Latest news of the domain name industry

Recent Posts

Human glitch lets hackers into ICANN

Kevin Murphy, December 17, 2014, Domain Policy

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.

For only the second time, ICANN tells the GAC to get stuffed

Kevin Murphy, November 3, 2014, Domain Policy

ICANN’s board of directors has decided to formally disagree with its Governmental Advisory Committee for what I believe is only the second time in the organization’s history.

In a letter to new GAC chair Thomas Schneider today, ICANN chair Steve Crocker took issue with the fact that the GAC recently advised the board to cut the GNSO from a policy-making decision.

The letter kick-starts a formal “Consultation Procedure” in which the board and GAC try to reconcile their differences.

It’s only the second time, I believe, that this kind of procedure — which has been alluded to in the ICANN bylaws since the early days of the organization — has been invoked by the board.

The first time was in 2010, when the board initiated a consultation with the GAC when they disagreed about approval of the .xxx gTLD.

It was all a bit slapdash back then, but the procedure has since been formalized somewhat into a seven-step process that Crocker outlined in an attachment to his letter (pdf) today.

The actual substance of the disagreement is a bit “inside baseball”, relating to the long-running (embarrassing, time-wasting) saga over protection for Red Cross/Red Crescent names in new gTLDs.

Back in June at the ICANN 50 public meeting in London, the GAC issued advice stating:

the protections due to the Red Cross and Red Crescent terms and names should not be subjected to, or conditioned upon, a policy development process

A Policy Development Process is the mechanism through which the multi-stakeholder GNSO creates new ICANN policies. Generally, a PDP takes a really long time.

The GNSO had already finished a PDP that granted protection to the names of the Red Cross and Red Crescent in multiple scripts across all new gTLDs, but the GAC suddenly decided earlier this year that it wanted the names of 189 national Red Cross organizations protected too.

And it wasn’t prepared to wait for another PDP to get it.

So, in its haste to get its changing RC/RC demands met by ICANN, the GAC basically told ICANN’s board to ignore the GNSO.

That was obviously totally uncool — a slap in the face for the rest of the ICANN community and a bit of an admission that the GAC doesn’t like to play nicely in a multi-stakeholder context.

But it would also be, Crocker told Schneider today, a violation of ICANN’s bylaws:

The Board has concerns about the advice in the London Communiqué because it appears to be inconsistent with the framework established in the Bylaws granting the GNSO authority to recommend consensus policies to the Board, and the Board to appropriately act upon policies developed through the bottom-up consensus policy developed by the GNSO.

Now that Crocker has formally initiated the Consultation Procedure, the process now calls for a series of written and face-to-face interactions that could last as long as six months.

While the GAC may not be getting the speedy resolution it so wanted, the ICANN board’s New gTLD Program Committee has nevertheless already voted to give the Red Cross and Red Crescent the additional protections the GAC wanted, albeit only on a temporary basis.

Two-letter domains to be released in new gTLDs

Kevin Murphy, October 20, 2014, Domain Registries

New gTLD registries will be able to release all two-character strings in their zones, following an ICANN decision last week.

The ICANN board of directors voted on Thursday to instruct ICANN’s executive to

develop and implement an efficient procedure for the release of two-character domains currently required to be reserved in the New gTLD Registry Agreement

The procedure will have to take into account the advice of the Governmental Advisory Committee issued at the end of last week’s ICANN 51 meeting in Los Angeles.

But that advice merely asks that governments are informed when a registry requests the release of two-character names.

All two-character strings were initially reserved due to the potential for confusion with two-letter ccTLDs.

But the GAC decided in LA that it doesn’t really have a problem with such strings being released, with some governments noting that ccTLD second-levels such as us.com and uk.com haven’t caused a problem to date.

The board’s decision is particularly good news for dot-brand applicants that may want to run domains such as uk.google or de.bmw to service specific regions where they operate.

Registries representing over 200 new gTLDs have already filed Registry Service Evaluation Process requests for the release of some two-character strings (some including ccTLD matches, some not).

