Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.

The “potentially serious security issue” “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.

Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.

At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.

At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.

It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.

ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.

We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.

I also understand that there’s a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.

Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.

I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.

While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.

In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.

Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.

Next new gTLD round unlikely before 2022

Kevin Murphy, March 13, 2018, Domain Policy

ICANN is unlikely to accept any more new gTLD applications until a full decade has passed since the last round was open.

That’s the conclusion of some ICANN community members working on rules for the next round.

Speaking at ICANN 61 in Puerto Rico this weekend, Jeff Neuman, co-chair of the New gTLD Subsequent Procedures Working group, presented a “best case” timetable for the next round.

The timetable would see the next new gTLD application window opening in the first quarter of 2021, nine years after the 2012 round.

But Neuman acknowledged that the timeline would require all parts of the ICANN community — working groups, GNSO Council, board of directors, staff — to work at their most efficient.

With that in mind, 2021 seems optimistic.

“Even if we hit the 2021 date, that’s still a decade after the launch of the last round, which is crazy,” Neuman said.

The timetable assumes the GNSO wraps up its policy development a year from now, with the ICANN board approving the policy mid-2019.

It then gives the ICANN staff about six months to publish an updated Applicant Guidebook, and assumes whatever is produced is approved within about six months, after the first pass of public comments.

It’s worth noting that the 2012 round’s AGB hit its first draft in 2008 and went through half a dozen revisions over three years before it was finalized, though one imagines there would be less wheel-reinventing required next time around.

After the board gives the AGB the final nod, the timeline gives ICANN staff about six months to “operationalize” the program.

But one unidentified ICANN staffer, who said she was “the person that will be ultimately responsible for the implementation” of whatever the GNSO comes up with, said during this weekend’s session that she doubted this was realistic.

She said ICANN the organization would need “at least 12 months” between the ICANN board approving the AGB and the application window opening. That would push the window to late 2021.

The Subsequent Procedures policy work is of course not the only gating factor to the next round.

There’s also a potential bottleneck in work being carried out to review rights protection mechanisms, where fears of filibustering have emerged in an already fractious working group.

All things considered, I wouldn’t place any bets on an application window opening as early as 2021.

Amazon’s .amazon gTLD may not be dead just yet

Kevin Murphy, March 11, 2018, Domain Policy

South American governments are discussing whether to reverse their collective objection to Amazon’s .amazon gTLD bid.

A meeting of the Governmental Advisory Committee at ICANN 61 in Puerto Rico yesterday heard that an analysis of Amazon’s proposal to protect sensitive names if it gets .amazon will be passed to governments for approval no later than mid-April.

Brazil’s GAC rep said that a working group of the Amazon Cooperation Treaty Organization is currently carrying out this analysis.

Amazon has offered the eight ACTO countries commitments including the protection of names such as “rainforest.amazon” and actively supporting any future government-endorsed bids for .amazonas.

Its offer was apparently sweetened in some unspecified way recently, judging by Brazil’s comments.

ACTO countries, largely Brazil and Peru, currently object to .amazon on the grounds that it’s a clash with the English version of the name for the massive South American rain forest, river and basin region, known locally as Amazonas.

There’s no way to read the tea leaves on which way the governments will lean on Amazon’s latest proposal, and Peru’s GAC rep warned against reading too much into the fact that it’s being considered by the ACTO countries.

“I would like to stress the fact that we are not negotiating right now,” she told the GAC meeting. “We are simply analyzing a proposal… The word ‘progress’ by no means should be interpreted as favorable opinion towards the proposal, or a negative opinion. We are simply analyzing the proposal.”

ICANN’s board of directors has formally asked the GAC to give it more information about its original objection to .amazon, which basically killed off the application a few years ago, by the end of ICANN 61.

Currently, the GAC seems to be planning to say it has nothing to offer, though it may possibly highlight the existence of the ACTO talks, in its formal advice later this week.

