It looks like new gTLD applicants are in for more delays after ICANN announced that it will not reopen its TLD Application System tomorrow as planned.
We believe that we have fixed the glitch, and we are testing it to make sure.
ICANN is committed to reopening the application system as soon as we can confirm that the problem has been resolved and we have had proper time for testing.
We also want to inform all applicants, before we reopen, whether they have been affected by the glitch. We are still gathering information so we can do that.
Accordingly, the application system will not reopen tomorrow.
ICANN shut down TAS last Thursday, just 12 hours before the new gTLD application filing deadline, after discovering a persistent bug that allowed some applicants to see the names of files uploaded by other applicants.
It had planned to open TAS again tomorrow and close it on Friday. However, that’s looking increasingly unlikely.
Atallah said that ICANN “will provide an update on the timing of the reopening no later than Friday, 20 April at 23.59 UTC.”
While ICANN said yesterday that it was still targeting April 30 for its Big Reveal event, subject to change, that’s now looking like an ambitious goal.
ICANN plans to inform each new top-level domain applicant whether they were affected by the security vulnerability in its TLD Application System, according to its latest update.
The organization has also confirmed that it is still targeting April 30 for the Big Reveal day, when it publishes (deliberately) the gTLDs being applied for and the names of the applicants.
An intensive review has produced no evidence that any data beyond the file names and user names could be accessed by other users.
We are currently reviewing the data to confirm which applicants were affected. As soon as the data is confirmed, we will inform all applicants whether they were affected.
ICANN staff and outside consultants have been working all weekend to figure out what went wrong, who it affected, and how it can be fixed.
The organization still intends to announce tonight whether it has fixed the problem to the point where it’s happy to reopen TAS to registered users tomorrow. It’s also sticking to is Friday extended submission deadline.
The new gTLD consultancy MyTLD has some ICANN TLD Application System slots going begging.
If for some reason you need to file a gTLD application and you haven’t already registered in TAS, this is what MyTLD says it is now offering:
(i) gTLD application writing and submission (ii) TAS account for the gTLD application (iii) Newly formed company corresponding to the TAS account
The company is marketing it as a bundled service.
MyTLD is most closely associated with the most prominent .music application. It’s run by Music.us owner Constantine Roussos and former ICANN internationalized domain name expert Tina Dam.
The offer is fleshed out a bit more on MyTLD’s blog.
I hear the company was shopping these TAS slots around privately prior to April 12 too, so I don’t think that it is an effort to capitalize on the security-related delays ICANN is currently experiencing.
However, one has to ask why the offer is only being publicized after the original official deadline for new gTLD applications has already passed.
TAS is expected to re-open for business on Tuesday, and close on Friday.
ICANN’s board of directors wants more policy work done on the problem of defensive domain name registrations.
directs staff to provide a briefing paper on the topic of defensive registrations at the second level and requests the GNSO to consider whether additional work on defensive registrations at the second level should be undertaken
That in turn followed the two Congressional hearings in December, lobbied for and won by the Association of National Advertisers and its Coalition for Responsible Internet Domain Oversight.
So this week’s decision is a pretty big win for the intellectual property lobby. It’s managed to keep the issue of stronger second-level trademark protection in new gTLDs alive despite ICANN essentially putting it to bed when it approved the new gTLD program last June.
The GNSO could of course decide that no further work needs to be done, so the champagne corks should probably stay in place for the time being.
At the same meeting on Tuesday, the ICANN board committee voted to disregard the GNSO Council’s recent decision to grand extra protections to the International Olympic Committee, Red Cross and Red Crescent movements. The rationale for this decision has not yet been published.
ICANN has known about the data leakage vulnerability in its TLD Application System since at least last week, according to one new top-level domain applicant.
The applicant, speaking to DI on the condition of anonymity today, said he first noticed another applicant’s files attached to his gTLD application in TAS last Friday, April 6.
“I could infer the applicant/string… based on the name of the file,” said the applicant.
He immediately notified ICANN and was told the bug was being looked at.
ICANN revealed today that TAS has a vulnerability that, in the words of COO Akram Atallah, “allowed a limited number of users to view some other users’ file names and user names in certain scenarios.”
The actual contents of the files are not believed to have been visible.
But other applicants, also not wishing to be identified, today confirmed that they had uploaded files to TAS using file names containing the gTLD strings they were applying for.
It’s not yet known how many TAS users were able to see files belonging to others, or for how long the vulnerability was present on the system.
However, it now does not appear to be something that was accidentally introduced during yesterday’s scheduled TAS maintenance.
This kind of data leakage could prove problematic — and possibly expensive — if it alerted applicants to the existence of competing bids, or caused new competing bids to be created.
ICANN shut down TAS yesterday and does not expect to bring it back online until Tuesday.
The window for filing applications, which had been due to close yesterday, has been extended until 2359 UTC next Friday night.
April 14 Update
ICANN today released a statement that said in part:
we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.
Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.