79 billion on Host Europe Group earlier this year, but had said from the start that the asset was for sale.

PlusServer sells hosting to larger companies, which have more demanding support needs than small-business-focused GoDaddy is accustomed to dealing with.

The unit was bringing in annual revenue approaching $100 million.

GoDaddy said it planned to put the proceeds of the flip towards paying off some loans.

Over 750 domains hijacked in attack on Gandi

Gandi saw 751 domains belonging to its customers hijacked and redirected to malware delivery sites, the French registrar reported earlier this month.

The attack saw the perpetrators obtain Gandi’s password for a gateway provider, which it did not name, that acts as an intermediary to 34 ccTLD registries including .ch, .se and .es.

The registrar suspects that the password was obtained by the attacker exploiting the fact that the gateway provider does not enforce HTTPS on its login pages.

During the incident, the name servers for up to 751 domains were altered such that they directed visitors to sites designed to compromise unpatched computers.

The redirects started at 0804 UTC July 7, and while Gandi’s geeks had reversed the changes by 1615 it was several more hours before the changes propagated throughout the DNS for all affected domains.

About the theft of its password, Gandi wrote:

These credentials were likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal (the web platform in question allows access via http).

It’s not clear why a phishing attack, which would seem the more obvious way to obtain a password, was ruled out.

Gandi posted a detailed timeline here, while Swiss registry Switch also posted an incident report from its perspective here. An affected customer, who just happened to be a security researcher, posted his account here.

Gandi says it manages over 2.1 million domains across 730 TLDs.
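The weakness Gandi suspects, a partner login page reachable over plain HTTP, is something a registrar can check for before trusting a portal with credentials. The following is an added example, not code from Gandi or the gateway provider: it audits captured responses from a login page for HTTPS enforcement. The host gateway.example, the response dictionaries, the finding names and the HSTS threshold are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example

def audit_login_transport(http_resp, https_resp):
    """Return findings for a login page, given its plain-HTTP and HTTPS responses.
    Each response: {"status": int, "headers": {lowercase-name: value}, "body": str}."""
    findings = []
    # 1. Plain HTTP must redirect to HTTPS, never serve the login form itself.
    location = http_resp["headers"].get("location", "")
    if http_resp["status"] not in (301, 302, 307, 308):
        findings.append("http-serves-content")
    elif urlsplit(location).scheme != "https":
        findings.append("http-redirect-not-https")
    # 2. HSTS keeps returning browsers from ever trying HTTP again.
    hsts = https_resp["headers"].get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("hsts-missing")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("hsts-too-short")
    # 3. Session cookies without Secure are also sent over plain HTTP.
    for cookie in https_resp["headers"].get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie-not-secure:" + cookie.split("=", 1)[0])
    # 4. A form posting to http:// exposes the password even from an HTTPS page.
    for action in re.findall(r'<form[^>]*\baction="([^"]*)"', https_resp["body"], re.I):
        if urlsplit(action).scheme == "http":
            findings.append("form-posts-over-http")
    return findings

# Constructed responses for a hypothetical portal, gateway.example
WEAK_HTTP = {"status": 200, "headers": {}, "body": '<form action="/login" method="post">'}
WEAK_HTTPS = {"status": 200,
              "headers": {"set-cookie": ["SID=abc123; Path=/; HttpOnly"]},
              "body": '<form action="http://gateway.example/login" method="post">'}
GOOD_HTTP = {"status": 301, "headers": {"location": "https://gateway.example/login"}, "body": ""}
GOOD_HTTPS = {"status": 200,
              "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains",
                          "set-cookie": ["SID=abc123; Path=/; HttpOnly; Secure"]},
              "body": '<form action="/login" method="post">'}

if __name__ == "__main__":
    print("weak:", audit_login_transport(WEAK_HTTP, WEAK_HTTPS))
    print("good:", audit_login_transport(GOOD_HTTP, GOOD_HTTPS))
```
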

ICANN expects to lose 750 registrars in the next year

ICANN is predicting that about 750 accredited registrars will close over the next 12 months due to the over-saturation of the drop-catching market.

ICANN VP Cyrus Namazi made the estimate while explaining ICANN’s fiscal 2018 budget, which is where the projection originated, at the organization’s public meeting in South Africa last week.

He said that ICANN ended its fiscal 2017 last week with 2,989 accredited registrars, but that ICANN expects to lose about 250 per quarter starting from October until this time next year.

These almost 3,000 registrars belong to about 400 registrar families, he said.

By my estimate, roughly two thirds of the registrars are shell accreditations under the ownership of just three companies — Web.com (Namejet and SnapNames), Pheenix, and TurnCommerce (DropCatch.com).

These companies lay out millions of dollars on accreditation fees in order to game ICANN rules and get more connections to registries — mainly Verisign’s .com.

More connections give them a greater chance of quickly registering potentially valuable domains milliseconds after they are deleted. Drop-catching, in other words.

But Namazi indicated that ICANN’s cautious “best estimate” is that there’s not enough good stuff dropping to justify the number of accreditations these three companies own.

“With the model we have, I believe at the moment the total available market for these sought-after domains that these multifamily registrars are after is not able to withstand the thousands of accreditations that are there,” he said. “Each accreditation costs quite a bit of money.”

Having a registrar accreditation costs $4,000 a year, not including ICANN’s variable and transaction fees.

“We think the market has probably gone beyond what the available market is,” he said.

He cautioned that the situation was “fluid” and that ICANN was keeping an eye on it because these accreditation fees have become material to its budget in the last few years.

If the three drop-catchers do start dumping registrars, it would reveal an extremely short shelf life for their accreditations.

Pheenix upped its registrar count by 300 and DropCatch added 500 to its already huge stable as recently as December 2016.

GoDaddy launches security service after Sucuri acquisition

GoDaddy has revealed the first fruits of its March acquisition of web security service provider Sucuri.

It’s GoDaddy Website Security, which appears to be a budget version of the services Sucuri already offers on a standalone basis.

For $6.99 per month ($83.88/year), the service monitors your web site for malware and removes it upon request. It also keeps tabs on major blacklists to make sure you’re not being blocked by Google, Norton or McAfee.

This low-end offering gets you a 12-hour response time for the cleanup component. You can up that to 30 minutes by taking out the $299.99 per year plan.

The more expensive plan also includes DDoS protection, a malware firewall and integration with a content delivery network for performance.

There’s also an intermediate, $19.99-per-month ($239.88/year) plan that includes the extra features but keeps the response time at 12 hours.

An SSL certificate is included in the two more-expensive packages.

The pricing and feature set look to compare reasonably well with Sucuri’s standalone products, which start at $16.66 a month and offer response times as fast as four hours.

As somebody who has suffered from three major security problems on GoDaddy over the last decade or so, and found GoDaddy’s response abysmal on all three occasions (despite my generally positive views of its customer service), the new service is a somewhat tempting proposition.

Zero registrars pass ICANN audit

Some of the biggest names in the registrar game were among a bewildering 100% that failed an ICANN first-pass audit in the latest round of random compliance checks.

Of the 55 registrars picked to participate in the audit, a resounding 0 passed the initial audit, according to data released today.

Among them were recognizable names including Tucows, Register.com, 1&1, Google and Xin Net.

ICANN found 86% of the registrars had three or more “deficiencies” in their compliance with the 2013 Registrar Accreditation Agreement.

By far the most problematic area was compliance with sections 3.7.7.1 to 3.7.7.12 of the RAA, which specify what terms registrars must put in their registration agreements and how they verify the contact details of their customers.

A full three quarters of audited registrars failed on that count, according to ICANN’s report (pdf).

More than half of tested registrars failed to live up to their commitments to respond to reports of abuse, where they’re obliged among other things to have a 24/7 contact number available.

There was one breach notice to a registrar as a result of the audit, but none of the failures were serious enough for ICANN to terminate the deficient registrar’s contract. Two registrars self-terminated during the process.

ICANN’s audit program is ongoing and operates in rounds.

In the current round, registrars were selected from those which either hadn’t had an audit in a couple of years, were found lacking in previous rounds, or had veered dangerously close to formal breach notices.

The round kicked off last September with requests for documents. The initial audit, which all registrars failed, was followed by a remediation phase from January to May.

Over the remediation phase, only one third of the registrars successfully resolved all the issues highlighted by the audit. The remainder issued remediation plans and will be followed up on in future rounds.

The 0% pass rate is not unprecedented. It’s the same as the immediately prior audit (pdf), which ran from May to October 2016.