It’s not yet clear how ICANN will go about removing the two-character restriction.

It may be more efficient to offer all registries a blanket amendment to the RA rather than process each RSEP request individually as it is today.

However, because the GAC has asked for notification on a case-by-case basis, ICANN may be forced to stick to the something along the lines of the existing procedure.

Bulgaria and Greece win IDN ccTLDs on appeal

Kevin Murphy, October 15, 2014, Domain Policy

Campaigns in Bulgaria and Greece to get ICANN to un-reject their Cyrillic and Greek-script ccTLD requests have proven successful.

The first decisions handed down by ICANN’s new Extended Process Similarity Review Panel this week said Bulgaria’s .бг and Greece’s .ελ are not “confusingly similar” to other ccTLDs after all.

However, a third appeal by the European Union over the Greek .ευ was rejected on the grounds that the string is too confusingly similar to .EV and .EY when in upper case.

Confusing strings should not be delegated, under ICANN rules, due to the risk of exacerbating the prevalence of security risks such as phishing attacks.

Bulgaria’s initial request for .бг was turned down in 2010 after a panel found it looks too similar to Brazil’s existing ccTLD, .br.

Greece’s bid for .ελ had been blocked for looking too much like .EA, a non-existent ccTLD that could be delegated to a new country in future.

While the initial panel’s process was pretty opaque, the newly published “extended” reviews appear to have employed a fairly scientific methodology to determine similarity.

Twenty American undergraduate student volunteers were shown pairs of strings briefly on screens designed to simulate web browsing. They then had to pick out which one they’d seen.

The volunteers were also shown pairs of similar-looking Latin-script ccTLDs that already exist, in order to establish a baseline for what should be considered an acceptable level of confusability.

The Greek and Bulgarian strings were both found to be less confusing than existing pairs of Latin-script ccTLDs and were therefore given the thumbs-up. The EU string flunked in upper case.

Under ICANN’s rules, it appears that .бг and .ελ can now proceed to delegation, while .ευ has been forever rejected.

The three reports can be downloaded here.

It will be interesting to see how the ICANN Governmental Advisory Committee will react to this.

It was pressure from the GAC — driven by the European Commission and Greece — back in 2012 that forced ICANN into creating the appeals process.

At ICANN’s meeting in Prague that year, the GAC said:

The GAC is of the view that decisions may have erred on the too-conservative side, in effect applying a more stringent test of confusability between Latin and non-Latin scripts than when undertaking a side by side comparison of Latin strings.

Now the EU seems to have been told that it still can’t have its requested ccTLD, and the standard applied was exactly the same standard as applies to Latin ccTLDs.

Will the GAC accept this determination, or stomp its feet?

GAC elects Swiss rep as new chair

Kevin Murphy, October 14, 2014, Domain Policy

ICANN’s Governmental Advisory Committee has elected Thomas Schneider of the Swiss government as its new chair.

The unprecedented, one-nation-one-vote secret ballot election at the ICANN 51 public meeting in Los Angeles today saw Schneider beat Lebanon’s Imad Hoballah by 61 votes to 37.

He will take over from Canadian incumbent Heather Dryden at the end of the week.

Schneider is deputy head of international affairs at the Swiss Federal Office of Communications (Ofcom).

He currently serves as one of the GAC’s three vice chairs.

The election was overseen by the Australian Continuous Improvement Group, which provides the GAC with ICANN-independent secretariat services.

Governments totally cool with two-letter domains

Kevin Murphy, October 13, 2014, Domain Registries

ICANN’s Governmental Advisory Committee does not plan to advise against the release of two-character domain names in new gTLDs.

In fact, judging by a GAC discussion at ICANN 51 in Los Angeles yesterday, the governments of many major nations are totally cool with the idea.

Under the standard Registry Agreement for new gTLD registries, all two-character domains (any combination of letters, numbers) must not be sold or activated in the DNS.

The blanket ban was designed to avoid clashes with two-letter ccTLD codes, both existing and future.

ICANN left the door open for registries to request the release of such names, however, and many companies have formally applied to do so via the Registry Services Evaluation Process.

