Latest news of the domain name industry

Recent Posts

KPMG dumps .com for dot-brand gTLD

Kevin Murphy, April 12, 2019, Domain Registries

KPMG has become the latest company to dump its .com domain in favor of its dot-brand gTLD.

The company recently announced that it is now using home.kpmg as its primary web site domain, replacing kpmg.com.

The migration appears to be complete already. URLs on the old .com address now bounce users to the equivalent page on .kpmg. Web searches for KPMG return the .kpmg domain as the top hit.

KPMG said in a press release:

The move enhances the KPMG brand through a strong, simplified name, and provides end users with a level of assurance that any site that ends with .kpmg is owned and operated by KPMG.

Since the top level domain can only be used by KPMG, visitors to sites that use the new top level domain can easily confirm its authenticity and be assured that the information they contain is reliable and secure.

The company said that it is the first of the “Big Four” professional services firms to make the switch.

This is technically correct. Rival Deloitte uses several .deloitte domains, but it has not bit the bullet and migrated from its .com.

Of the other two, Ernst & Young does not have a dot-brand, and PricewaterhouseCoopers does not use its .pwc extension beyond a single experimental domain that redirects to pwc.com.

KPMG had revenue just shy of $29 billion last year and is one of the most recognizable brands in the corporate world.

.com outsells new gTLDs by 2:1 in 2018

The number of registered .com domains increased by more than double the growth of all new gTLDs last year, according to figures from Verisign.

The latest Domain Name Industry Brief reports that .com grew by 7.1 million names in 2018, while new gTLDs grew by 3.2 million names.

.com ended the year with 139 million registered names, while the whole new gTLD industry finished with 23.8 million.

It wasn’t all good news for Verisign, however. Its .net gTLD shrunk by 500,000 names over the period, likely due to the ongoing impact of the new gTLD program.

New gTLDs now account for 6.8% of all registered domains, compared to 6.2% at the end of 2017, Verisign’s numbers state.

Country codes fared better than .com in terms of raw regs, growing by 8.2 million domains to finish 2018 with 154.3 million names.

But that’s including .tk, the free ccTLD where dropping or abusive domains are reclaimed and parked by the registry and never expire.

Excluding .tk, ccTLDs were up by 6.6 million names in the year. Verisign estimates .tk as having a modest 21.5 million names.

The latest DNIB, and quarterly archives, can be downloaded from here.

Verisign gets approval to sell O.com for $7.85

ICANN is to grant Verisign the right to sell a single-character .com domain name for the first time in over 25 years.

The organization’s board of directors is due to vote next Thursday to approve a complex proposal that would see Verisign auction off o.com, with almost all of the proceeds going to good causes.

“Approval of Amendment to Implement the Registry Service Request from Verisign to Authorize the Release for Registration of the Single-Character, Second-Level Domain, O.COM” is on the consent agenda for the board’s meeting at the conclusion of ICANN 64, which begins Saturday in Kobe, Japan.

Consent agenda placement means that there will likely be no further discussion — and no public discussion — before the board votes to approve the deal.

Verisign plans to auction the domain to the highest bidder, and then charge premium renewal fees that would essentially double the purchase price over a period of 25 years.

But the registry, already under scrutiny over its money-printing .com machine, would be banned from profiting from the sale.

Instead, Verisign would only receive its base registry fee — currently $7.85 per year — with the rest being held by an independent third party that would distribute the funds to worthy non-profit causes.

ICANN had referred the Verisign proposal, first put forward in December 2016, to the US government, and the Department of Justice gave it the nod in December 2017.

There was also a public comment period last May.

The request almost certainly came about due to Overstock.com’s incessant lobbying. The retailer has been obsessed with obtaining o.com for well over a decade, but was hamstrung by the legacy policy, enshrined in the .com registry agreement, that forbids the sale of single-character domains.

Whoever else wants to buy o.com, they’ll be bidding against Overstock, which has a trademark.

It’s quite possible nobody else will bid.

When Overstock briefly rebranded as O.co several years ago — it paid $350,000 for that domain — it said it saw 61% of its traffic going to o.com instead.

All single-character .com names that had not already been registered were reserved by IANA for technical reasons in 1993, well before ICANN took over DNS policy.

