ICANN’s new conferencing software has a webcam security bug

Kevin Murphy, July 10, 2019, Domain Tech

ICANN can’t catch a break when it comes to remote participation security, it seems.

Having just recently made the community-wide switch away from Adobe Connect to Zoom, partly for security reasons, now Zoom has been hit by what many consider to be a critical zero-day vulnerability.

Zoom (which, irrelevantly, uses a .us domain) pushed out an emergency patch yesterday for the vulnerability, which would have allowed malicious web sites to automatically turn on visitors’ webcams without their consent.

Only users of the installable Mac client were affected.

According to security researcher Jonathan Leitschuh, who discovered the problem, Zoom’s Mac client was installing a web server on users’ machines in order to bypass an Apple security feature that requires a confirmatory click before the webcam turns on.

This meant a web site owner could trick a user into a Zoom session, with their camera turned on by default, without their knowledge or consent.

If you’re in the habit of keeping your webcam lens uncovered, that’s potentially a big privacy problem, especially if you do most of your remote coverage of ICANN meetings from the toilet.

It appears that Leitschuh, who reported the problem to Zoom three months ago, took issue with what he saw as the company’s ambivalent attitude to fixing it in a timely fashion.

When he finally blogged about it on Monday, after giving Zoom a 90-day “responsible disclosure” period to issue a patch, the problem still hadn’t been fully resolved, he wrote.

But, following media coverage, Zoom’s new patch apparently removes the covert web server completely. This removes the vulnerability but means Apple users will have to click a confirmation button before joining Zoom meetings in future.

Zoom is used now for all of ICANN’s remote participation, from sessions of its public meetings to discussions of its policy-making working groups.

I really like it. It feels a lot less clunky than Adobe, and it’s got some nifty extra features such as the ability to skip around in recordings based on an often-hilarious machine-transcription sidebar, which makes my life much easier.

One of the reasons ICANN made the switch was a bug found in Adobe Connect last year that could have been used to steal confidential information from closed meetings.

ICANN actually turned off Adobe Rooms for remote participants halfway through its public meeting in Puerto Rico due to the bug.

The switch to Zoom was hoped to save ICANN $100,000 a year.

ICANN explains how .org pricing decision was made

ICANN has responded to questions about how its decision to lift price caps on .org, along with .biz and .info, was made.

The buck stops with CEO Göran Marby, it seems, according to an ICANN statement, sent to DI last night.

ICANN confirmed that there was no formal vote of the board of directors, though there were two “consultations” between staff and board and the board did not object to the staff’s plans.

The removal of price caps on .org — which had been limited to a 10% increase per year — proved controversial.

ICANN approved the changes to Public Interest Registry’s contract despite receiving opposing messages from over 3,200 people and organizations during its open public comment period.

Given that the board of directors had not voted, it was not at all clear how the decision to disregard these comments had been made and by whom.

The Internet Commerce Association, which coordinated much of the response to the comment period, has since written to ICANN to ask for clarity on this and other points.

ICANN’s response to DI may shed a little light.

ICANN staff first briefed the board about the RA changes at its retreat in Los Angeles from January 25 to 28 this year, according to the statement.

That briefing covered the reasons ICANN thinks it is desirable to migrate legacy gTLD Registry Agreements to the 2012-round’s base RA, which has no pricing controls.

The base RA “provides additional safeguards and security and stability requirements compared to legacy agreements” and “creates efficiencies for ICANN org in administration and compliance enforcement”, ICANN said.

Migrating old gTLDs to the standardized new contract complies with ICANN’s bylaws commitment “to introduce and promote competition in the registration of domain names and, where feasible and appropriate, depend upon market mechanisms to promote and sustain a competitive environment in the DNS market”, ICANN said.

They also contain provisions forcing the registry to give advance notice of price changes and to give registrants the chance to lock-in prices for 10 years by renewing during the notice period, the board was told.

After the January briefing, Marby made the call to continue negotiations. The statement says:

After consultation with the Board at the Los Angeles workshop, and with the Board’s support, the CEO decided to continue the plan to complete the renewal negotiations utilizing the Base RA. The Board has delegated the authority to sign contracts to the CEO or his designee.

A second board briefing took place after the public comment periods, at the board’s workshop in Marrakech last month.

The board was presented with ICANN’s staff summary of the public comments (pdf), along with other briefing documents, then Marby made the call to move forward with signing.

Following the discussion with the Board in Marrakech, and consistent with the Board’s support, the CEO made the decision for ICANN org to continue with renewal agreements as proposed, using the Base gTLD Registry Agreement.

Both LA and Marrakech briefings “were closed sessions and are not minuted”, ICANN said.

But it appears that the board of directors, while not voting, had at least two opportunities to object to the new contracts but chose not to stand in staff’s way.

At the root of the decision appears to be ICANN Org’s unswerving, doctrinal mission to make its life easier and stay out of price regulation to the greatest extent possible.

Reasonable people can disagree, I think, on whether this is a worthy goal. I’m on the fence.

But it does beg the question: what’s going to happen to .com?

CEO lost millions on Manhattan apartment deal just days before AlpNames went dark

The CEO of AlpNames lost his $2.1 million deposit on a $10.6 million Manhattan apartment just days before his company went belly-up earlier this year, DI can reveal.

A New York District Court judge in February found in favor of property developer Highline Associates, which had sued Iain Roache for his deposit after he failed to pay the balance of the luxury residence’s purchase price in 2017.

The ruling appears to have been published February 25 this year. By March 7, just 10 days later, ICANN had already started compliance proceedings against AlpNames.

The timing could just be a coincidence. Or it might not.

