Verisign has been given approval to start restricting who can and cannot register .com and .net domain names in various countries.
Customers of Chinese registrars are the first to be affected by the change to the registry’s back-end system, which was made last year.
ICANN last week gave Verisign a “free to deploy” notice for a new “Verification Code Extension” system that enables the company to stop domains registered via selected registrars from resolving unless the registrant’s identity has been verified and the name is not on China’s banned list.
It appears to be the system Verisign deployed in order to receive its Chinese government license to operate in China.
Under Verification Code Extension, Verisign uses ICANN records to identify which registrars are based in countries that have governmental restrictions. I believe China is currently the only affected country.
Those registrars are able to register domains normally, but Verisign will prevent the names from resolving (placing them in serverHold status and keeping them out of the zone file) unless the registration is accompanied by a verification code.
These codes are distributed to the affected registrars by at least two verification service providers. Verisign, in response to DI questions, declined to name them.
Under its “free to deploy” agreement with ICANN (pdf), Verisign is unable to offer verification services itself. It must use third parties.
The company added the functionality to its .com and .net registry as an option in February 2016, according to ICANN records. It seems to have been implemented last July.
A Verisign spokesperson said the company “has implemented” the system.
The Verification Code Extension — technically, it’s an extension to the EPP protocol pretty much all registries use — was outlined in a Registry Services Evaluation Process request (pdf) last May, and approved by ICANN not long after.
Verisign was approved to operate in China last August in the first wave of gTLD registries to obtain government licenses.
Under Chinese regulations, domain names registered in TLDs not approved by the government may not resolve. Registrars are obliged to verify the identities of their registrants and names containing certain sensitive terms are not permitted.
Other gTLDs, including .vip, .club, .xyz .site and .shop have been granted approval over the last few months.
Some have chosen to work with registration gateway providers in China to comply with the local rules.
Apart from XYZ.com and Verisign, no registry has sought ICANN approval for their particular implementation of Chinese law.
Because Chinese influence over ICANN is a politically sensitive issue right now, it should be pointed out that the Verification Code Extension is not something that ICANN came up with in response to Chinese demands.
Rather, it’s something Verisign came up with in response to Chinese market realities. ICANN has merely rubber-stamped a service requested by Verisign.
This, in other words, is a case of China flexing market muscle, not political muscle. Verisign, like many other gTLD registries, is over-exposed to the Chinese market.
It should also be pointed out for avoidance of doubt that the Chinese restrictions do not apply to customers of non-Chinese registrars.
However, it appears that Verisign now has a mechanism baked into its .com and .net registries that would make it much easier to implement .com restrictions that other governments might choose to put into their own legislation in future.
The .com domain is still the runaway leader TLD for phishing, with new gTLDs still being used for a tiny minority of attacks, according to new research.
.com domains accounted for 51% of all phishing in 2016, despite only having 48% of the domains in the “general population”, according to the 2017 Phishing Trends & Intelligence Report
from security outfit PhishLabs.
But new gTLDs accounted for just 2% of attacks, despite separate research showing they have about 8% of the market.
New gTLDs saw a 1,000% increase in attacks on 2015, the report states.
The statistics are based on PhishLabs’ analysis of nearly one million phishing sites discovered over the course of the year and include domains that have been compromised, rather than registered, by attackers.
The company said:
Although the .COM top-level domain (TLD) was associated with more than half of all phishing sites in 2016, new generic TLDs are becoming a more popular option for phishing because they are low cost and can be used to create convincing phishing domains.
There are a few reasons new gTLDs are gaining traction in the phishing ecosystem. For one, some new gTLDs are incredibly cheap to register and may be an inexpensive option for phishers who want to have more control over their infrastructure than they would with a compromised website. Secondly, phishers can use some of the newly developed gTLDs to create websites that appear to be more legitimate to potential victims.
Indeed, the cheapest new gTLDs are among the worst for phishing — .top, .xyz, .online, .club, .website, .link, .space, .site, .win and .support — according to the report.
But the numbers show that new gTLDs are significantly under-represented in phishing attacks.
According to separate research from CENTR, there were 309.4 million domains in existence at the end of 2016, of which about 25 million (8%) were new gTLDs.
Yet PhishLabs reports that new gTLD domains were used for only about 2% of attacks.
CENTR statistics have .com with a 40% share of the global domain market, with PhishLabs saying that .com is used in 51% of attacks.
The difference in the market share statistics between the two sets of research is likely due to the fact that CENTR excludes .tk from its numbers.
Again, because PhishLabs counts hacked sites — in fact it says the “vast majority” were hacked — we should probably exercise caution before attributing blame to registries.
But PhishLabs said in its report:
When we see a TLD that is over-represented among phishing sites compared to the general population, it may be an indication that it is more apt to being used by phishers to maliciously register domains for the purposes of hosting phishing content. Some TLDs that met these criteria in 2016 included .COM, .BR, .CL, .TK, .CF, .ML, and .VE.
