Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.
Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.
He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.
A CSRF vulnerability is where a web site fails to adequately validate the source of data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via its own web site rather than from a form hosted elsewhere.
Substantially mitigating the risk, however, is that to exploit the vulnerability attackers would have had to trick the would-be victim domain owner into submitting a web form on a different site while the victim was simultaneously logged into their Go Daddy account.
In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.
Being phishing-aware would also reduce your chance of being a victim.
I’m not aware of any reports of domains being lost to this attack.
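As an added illustration (not code from Go Daddy or from Saccomanni’s write-up), the snippet below contrasts a nameserver-update handler that trusts the session cookie alone with one that also checks where the request came from and requires a per-session token. The site origin, secret, session id and request shapes are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical registrar origin; stands in for the site the session cookie belongs to.
SITE_ORIGIN = "https://registrar.example"

def issue_csrf_token(session_id: str, server_secret: bytes) -> str:
    """Synchronizer token: derived from the session, so a form on another site cannot know it."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()

def origin_allowed(headers: dict) -> bool:
    """Accept the request only if its Origin (or Referer as a fallback) is our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed: no way to tell where the request came from
    got, want = urlparse(source), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def update_nameservers_vulnerable(req: dict, session_id: str) -> int:
    """Checks only the session cookie, which the browser attaches to cross-site POSTs as well."""
    if req["cookies"].get("session") != session_id:
        return 401
    return 200  # the nameserver change would be applied here

def update_nameservers_hardened(req: dict, session_id: str, server_secret: bytes) -> int:
    """Same handler with an origin check and a per-session token the form must echo back."""
    if req["cookies"].get("session") != session_id:
        return 401
    if not origin_allowed(req["headers"]):
        return 403
    expected = issue_csrf_token(session_id, server_secret)
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), expected):
        return 403
    return 200

# Constructed sample requests: a legitimate submission from the registrar's own form, and the
# POST a browser would emit if the logged-in user submitted a form hosted on some other site.
SECRET = b"constructed-server-secret"
SESSION = "sess-123"
LEGIT = {"cookies": {"session": SESSION},
         "headers": {"Origin": SITE_ORIGIN},
         "form": {"ns1": "ns1.legit.example", "csrf_token": issue_csrf_token(SESSION, SECRET)}}
CROSS_SITE = {"cookies": {"session": SESSION},
              "headers": {"Origin": "https://other-site.example"},
              "form": {"ns1": "ns1.other-site.example"}}
```

Marking the session cookie SameSite=Lax or Strict adds a browser-side layer on top of this, but the server-side checks are what the page describes as missing.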
Judging by DI’s traffic spike last night, there’s a lot of interest in Google Domains, Google’s forthcoming entry into the domain name registrar market.
And judging by some of the early commentary, it seems that many people are already assuming that the service will be an overnight success.
Some people already seem to be willing to write off market leader Go Daddy specifically, for some peculiar reason.
I’ve even heard speculation that Google timed its announcement to screw with Go Daddy’s imminent IPO, which strikes me as veering into conspiracy theory territory.
While I’ve no doubt Go Daddy and other mass-market retail registrars will be watching Google’s move with interest and concern — and there are some reasons to be worried — let’s not jump the gun here.
Let’s calm the hyperbole a little. Off the top of my head, here are a handful of reasons not to get excited just yet.
1. It could be a really shitty product
There seems to be an assumption in some quarters that whatever Google brings to market will be automatically incredible, but the company really doesn’t have the track record to support that assumption.
Sure, its search engine may be great and services such as Gmail and Adsense may be pretty good, but have you ever tried Blogger?
Do you actually use Google+, or do you only have an account because Google forced you?
The truth is that lots of Google products fail.
And we haven’t even seen Google Domains yet. Nobody has. Only Google employees and their buddies are going to get beta access, so it seems we’re going to be waiting a while before we can judge.
2. There’s no 24×7 support
Google Domains will launch with support via email and phone from 9am to 9pm US Eastern time, Monday to Friday.
Would you switch to a registrar that doesn’t have round-the-clock support seven days a week? As a small business owner who makes his living from his web site, I sure wouldn’t.
If Google Domains gains traction you can expect support hours to be expanded pretty quickly, but a lack of 24×7 support at launch will keep many customers away.
3. It’s not free
Some people seem to be obsessed with the notion that Google is going to give away free domains, and that kind of commentary is continuing even though we know Google Domains will charge $12 for a .com.
Its email service may come at no additional cost, but its email service is Gmail, and that’s already free. Google could hardly start charging an add-on fee for something that’s always been free.
Google Domains may offer free privacy too, but so do lots of other registrars.
In future, Google registry arm Charleston Road Registry may give away free names in some of its new gTLDs, but if it does so that price will have to be available to all registrars, not just Google Domains.
Google Domains isn’t free. It’s not even the cheapest registrar on the market.
4. Go Daddy is gigantic
According to its recent regulatory filings, Go Daddy has 57 million domains under management and 12 million customers.
How many of those do you think will make the switch to Google? How many will even know that such a switch is possible?
Switching registrars may be relatively straightforward if everything you own is parked, but it becomes more complex when you’re running your web site, email and so forth on your registrar’s platform.
These kinds of small business owners are the customers being targeted by Google and Go Daddy, and if they already have web sites they’re likely already experiencing registrar lock-in.
According to its announcement, Google is targeting greenfield opportunities — the 55% of small businesses it estimates don’t have an online presence today — rather than grabbing market share from rivals.
The “small businesses need to get online” story is common to every press release issued by every web host and domain registrar with a price promotion to plug.
When Google teamed up with Blacknight to give away domains for free — for FREE, so it is, so it is — to Irish small businesses, it managed to sign up 10,000 in one year.
How long do you think it will take Google to get to 57 million names under management?
Go Daddy has filed its S-1 registration form with the US Securities and Exchange Commission, signalling its intention to go public.
The filing reveals the company plans to raise $100 million with the share sale.
Go Daddy’s revenue for 2013 was $1.1 billion, up from $910.9 million in 2012, the filing reveals.
But the company said it uses “bookings” as a measure of its success, due to the way its revenue is collected up-front but recognized on its books over the term of the domain or hosting contract.
Bookings were $1.4 billion in 2013, up from $1.25 billion in 2012.
Go Daddy is loss-making, recording a net loss of $199.8 million in 2013 and $279 million in 2012.
The company has 57 million domains under management and hosts 8.5 million web sites, according to the S-1. Those are spread between 12 million customers, a number that grew by 1.3 in 2013.
A surprising 24% of its sales come via its customer service people; the rest comes through its web site.
Go Daddy planned to IPO in 2006, but subsequently yanked the offering due to “market uncertainties” and then-CEO Bob Parsons’ apparent discomfort with the process.
In 2011 the company was taken over by the investment firms KKR, Silver Lake Partners, and Technology Crossover Ventures, paying a reported $2.25 billion for a 65% stake.
Since then, an eventual IPO has not been a matter of if, but when.
I’m tweeting more nuggets from the S-1 as I find them.
The new .club gTLD went into the top 10 new gTLDs by volume in the “first instants” of general availability this afternoon, according to the registry and partner Go Daddy.
.CLUB Domains CEO Colin Campbell told DI, about two hours after the 1500 UTC GA launch, “We’ll let the zone files speak for themselves, but we were well within the top 10 a few minutes after we opened up.”
Based on today’s zone file data, that means .club moved at least 15,000 names. It will presumably be a somewhat bigger number by the time today’s zones are published at 0100 UTC.
.CLUB CMO Jeff Sass said that pre-registrations at registrars including Go Daddy were responsible for the initial spike.
“We would be in the top 10 based just on those pre-registrations in the first instant,” he said.
While over 50 registrars are signed up to sell .club, the registry is pretty tight with Go Daddy.
The two companies have been conducting joint marketing, some of which involved .CLUB pushing buyers to GoDaddy.club.
“We’ve worked closely on cooperative marketing efforts,” Sass said. “We’ve done a lot of campaigns where the call to action has been to Go Daddy.”
The GA launch, which was briefly webcast live, actually came from Go Daddy’s Arizona headquarters.
While I get the distinct impression that money changed hands in order for Go Daddy to throw its weight behind .club, VP Mike McLaughlin gave some reasons why he likes the gTLD.
“We like to see that the registry is invested,” he said. “That the business plan isn’t just to put it out there and hope for the best.”
Sass said that .CLUB has been marketing to nightclubs, sports clubs, high-end members clubs and others.
McLaughlin said the price point — $14.99 retail, the same as Go Daddy’s .com renewals — and the fact that there are no registration restrictions, were attractive.
.CLUB has reserved over 6,000 premium names. They’re all listed for sale at Sedo, perhaps showing that its relationship with rival auction platform Go Daddy/Afternic is not all that tight.
If you try to register a premium .club via Go Daddy today you’ll be told it’s unavailable.
Sass said that examples of premiums already sold to anchor tenants include shaving.club, which is launching today, as well as beauty.club, makeup.club and skincare.club, which were all sold to Mary Kay Cosmetics and are expected to launch at a later date.
.CLUB has previously predicted that it would beat .guru (currently at 54,616 names) in the first week and that it would sell five million names in the first five years.
The first aspiration seemed, to me, plausible. I’ve had countless arguments about whether the second is too.
“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.
These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.
Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.
The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.
There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.
Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.
Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.
“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.
Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.
At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.
“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”
Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.
Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.
The exact Chehade line, from the Durban public forum transcript, was:
law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.
Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”
Speaking at greater length, director Mike Silber said:
What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.
So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?
It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.
I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.
But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.
They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.
Law enforcement may be about to find itself on the back foot in this long-running debate.