According to Judge Robert Sweet (in what appears to be one of his final decisions before his death at 96 in March this year), Roache agreed in December 2015 to buy a condo, parking space and storage unit at 520 West 28th St, a then under-development luxury apartment complex designed by award-winning architect Zaha Hadid, in Manhattan’s fashionable Chelsea district.

The purchase price of the one-bedroom apartment was an eye-watering $9.8 million. Another $770,000 for the parking space and storage unit brought the total agreed price to $10,565,000. Roache plunked $2,113,000 of that into escrow as a deposit.

At that time, AlpNames, majority-owned by Roache, was quite a young company.

It was on the cusp of selling its millionth domain, and had got to that milestone in just over a year in business. Earlier in 2015, it had been bragging about how it was second only to GoDaddy in terms of new gTLD domains sold.

Famous Four Media, the new gTLD registry that Roache also led (also no longer a going concern), had already launched 10 of its eventual 16 TLDs. In total, the portfolio had roughly 1.5 million domains under management. It was one of the leaders, volume-wise, of the new gTLD industry.

When the apartment was finally ready to move into, in June 2017, Highline approached Roache to close the deal.

According to the court’s findings, Roache declined to immediately pay and seems to have given the developer the runaround for several months, requesting and receiving multiple extensions to the closing date.

It wasn’t until early 2018 that Highline, apparently determining that it was never going to see the money, terminated the contract and attempted to take ownership of the $2.1 million deposit.

But Roache’s lawyers instructed the escrow agent not to release the funds without a court order. Obligingly, Highline sued in February 2018.

During the case, Roache argued among other things that he had been verbally duped into signing the purchase agreement, but the judge wasn’t buying it.

He noted that Roache is a “sophisticated businessman” who had hired an experienced New York real estate lawyer to advise him on the purchase.

He also noted that the contract specifically said that the buyer is buying based on the contents of the agreement and specifically not any prior verbal representations (nice clause for all those bullshit-happy real estate agents out there, I reckon).

The judge finally decided that Highline, and not Roache, was rightfully owed the $2.1 million deposit.

It wasn’t long after the ruling that AlpNames customers started experiencing issues.

I first reported that the web site was offline, and had been offline for at least a few days, on March 12 this year. A NamePros thread first mentioned the downtime March 10.

It later emerged (pdf) that ICANN had already started calling AlpNames on March 7, after receiving complaints from AlpNames’ customers that the site was down.

On March 15, after receiving no response from Roache, ICANN made the decision to immediately terminate its Registrar Accreditation Agreement.

A couple of weeks later, CentralNic took over AlpNames’ customer base and around 600,000 domain names, under ICANN’s De-Accredited Registrar Transition Procedure.

That’s the timeline of events.

Am I saying that there was a causal link between Roache’s real estate deal going south and AlpNames going AWOL within a couple of weeks? Nope. I don’t have any evidence for that.

Am I saying it’s possible? Yup. The timing sure does look fishy, doesn’t it?

Net 4 India gets brief reprieve from ICANN suspension

India registrar Net 4 India has been given a bit of breathing space by ICANN, following its suspension last month.

ICANN suspended the registrar’s accreditation a month ago, effective June 21, after discovering the company had been in insolvency proceedings for some time.

But on June 20 ICANN updated its suspension notice to give Net4 more time to comply. It now has until September 4, the same day its insolvency case is expected to end, to provide ICANN with documentation showing it is still a going concern.

The registrar was sued by a debt collector that had acquired some Rs 1.94 billion ($28 million) of unpaid debts from an Indian bank.

ICANN’s updated suspension notice adds that Net4 is to provide monthly status updates, starting July 18, if it wants to keep its accreditation.

The upshot of all this is that the registrar can carry on selling gTLD domains and accepting inbound transfers for at least another couple months.

Charities “could move to .ngo” if .org prices rise

File this one under “wrong-headed argument of the day”.

The head of policy at the Charities Aid Foundation reportedly has said that the recent removal of price increase caps at .org could lead to charities moving to other TLDs, “like .ngo”, which would cause confusion among charitable givers.

Rhodri Davies told The Telegraph (registration required) newspaper:

One of the benefits at the moment is you have at least one very well known and globally recognised domain name, that indicates to people that what they’re looking at is likely to be a charity or a social purpose organisation. If in the future, the pricing changes, and suddenly organisations have all sorts of different domain names, it’s going to be much harder for the public to know what it is they’re looking at. And that will get confusing and will probably have a negative impact on people’s trust.

The Telegraph gave .ngo (for non-governmental organization) as an example of a TLD they could move to. It’s not clear whether that was the example Davies gave or something the reporter came up with.

While Davies’ argument is of course sound — if charities were forced en masse to leave .org due to oppressive pricing, it would almost certainly lead to new opportunities for fraud — the choice of .ngo as an alternative destination is a weird one.

.ngo, like .org, is run by Public Interest Registry. It also runs .ong, which means the same thing in other languages.

But as 2012-round new gTLDs, neither .ngo nor .ong has ever been subject to any pricing controls whatsoever.

At $30 a year, PIR’s wholesale price for .ngo is already a little more than three times higher than what it charges for .org domains. I find it difficult to imagine that .org will be the more expensive option any time soon.

.org domains currently cost $9.93 per year, and PIR has said it has no current plans to increase prices.

PIR does not have a monopoly on charity-related TLDs. Donuts runs .charity itself, which is believed to wholesale for $20 a year. It’s quite a new TLD, on the market for about a year, and has around 1,500 domains under management compared to .org’s 10 million.

Of course, .charity doesn’t have price caps either.

In the gTLD world, the only major TLDs left with ICANN-imposed price restrictions are Verisign’s .com and .net.