By far the worst ccTLD for phishing was Brazil’s .br, with 6% of the total, according to the report.
Also notable were .uk, .ru, .au, .pl, and .in, each with about 2% of the total, PhishLabs said.
The domain name industry is kicking off one of its most fundamental shifts in its plumbing this week.
Over the next two years, Verisign and every registrar that sells .com domains will have to rejigger their systems to convert .com from a “thin” to “thick” Whois.
This means that by February 1, 2019, Verisign will for the first time control the master database of all Whois records for .com domains, rather than it being spread piecemeal across all registrars.
The switch comes as a result of a years-in-the-making ICANN policy that officially came into force yesterday. It also applies to .com stablemates .net and .jobs.
The first big change will come August 1 this year, the deadline by which Verisign has to give all of its registrars the ability to submit thick Whois records both live (for new regs) and in bulk (for existing ones).
May 1, 2018 is the deadline for all registrars to start submitting thick Whois for new regs to Verisign, but they can start doing so as early as August this year if they want to.
Registrars have until February 1, 2019 to supply Verisign with thick Whois for all their existing registrations.
There’s a process for registrars who believe they would be violating local privacy laws by transferring this data to US-based Verisign to request an exemption, which may prevent the transition going perfectly uniformly.
Some say that the implementation of this policy may allow Verisign to ask for the ability to ask a for an increase in .com registry fees — currently frozen at the command of the US government — due to its inevitably increased costs.
Personally, I think the added costs will likely be chickenfeed compared to the cash-printing machine that is .com, so I think it’s far from a slam-dunk that such fee increases would be approved.
Verisign could be running a “thick” Whois database for .com, .net and .jobs by mid-2017, under a new ICANN proposal.
A timetable published this week would see the final three hold-out gTLDs fully move over to the standard thick Whois model by February 2019, with the system live by next August.
Some people believe that Verisign might use the move as an excuse to increase .com prices.
Thick Whois is where the registry stores the full Whois record, containing all registrant contact data, for every domain in their TLD.
The three Verisign TLDs currently have “thin” Whois databases, which only store information about domain creation dates, the sponsoring registrar and name servers.
The model dates back to when the registry and registrar businesses of Verisign’s predecessor, Network Solutions, were broken up at the end of the last century.
But it’s been ICANN consensus policy for about three years for Verisign to eventually switch to a thick model.
Finally, ICANN has published for public comment its anticipated schedule (pdf) for this to happen.
Under the proposal, Verisign would have to start offering registrars the ability to put domains in its thick Whois by August 1 2017, both live via EPP and in bulk.
It would not become obligatory for registrars to submit thick Whois for all newly registered domains until May 1, 2018.
They’d have until February 1, 2019 to bulk-migrate all existing Whois records over to the new system.
Thick Whois in .com has been controversial for a number of reasons.
Some registrars have expressed dissatisfaction with the idea of migrating part of their customer relationship to Verisign. Others have had concerns that local data protection laws may prevent them moving data in bulk overseas.
The new proposal includes a carve-out that would let registrars request an exemption from the requirements if they can show it would conflict with local laws, which holds the potential to make a mockery out of the entire endeavor.
Some observers also believe that Verisign may use the expense of building and operating the new Whois system as an excuse to trigger talks with ICANN about increasing the price of .com from its current, frozen level.
Under its .com contract, Verisign can ICANN ask for a fee increase “due to the imposition of any new Consensus Policy”, which is exactly what the move to thick Whois is.
Whether it would choose to exercise this right is another question — .com is a staggeringly profitable cash-printing machine and this Whois is not likely to be that expensive, relatively speaking.
The proposed implementation timetable is open for public comment until December 15.
Have you ever heard of .com, .net and .org?
That question was posed to 3,349 domain name registrants in 24 countries by market research firm Nielsen this June and guess what — awareness of all three cornerstone gTLDs was down on a comparable 2015 survey.
Unbelievably, only 85% of respondents professed to be aware of .com’s existence, compared to 86% in 2015.
Equally unbelievably, awareness of .net and .org fell from 76% to 69% and from 70% to 65% respectively between 2015 and 2016, the survey found.
Those are just three among many hundreds of findings of the Nielsen survey, which was carried out in order to inform ICANN’s Competition, Consumer Trust & Consumer Choice Review.
The CCT is one of the reviews deemed mandatory before ICANN is able to launch the next round of new gTLD applications.
A great many of the numbers revealed by the survey are seriously open to question — some could even be empirically proven wrong.
But David Dickinson, project lead for Nielsen on the survey, told DI yesterday that the numbers themselves are less important than the trends, or lack thereof, that they might represent.
Nielsen carried out two surveys in 2015 — one of consumers and one of registrants — then repeated both surveys again a year later.
Respondents were selected from a pool of people who have at some point indicated to third-party market research companies that they are available to take surveys online, Dickinson said. They are usually compensated via some kind of redeemable loyalty points scheme.
