Latest news of the domain name industry

WordPress founder criticizes NSI’s security

Kevin Murphy, April 13, 2010, Domain Registrars

WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.

It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.

Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”

WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.

If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.

That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.

The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.

Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.

NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.
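An added example, not from the original post, NSI or WordPress: a Python audit that a hosting administrator could run over a shared web root to flag wp-config.php files that other local accounts can read. The directory layout, function names and sample password are constructed for illustration, and the check on parent-directory permissions goes slightly beyond the case described above.

```python
import os
import stat
import tempfile

def others_can_traverse(root, directory):
    """True if every directory from root down to `directory` grants o+x."""
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False
        if directory == root:
            return True
        directory = os.path.dirname(directory)

def audit_wp_configs(root):
    """Return sorted (relative path, octal mode, verdict) per wp-config.php."""
    root = os.path.realpath(root)
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IWOTH:
            verdict = "world-writable"
        elif not mode & stat.S_IROTH:
            verdict = "ok"                   # only owner/group bits are set
        elif others_can_traverse(root, dirpath):
            verdict = "exposed"              # any local account can read it
        else:
            verdict = "masked-by-directory"  # loose file, parent denies others
        results.append((os.path.relpath(path, root), oct(mode), verdict))
    return sorted(results)

def build_demo_tree():
    """Constructed sample: three customer sites on one shared server."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.chmod(root, 0o755)
    layout = {"alice": (0o755, 0o644), "bob": (0o755, 0o640), "carol": (0o750, 0o644)}
    for site, (dir_mode, file_mode) in layout.items():
        site_dir = os.path.join(root, site)
        os.mkdir(site_dir)
        cfg = os.path.join(site_dir, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
        os.chmod(cfg, file_mode)
        os.chmod(site_dir, dir_mode)
    return root

if __name__ == "__main__":
    print(*audit_wp_configs(build_demo_tree()), sep="\n")
```

A "masked-by-directory" result still deserves a fix, since the file becomes readable the moment the directory mode is loosened.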


WIPO’s UDRP market share lead narrows

Kevin Murphy, April 13, 2010, Domain Policy

The number of UDRP cases filed with the National Arbitration Forum dipped slightly last year, according to NAF numbers released today.

The organization said it received 1,759 filings last year, compared to 1,770 in 2008. Only 1,333 of the cases were actually heard; the others were dropped or settled.

While that’s a decline for NAF, it’s not quite as steep as the almost 10% drop experienced by rival arbitrator WIPO over the same period.

That said, WIPO is still the primary choice of companies trying to enforce their trademarks in the domain name system, saying last month that it received 2,107 complaints in 2009.

It was also the year of big multi-domain cases for both outfits.

WIPO handed 1,542 domains to Inter-Continental Hotels in a single case, while NAF transferred a relatively modest 1,017 domains to ConsumerInfo.com.


.xxx jumps on social media bandwagon

Kevin Murphy, April 12, 2010, Domain Registries

ICM Registry, the firm behind the proposed .xxx TLD, has belatedly joined the social media revolution, setting up a Facebook fan page and a Twitter account to expound the benefits of pornographic domain names.

I’d hazard a guess that this is in response to the deluge of negative opinion currently directed at it in ICANN’s public comment forum.

If you can wade through the Christian spam there, you’ll find only a handful of people backing ICM.

Some of these comments come from policy wonks, urging ICANN to show it can be as accountable as it says it is.

Others come from random individuals, suspiciously based in ICM’s home state of Florida.

If this woman, for example, is not British ICM president Stuart Lawley’s green card lawyer, I’ll eat my beanie.

Hat tip: @mneylon


Politics at play in DNS CERT debate

Kevin Murphy, April 12, 2010, Domain Policy

ICANN chief Rod Beckstrom may have shot himself in the foot when he claimed at the Nairobi meeting that the domain name system is “under attack” and “could stop at any given point in time”.

Beckstrom wants ICANN to create a new CERT, Computer Emergency Response Team, to coordinate DNS security, but he’s now seeing objections from country-code domain managers, apparently connected to his remarks last month.

Chris Disspain of auDA, Australia’s .au registry, has just filed comments on behalf of the ccNSO council, which he chairs, saying it’s not clear whether there’s any need for a DNS CERT, and that ICANN is moving too fast to create one.

It’s pretty clear from the ccNSO statement that Hot Rod’s fairly blunt remarks at the GAC meeting in Nairobi, which I transcribed in full here, have influenced the ccNSO’s thinking on the matter:

“the comments of ICANN’s CEO and President, Rod Beckstrom, to governmental representatives in Nairobi, have the potential to undermine the productive relationships established under ICANN’s multi-stakeholder model, cause damage to the effective relationships that many ccTLD operators have developed with their national administrations and discounted the huge efforts of many in the ICANN and broader security community to ensure the ongoing security and stability of the Internet”

Disspain had already written to Beckstrom in strong terms during the ICANN meeting, calling his comments “inflammatory” and reiterating some of the points made in the latest ccNSO filing.

Beckstrom’s response to Disspain’s first letter is here. I would characterize it as a defense of his position.

It seems pretty crazy that something as important as the DNS has no official security coordination body but, as Disspain points out, there are already some organizations attempting to tackle the role.

DNS-OARC, for example, was set up to fulfill the functions of a DNS CERT. However, as founder Paul Vixie confessed, it has so far failed to do so. Vixie thinks energies would be better spent fixing DNS-OARC, rather than creating a new body.

ICANN’s comments period on its DNS CERT business case is open for another couple of days. It’s so far attracted only a handful of comments, mostly skeptical, mostly filed by ccTLD operators and mostly suggesting that other organizations could handle the task better.

If Beckstrom’s aim in Nairobi was to reignite the debate and Get Stuff Done by scaring stakeholders into action, he may find he’s been successful.

However, if his aim was to place ICANN at the center of the new security initiative, he may ultimately live to regret his remarks.

Either way, I expect DNS security will eventually improve as a result.


.jobs aiming to become a gTLD by the back door?

Employ Media, the company behind the sponsored TLD .jobs, looks like it’s making a play to become a significantly more open gTLD.

The company has proposed a substantial relaxation of its registration policies, based on what may be a loophole in its ICANN registry contract.

Currently, the .jobs namespace is one of the most restrictive TLDs. Only company names can be registered, and registrants have to be approved HR professionals at those companies.

As you might imagine, it’s been phenomenally unsuccessful from a business point of view, with only about 15,000 domains registered since it went live five years ago.

Employ Media now wants to be able to register “non-companyname” domains, and is to apply to its sponsorship body, the Society for Human Resource Management, for permission.

At least, that’s what it looks like. The documents posted over at policy.jobs are pretty opaque.

Indeed, as ERE.net points out, the “proposed amendment” to its charter reads more like a claim that no amendment is required.

The company appears to be pursuing a business model whereby it could auction off …