Some registries want all two-character domains released, others have only asked for permission to sell those strings that do not match allocated ccTLDs.

There seems to have been an underlying assumption that governments may want to protect their geographic turf. That assumption may turn out to be untrue.

Representatives from the United States, Netherlands, Spain, Denmark, Australia, Austria and Iran all said yesterday that the GAC should not issue formal advice against the the two-character proposals.

No governments opposed that apparent consensus view.

“The use of the ‘US’ two-letter country code at the second level has not presented any technical or policy issues for the United States,” US rep Suzanne Radell said.

“We, in fact, do not require any approval for the use of US two-character country codes at the second level in existing gTLDs, and do not propose to require anything for new gTLDs,” she said.

She even highlighted domains such as us.com and us.org — which are marketed by UK-based CentralNic as alternatives to the .us ccTLD — as being just fine and dandy with the US government.

It seems likely that the GAC will instead suggest to ICANN that it is the responsibility of individual governments to challenge the registries’ requests via the RSEP process.

“What we see at the moment is that ICANN is putting these RSEP requests out for public comment and it would be open to any government to use that public comment period if they did feel in some instances that there was a concern,” Australian GACer Peter Nettlefold said.

I’ve not been able to find any government comments to the relevant RSEP requests.

For example, Neustar’s .neustar, which proposes the release of all two-character strings including country codes, has yet to receive a comment from a government.

Many comments in other RSEP fora appear to be from fellow dot-brand registries that want to use two-letter codes to represent the countries where they operate.

ICANN holds its ground on weaseled GAC advice

Kevin Murphy, September 11, 2014, Domain Policy

While many members of the community are getting upset about the plan to make it harder for ICANN’s board to overrule GAC advice, today we got a reminder that the board is not the GAC’s lapdog.

The New gTLD Program Committee is standing firm on the way it creatively reinterpreted Governmental Advisory Committee advice to make it less punishing on a few dozen new gTLD registries.

The NGPC passed a resolution on Monday approving an updated scorecard to send to the GAC. ICANN chair Steve Crocker delivered it to GAC chair Heather Dryden yesterday.

A “GAC scorecard” is a table of the GAC’s demands, taken from the formal advice it issues at the end of each public meeting, with the NGPC’s formal responses listed alongside.

The latest scorecard (pdf) addresses issues raised in the last five ICANN meetings, dating back to the Beijing meeting in April 2013.

The issues mainly relate to the GAC’s desire that certain new gTLDs, such as those related to regulated industries, be locked down much tighter than many of the actual applicants want.

One big point of contention has been the GAC’s demand that registrants in gTLDs such as .attorney, .bank and .doctor should be forced to provide a relevant licence or other credentials at point of sale.

The GAC’s exact words, from its Beijing communique (pdf), were:

At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector.

However, when the NGPC came up with its first response, in November last year, it had substantially diluted the advice. The creative reinterpretation I mentioned earlier read:

Registry operators will include a provision in their Registry-Registrar Agreements that requires Registrars to include in their Registration Agreements a provision requiring a representation that the Registrant possesses any necessary authorisations, charters, licenses and/or other related credentials for participation in the sector associated with the Registry TLD string.

In other words, rather than presenting your medical licence to a registrar when buying a .doctor domain, registrants would merely assert they have such a licence on the understanding that they could lose their domain if they fail to present it on demand in future.

The GAC, which isn’t entirely stupid, spotted ICANN’s reimagining of the Beijing communique.

At the Singapore meeting this March, it issued a list of passive-aggressive questions (pdf) for the NGPC, noting that its Beijing advice had been “amended” by the board and wondering whether this would lead to “greater risks of fraud and deception” in new gTLDs.

ICANN’s response this week is quite lengthy.

The NGPC said it had “to balance many competing positions” when figuring out how to respond to the Beijing communique, and that it tried “to address all of the completing concerns in a way that respected the spirit and intent of the GAC’s advice.”

The committee gives a number of examples (starting on page 15 of this PDF) explaining why the GAC’s original demands would be unreasonably burdensome not only on registries and registrars but also on registrants.