The registrant surveys were limited to those who said they have registered a domain name. The consumer survey was limited to those who said they spend more than five hours a week online.
While the number of respondents were measured in the low thousands, the idea is that they provide a representative sample of all internet users and domain name registrants.
But there’s a lot of weirdness in the numbers.
Dickinson said that the 85% awareness number for .com could be due partly to random “mechanical errors” — people clicking the wrong buttons on their survey form — but said that lack of awareness was more common among younger respondents who were more likely to be aware of newer, less generic TLDs.
The surveys also highlighted a bizarre split in TLD awareness between consumers and registrants.
Given that registrants are a subset of consumers, and given that they are by definition more familiar with domain names, you’d expect respondents to the registrant surveys to show higher TLD awareness than those responding to the consumer surveys.
But the opposite was true.
The surveys found, for example, that 95% of consumers knew about .com, but only 85% of registrants did. For .net and .org the numbers were 88%/69% and 83%/65% respectively. None of it makes any sense.
Dickinson said that the 2015 consumer/registrant awareness numbers were “almost identical”.
“My only real conclusion here is that [in 2016] there was some systematic difference in the diligence that the registrants selected these names on these awareness questions, and that a large portion of that is just due to random variation,” he said.
“However, when we do look at those people who are registering new gTLDs, they tended to have much lower awareness of those legacy gTLDs than those people who were unaware or had not registered those new gTLDs,” he said.
“The people who said they did not recognize any of those new gTLDs at all the are very very centric on the legacy gTLDs and in particular .com,” he said.
“I think the data is overstated because of the random variation but there is a learning here when we break it down… that those legacy domains are becoming less relevant or less noticed by the younger people and the people who are registering these new gTLDs,” he said.
“I think there is a shift going on, but it’s not as big as what is stated here [in the numbers],” he said.
The surveys also looked at awareness and registration levels for new, 2012-round gTLDs, but again the numbers probably don’t accurately reflect reality.
For example, 39% of registrants claimed to have heard of .email domain names and 15% claimed to have actually registered one.
Again, these numbers don’t seem plausible. There are fewer than 60,000 .email domains in existence today. Even if there were only one million domain registrants in the world, 15% registration rate would mean at least 150,000 names should have been sold.
Dickinson said that this number could have been higher due to selection bias. The survey took about half an hour on average to fill out, so people more personally interested or invested in internet or domain name related stuff might have been more likely to stick around and complete it.
Interestingly, new gTLD awareness rates in North America were substantially lower than awareness elsewhere in the world. For example, only 25% of North Americans professed to have heard of .news, but that grew to 42% in Asia where most languages use a different script.
My sense here is that respondents — which all took the surveys in their native languages — may have just been clicking to confirm English words they recognized, rather than TLDs they had seen in the wild.
Nielsen clearly suspected that there would be an element of “false recall” among respondents because it actually included some fake TLDs among the real ones.
This led to findings such as: 26% of Africans have heard of .cairo, 17% of North Americans have heard of .toronto and 21% of South Americans have heard of .bogota.
None of those city TLDs exist.
Dickinson explained this as “assumed familiarity”.
“What very much seems to happen is that if something has an implied ‘face validity’ — it seems to make sense or seems to be readily interpretable — then those ones will get higher stated awareness than the ones that are just random letters, such as .xyz,” he said.
Indeed, while there are over six million .xyz domains out there today, with high-profile registrants including Google, only 13% of respondents claimed to be aware of it.
“The more implied familiarity or sense of familiarity there is, the more likely people are to feel like they’ve been there or seen it, so it’s definitely a false recall, but the learning from that is that the more interpretable… those things are then they have more easy acceptance by consumers than things that are not interpretable,” Dickinson said.
The surveys did not only cover awareness and registration patterns. There are literally hundreds of data points in there covering different perceptions of TLDs new and old. I’ve just focused here on the ones that made me question whether the survey was worth the time, expense and paper it was written on.
But Dickinson said that the raw numbers are not necessarily what the ICANN review teams should be looking at.
“Maybe the absolute number is not exactly dead-on, but what are the relationships between the numbers?” he said.
“I tend to look at the relationships, so for example one of the objectives of doing this survey was to see if the new gTLD program impacted the perception of the industry in any way, or trustworthiness in the industry,” he said.
“For example, we can say we’re not sure it improved — the numbers didn’t change significantly in that direction to allow us to definitively say it improved — but it certainly did not decline,” he said. “We can rule out that it declined.”
“Overall, we can say that the new gTLD program is emerging with fairly strong awareness, relative,” he said.
“We can also say with certainty that none of those new gTLDs are anywhere approaching the awareness of the legacy gTLDs, and even if there is some erosion in the legacy gTLDs it’s going to take a long time for those to reach parity, if they ever do,” he said.
The Nielsen surveys are one input to the work of the volunteer CCT Review Team, which intends to publish its preliminary report before the end of the year.
CCT-RT chair Jonathan Zuck recently published a blog post on the ICANN web site giving a progress report on recent work.