Today, only q.com, z.com and x.com are registered. Billionaire Elon Musk, who used x.com to launch PayPal, reacquired that domain for an undisclosed sum in 2017. GMO Internet bought z.com for $6.8 million in 2014.

With the sale of o.com now a near certainty, it is perhaps only a matter of time before more single-character .com names are also released.

No gTLD approved after 2012 has a restriction on single-character domains.

As a matter of disclosure: several years ago I briefly provided some consulting/writing services to a third party in support of the Verisign and Overstock positions on the release of single-character domain names, but I have no current financial interest in the matter.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Court rules generic dictionary domains CAN be trademarked

Kevin Murphy, February 11, 2019, Domain Policy

A US appeals court has ruled that generic, dictionary domain names can be trademarked.

The hotel-booking web site Booking.com was told last week that it is in fact eligible to have “Booking.com” registered as a trademark, over the objections of the US Patent and Trademark Office.

The ruling could have a chilling effect on domain name choices in the hotel-booking market.

USPTO had denied the company’s trademark application in 2012 because “Booking.com” was considered too generic.

Under US trademark law, you can’t register a trademark if it merely generically describes the product or service you offer rather than its source.

You couldn’t register “Beer” as a brand of beer, for example, though you might be able to register “Beer” as a brand of shoes.

Booking.com sued to have the USPTO ruling overturned in 2016, and in 2017 a district court judge ruled that “although ‘booking’ was a generic term for the services identified, BOOKING.COM as a whole was nevertheless a descriptive mark”.

USPTO appealed, saying that “Booking.com” is too generic to be trademarked, but last week it lost.

In a 2-1 majority decision, the appeals court ruled:

We hold that the district court, in weighing the evidence before it, did not err in finding that the USPTO failed to satisfy its burden of proving that the relevant public understood BOOKING.COM, taken as a whole, to refer to general online hotel reservation services rather than Booking.com the company… we reject the USPTO’s contention that adding the
top-level domain (a “TLD”) .com to a generic second-level domain (an “SLD”) like booking can never yield a non-generic mark.

Key evidence was a survey Booking.com had submitted that indicated that almost three quarters of consumers understood “Booking.com” to be a brand name, rather than a generic term to describe hotel-booking web sites.

Here are some other extracts of the appeals court majority’s thinking, as they relate to domain names:

Merely appending .com to an SLD does not render the resulting domain name non-generic because the inquiry is whether the public primarily understands the term as a whole to refer to the source or the proffered service.

We… conclude that when “.com” is combined with an SLD, even a generic SLD, the resulting composite may be non-generic where evidence demonstrates that the mark’s primary significance to the public as a whole is the source, not the product

because trademarks only protect the relevant service — here, the district court granted protection as to hotel reservation services but not travel agency services — protection over BOOKING.COM would not necessarily preclude another company from using, for example, carbooking.com or flightbooking.com

In sum, adding “.com” to an SLD can result in a non-generic, descriptive mark upon a showing of primary significance to the relevant public. This is one such case.

The ruling does not appear to protect all uses of a generic dictionary word combined with a TLD, but rather only “rare circumstances” where there’s evidence of a secondary, non-generic meaning.

One judge on the case, James Wynn, was not convinced by the majority’s thinking. He warned that the ruling goes against years of legal precedent and could enable Booking.com to subject competitors to expensive litigation.

In his dissenting opinion, he wrote:

BOOKING.COM is a run-of-the-mill combination of a generic term with a Top Level Domain that creates a composite mark concerning the subject or business encompassed by the generic term—precisely the type of mark that the courts in Hotels.com, Reed Elsevier Properties, 1800Mattress.com, and Advertise.com found did not amount to the “rare circumstance” that warranted affording the domain name trademark protection.

Presumptively allowing protection of domain names composed of a generic Secondary Level Domain and Top Level Domain conflicts with the law’s longstanding refusal to permit registration of generic terms as trademark

Wynn added that he was “not convinced” that Booking.com’s competitors that use the word “booking” in their domains will be protected by the “fair use” defense, and that the existence of such a defense will not prevent Booking.com from suing them out of business regardless.

Put simply, putative competitors may — and likely will — choose not to operate under domain names that include the word “booking” — even if that term best describes the service they offer — because they do not want to incur the expense and risk of defending an infringement action.

The full ruling can be read here (pdf).