Here’s one example:

consider a potential registrant that is a multinational insurance company seeking to register a domain name in the .insurance TLD. Suppose the multinational insurance company has locations in over 30 countries, including the United States and Kenya. If the potential registrant insurance company attempts to register a domain name in the .insurance TLD, would that trigger an obligation to verify and validate its credentials, licenses, charters, etc. in the location of its headquarters, or all of the places around the globe where it does business. Is it realistic for a Registry Operator or Registrar to have the knowledge and expertise to determine precisely what credentials or authorizations are required in every country around the world (and in every city, county or other political division if those political subdivisions also require credentials [e.g. in the United States, insurance is primarily regulated at the state level and require a license in each of the 50 states])?

The short version is that the NGPC isn’t budging on this particular issue.

Rather than backpedaling, it’s giving the GAC the reasons it disagreed with its advice and explaining how it attempted to at least comply with the spirit, if not the letter, of Beijing.

As far as I can tell, that seems to be the case in each of the 39 items in the new scorecard — explanation not capitulation. Read the full thing here.

Governments to get more power at ICANN

Kevin Murphy, August 18, 2014, Domain Policy

Governments are to get more power to influence ICANN’s board of directors.

Under a proposal launched late Friday, ICANN plans to make it harder for the board to reject the often-controversial advice of the Governmental Advisory Committee.

Today, the board is able to reject GAC advice with a simple majority vote, which triggers a consultation and reconciliation process.

Following the proposed changes to the ICANN bylaws, the threshold would be increased to a two-thirds majority.

The change is to be made following the recommendations of the Board-GAC Recommendations Implementation Working Group, made up of members of the board and the GAC.

The new rule would bring the GAC into line with the multistakeholder Generic Names Supporting Organization. The ICANN board also needs a two-thirds vote to reject a formal GNSO recommendation.

The differences between the GAC and the GNSO include the lack of detailed industry awareness GAC members regularly demonstrate during their public meetings, and the fact that GAC advice regularly comprises deliberately vague negotiated language that ICANN’s board has a hard time interpreting.

That disconnect may improve in future due to the recent creation of a GAC-GNSO liaison position, designed to keep the GAC up to date with policy goings-on between the thrice-yearly ICANN meetings.

The proposed bylaws change is open for public comment, but appears to be a fait accompli; the board has already said it will use the higher voting threshold if called to make a decision on GAC advice prior to its formal adoption.

US winemakers rebel against their government

Kevin Murphy, July 3, 2014, Domain Policy

Groups representing thousands of US winemakers have come out against .wine and .vin, bringing their government’s position on the two proposed new gTLDs into question.

Seven regional associations, representing close to 2,000 wineries, issued a statement last night raising “strong objections” to the gTLDs with “non-existent to grossly insufficient safeguards”.

The joint statement says:

If granted to unscrupulous bidders, second-level domain names such as napavalley.wine or wallawalla.wine could be held in perpetuity by a company or individual that has never seen a vineyard, cultivated fine wine grapes or made a single bottle of wine.

It’s the first mass objection from US winemakers, but they join colleagues from France, Spain and other European Union nations in their opposition to a .wine that does not respect geographic indicators (GIs).

It also makes the US delegation to ICANN’s Governmental Advisory Committee look rather out of touch with the very companies it professes to be looking out for.

At the ICANN 50 meeting in London last week, US rep Suzanne Radell told the GAC:

The three U.S. wineries that our colleagues in Europe have cited as being privy to the exchanges between the European wine industries and the applicants are, in fact, just three U.S. wineries. If I may emphasize, the United States has thousands and thousands of wineries who are quite interested in this matter and do not support the European model of GI protection. So let’s just please put that to bed.

The US winery groups now objecting comprise almost 2,000 wineries. According to Wikipedia, the US has fewer than 3,000 wineries.

We’re looking at a two-thirds majority objection from the US wine-making industry here.

