Latest news of the domain name industry

Recent Posts

Has .sucks abandoned its Sunrise Premium program?

Vox Populi Registry has done away with the “Sunrise Premium” part of its .sucks launch strategy, if only in name.

The pricing page of the company’s web site no longer makes any reference to Sunrise Premium, the controversial, trademark-heavy list of .sucks domains that would cost over $2,000 a year to register and renew.

Instead, there are two new categories of names: Registry Premium and Market Premium.

Registry Premium appears to be what it was previously just calling “Premium” — individually priced high-value domains such as divorce.sucks and life.sucks. That’s in tune with standard registry practice.

The new Market Premium category appears to be the replacement for Sunrise Premium. The web site describes it like this:

In General Availability, dotSucks has created a list of domains called Market Premium names. These are names that the market over time have designated as having a high value.

Previously, Vox Pop CEO John Berard told DI and other reporters that the Sunrise Premium list had been compiled from names registered or blocked in previous sunrise periods in other TLDs.

It was characterized as an additional protection against cybersquatting, but intellectual property interests saw it as a shakedown.

It’s not obvious from the updated Vox Pop web site whether Market Premium is a ground-up rethink of the Sunrise Premium concept, or is merely an empty re-branding.

The name “Sunrise Premium” was confusing, given that such domains are not actually available during the formal sunrise period. Also, the name inextricably suggested that it was a list of trademarks.

Market Premium names are priced exactly the same as Sunrise Premium — that is, $1,999 at the registry level, with a suggested retail price of $2,499.

Market Premium names will also not be eligible for the discounted “Block” service but will “likely” be eligible for the Consumer Subsidy program. That’s no change from the policies governing the Sunrise Premium incarnation.

The registry web site now also states that purchasers of the Block service, which carries a $149 registry fee, will be able to unblock their domains if they wish to actively use them, but doing so will convert the domain into a $1,999 Market Premium name.

Defensive blocking could therefore have the eventual effect of stuffing the Market Premium list with trademarks anyway (assuming any trademark holders with blocks wish to activate their .sucks names, which seems unlikely).

I’ve put in a request for clarification about Market Premium with the registry and will provide updates when I get them.

Other updates on the .sucks price list include a removal of the $9.95 suggested retail price for Consumer Subsidy names.

Consumer Subsidy names are supposedly going to be run by a third party consumer advocacy group from Everything.sucks, but that group has not been identified by Vox Pop yet.

The fact that the registry seemingly had no deal in place but already knew the price suggested to many that Everything.sucks would just be another shell company managed by Vox Pop owner Momentous. Berard reportedly denied this publicly at the INTA 2015 conference last week.

The Vox Pop web site now states “dotSucks is hopeful that this will bring the individual consumer price below 10 dollars.”

Dot-brand gTLD guilty of domain name hijacking

Kevin Murphy, May 6, 2015, Domain Policy

Fashion retailer Mango, which owns its own dot-brand gTLD, has been found guilty of Reverse Domain Name Hijacking after allegedly doctoring evidence in a .uk cybersquatting case.

The company, which runs .mango, lost a Nominet Dispute Resolution Service complaint against New Zealand-based domain investor Garth Piesse over mango.co.uk and mango.uk.

It’s only the sixth RDNH finding in 13 years of DRS history.

Mango tried to buy the domain using a pseudonym and, when Piesse asked for “six figures”, filed the DRS instead.

Piesse claimed in what appears to have been a well-argued defense that the person attempting to buy the domain on Mango’s behalf did not identify Mango as the would-be buyer.

Further, he claimed that Mango deliberately tried to hide this fact from the DRS panel by scrubbing its negotiator’s email address from evidence it submitted.

While DRS panelist Tim Brown did not agree that this omission alone was enough to find RNDH, he agreed that Mango did not have “entirely clean hands”. He ruled:

The sequence of events in the present case appears to show that the Complainant attempted to buy from the Respondent. When these negotiations failed the Complainant started proceedings under the DRS. As I have noted, the Complainant has relied on bare assertion and has provided a paucity of evidence to support its arguments.

Even a cursory reading of the Policy, Procedure and extensive guidance on Nominet’s website would quickly show that a matter concerning a clearly generic, dictionary term would require a higher standard of argument and evidence than is perhaps common. That the Complainant has failed to come anywhere close to providing sufficient argument or evidence is, in my view, strongly indicative that the Complainant pursued this dispute in frustration at the Respondent’s unwillingness to sell for a price it was willing to pay, rather than because of the merits of its position in terms of the Policy’s requirements.

I conclude that the Complainant brought a speculative complaint in bad faith in an attempt to deprive the Respondent of the Domain Names. I therefore determine that the Complainant has engaged in Reverse Domain Name Hijacking.

Spain-based Mango has owned its trademarks for well over a decade, and Piesse only got his hands on the domains in question in 2013 and 2014.

Piesse, who owns about 18,000 domains, was able to show that Mango the brand is unheard of in New Zealand and that he has a track record of buying fruit-based .uk domain names.

Most ICANN new gTLD breaches were over a year ago

Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.

Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.

Most — 244 of the 330 — happened before April 30 last year.

The first breach, discovered by an independent audit of the portal, was January 22 2014.

ICANN says it was first notified of there being a problem on February 27, 2015.

The improper data disclosures were announced by ICANN last week.

As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.

Documents revealed could have included sensitive financial projections and registry technical details.

My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.

In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.

ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.

Ninety-six applicants and 21 registries were affected.

.porn and .adult sunrises net around 8,000 sales

The sunrise periods for .porn and .adult netted just shy of 4,000 domains per TLD, according to ICM Registry.

The company said .porn received 3,995 registrations while .adult trailed slightly with 3,902.

Those numbers are a combination of regular Trademark Clearinghouse sunrise registrations and Sunrise B registrations.

The ICANN-mandated sunrise periods ended April 1 and were followed by unique Sunrise B periods, during which anyone who bought a .xxx block in 2011 could register the matching new gTLD names.

This time, however, Sunrise B domains actually do resolve.

I believe the the Sunrise B phases accounted for something like 1,500 names apiece.

The previous high bar for 2012-round new gTLD sunrises was .london, with just over 800 registrations.

While .porn and .adult may be record breakers for this round, sales were just a twentieth of the levels seen when .xxx launched in 2011 — about 80,000 names were defensively registered back then.

Later this week, ICM will kick off another launch phase — Domain Matching — during which anyone who owned a .xxx domain prior to April 30 can get their matching .porn and .adult names.

General availability is scheduled for June 4.

Dumb ICANN bug revealed secret financial data to new gTLD applicants

Kevin Murphy, April 30, 2015, Domain Registries

Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.

Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.

That’s according to ICANN, which released the results of a third-party audit this afternoon.

Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.

It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.

But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.

While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.

The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.

Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.

What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.

It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.

“The public/private data sharing setting can be On or Off and here it was set to On,” he said.

On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.

The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.

What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.

The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.

Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.

Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.

“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”

ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.

As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.

It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.

At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.

Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.