Get drunk on Neustar’s tab and it will donate money to hurricane relief

Kevin Murphy, March 5, 2018, Gossip

Neustar has promised to donate thousands of dollars to a Puerto Rican hurricane relief charity, providing enough people show up to its open bar event in San Juan next week.

It’s fairly standard for domain companies of Neustar’s size to host free after-hours social events during ICANN meetings, but this time the company said it will donate $25 for each attendee to charity.

The beneficiary is the Puerto Rico Resistance Fund, operated by Americas for Conservation and the Arts, which is helping rebuild the island after Hurricane Maria hit it for six last September.

“We want to bring together the community, help spread awareness of the hardship and devastation in Puerto Rico, and make our community proud they are contributing in a small way financially,” Neustar VP Lori Anne Wardi told DI.

With the company telling me it expects 500 guests or more to the invitation-only event, expect a total donation topping $12,500.

The venue is the Antiguo Casino, which appears to be about a 10-minute taxi ride from the Puerto Rico Convention Center, at which the ICANN 61 public meeting is being held.

The event runs from 1900 to 2330 local time.

The official death toll in Puerto Rico from Maria was 64, but a New York Times analysis puts the number at closer to 1,000. Parts of the island, a US territory, are still suffering from infrastructure problems such as power outages.

Whois privacy will soon be free for most domains

Kevin Murphy, March 5, 2018, Domain Policy

Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.

ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.

The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.

Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.

After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.

Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.

Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.

Registrants would have the right to opt in to having their full record displayed in the public Whois.

Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.

The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.

This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.

The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.

The model would apply to all gTLD domains where there is some connection to the European Economic Area.

If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.

Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.

While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.

The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.

Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.

The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.

Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.

Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.

| Field | Public Whois |
|---|---|
| Domain Name | Display |
| Registry Domain ID | Display |
| Registrar WHOIS Server | Display |
| Registrar URL | Display |
| Updated Date | Display |
| Creation Date | Display |
| Registry Expiry Date | Display |
| Registrar Registration Expiration Date | Display |
| Registrar | Display |
| Registrar IANA ID | Display |
| Registrar Abuse Contact Email | Display |
| Registrar Abuse Contact Phone | Display |
| Reseller | Display |
| Domain Status | Display |
| Domain Status | Display |
| Domain Status | Display |
| Registry Registrant ID | Do not display |
| Registrant Name | Do not display |
| Registrant Organization | Display |
| Registrant Street | Do not display |
| Registrant City | Do not display |
| Registrant State/Province | Display |
| Registrant Postal Code | Do not display |
| Registrant Country | Display |
| Registrant Phone | Do not display |
| Registrant Phone Ext | Do not display |
| Registrant Fax | Do not display |
| Registrant Fax Ext | Do not display |
| Registrant Email | Anonymized email or web form |
| Registry Admin ID | Do not display |
| Admin Name | Do not display |
| Admin Organization | Do not display |
| Admin Street | Do not display |
| Admin City | Do not display |
| Admin State/Province | Do not display |
| Admin Postal Code | Do not display |
| Admin Country | Do not display |
| Admin Phone | Do not display |
| Admin Phone Ext | Do not display |
| Admin Fax | Do not display |
| Admin Fax Ext | Do not display |
| Admin Email | Anonymized email or web form |
| Registry Tech ID | Do not display |
| Tech Name | Do not display |
| Tech Organization | Do not display |
| Tech Street | Do not display |
| Tech City | Do not display |
| Tech State/Province | Do not display |
| Tech Postal Code | Do not display |
| Tech Country | Do not display |
| Tech Phone | Do not display |
| Tech Phone Ext | Do not display |
| Tech Fax | Do not display |
| Tech Fax Ext | Do not display |
| Tech Email | Anonymized email or web form |
| Name Server | Display |
| Name Server | Display |
| DNSSEC | Display |
| DNSSEC | Display |
| URL of ICANN Whois Inaccuracy Complaint Form | Display |
| >>> Last update of WHOIS database | Display |

The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.

With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.