“The coalition of American quality wine regions representing nearly 2,000 U.S. wineries clearly contradicts Radell’s testimony in London on June 22,” the groups said.

The groups also have Californian congresspeople Anna Eshoo and Mike Thompson on their side. As we reported yesterday, Eshoo has already written to ICANN to urge it to kill off .wine.

The big questions are: will this be enough to change the position the US takes to the GAC in future, and will that help the GAC find consensus on anti-.wine advice?

Australia and Canada have also been vocal opponents of the European demands in the past. They’d need to change their minds too, in order for the GAC to find a new consensus.

Without a GAC consensus, the .wine and .vin applicants have little to worry about.

France slams ICANN after GAC rejects special treatment for .wine

Kevin Murphy, June 26, 2014, Domain Policy

France says that “ICANN is no longer the appropriate forum to discuss Internet governance” after it failed to win support from other governments for special protections in .wine and .vin gTLDs.

The government came to ICANN 50 in London this week apparently determined to secure a Governmental Advisory Committee consensus that .wine should have protection for geographic indicators.

GIs are protected geographic terms such as “Champagne”, “Parma” and “Cheddar” that link a product to the region in which it is traditionally produced. France has a lot of wine-related GIs.

But the GAC — as I think everyone, including France, expected — failed to come to an agreement.

The GAC’s London communique (pdf) reads:

There was further discussion on the issue of .wine/.vin, but no agreement was reached because of the sensitive nature of the matter.

The matter of .wine and .vin was raised at the High Level Governmental Meeting, where some members expressed concerns in terms of ICANN’s accountability and public policy. These concerns are not shared by all members.

In the absence of a consensus GAC objection, the most likely outcome is ICANN pushing the competing .vin/.wine applicants along the contention resolution process to auction.

France has won a lot of media coverage this week, throwing out allegations such as the idea that ICANN is “opaque”, and questioning ICANN’s ability to do its job properly.

Quizzed about France’s statements at a press conference on Monday, ICANN CEO Fadi Chehade pointed out that studies have show ICANN is extremely transparent and wondered aloud whether France’s position is the one where you “scream that everything’s broken when you don’t get what you want”.

Today’s French statement is a little, but not much, more relaxed. Translated, it partially reads:

Current procedures at ICANN highlight its inability to take into account the legitimate concerns of States and to ensure common resource management in the direction of respect for cultural diversity and balance of interests in economic sectors that its decisions affect.

Accordingly, it will propose to its European partners and all other stakeholders to reflect on the future of Internet governance based on transparency, accountability, and equal stakeholders. Commission also believes that ICANN is no longer the appropriate forum to discuss Internet governance.

The government did, however, reiterate its support for the notion of multi-stakeholder internet governance.

French wine producers were less diplomatic. We received a statement from ANEV, the Association Nationale des Elus de la Vigne et du vin, this afternoon that called upon the French government and European Union to block all domain names that use GIs in violation of local law.

Personally, I don’t think that’s going to happen.

During an ICANN session on Monday, the French GAC rep used the .wine controversy to call for the creation of a “General Assembly” at ICANN.

I’m working from the transcript, which has been translated by ICANN into English, and some media reports, but it seems that France is thinking along the lines of an ITU-style, voting-based rather than consensus-based, approach to generating GAC advice. I may be wrong.

During Monday’s press conference, Chehade did not oppose France’s suggestions, though he was careful to point out that it would have to be approved by the whole ICANN community first (implicitly a tall order).

A vote-based GAC could well favor European Union countries, given the make-up of the GAC right now.

On the .wine issue, it’s mainly a few Anglophone nations such as the US, Canada and Australia that oppose extra GI protections.

These nations point out that the GI issue is not settled international law and is best dealt with in venues such as the World Trade Organization and the World Intellectual Property Organization.

France actually says the same thing.

But while France says that ICANN’s refusal to act on .wine jeopardizes GI talks in other fora, its opponents claim that if ICANN were to act it would jeopardize the same talks.

Chehade said during the Monday press conference that France had not yet run out of ways to challenge ICANN’s position on this, so the story probably isn’t over yet.