Latest news of the domain name industry

Recent Posts

Hackers break .mobi after Whois domain expires

Kevin Murphy, September 12, 2024, Domain Registries

It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.

White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.

Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.

WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.

Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.

GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.

Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.

More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.

WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.

“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.

They said they would have also been able to send malicious code payloads to vulnerable Whois clients.

While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.

As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.

The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.

Newly launched .zip already looks dodgy

A trawl through the latest zone file for Google’s newly launched .zip gTLD reveals that it is likely to be used in malware and phishing attacks.

.zip is of course also a filename extension used by the ZIP archive format, often used to compress and email multiple files at once, and many domains registered in the .zip gTLD in the last few days seem ready to capitalize on that potential for confusion.

I counted 3,286 domains in the May 14 zone file, and a great many of them appear to relate to email attachments, financial documents, software updates and employment information.

I found 133 instances of the word “update”, with sub-strings such as “attach”, “statement”, “download” and “install” also quite common.

Some domains are named after US tax and SEC forms, and some appear to be targeting employees at their first day of work.

I don’t know the intent of any of these registrants, of course. It’s perfectly possible some of their domains could be put to benign use or have been registered defensively by those with security concerns. But my gut says at least some of these names are dodgy.

Google went into general availability with eight new TLDs last Wednesday, and as of yesterday .zip was the only one to rack up more than a thousand names in its zone file.

The others were .dad (913 domains), .prof (264), .phd (605), .mov (463), .esq (979), .foo (665) and .nexus (330).

Dynadot takes down its own web site after apparent breach

Dynadot took the drastic move of turning off its own web site last week after noticing an apparent security breach.

The registrar also reset all of its customers’ passwords, acknowledging the pair of moves were “extremely inconvenient”.

It’s not clear from the company’s statement whether there really had been an attack or whether it overreacted

It said “our system noticed irregular activity” but later brought its site back up after staff “investigated and determined there was not a threat”.

The company said it has engaged “cyber security experts” to help it out in future.

DNS Abuse Institute names free tool NetBeacon, promises launch soon

Kevin Murphy, April 5, 2022, Domain Services

NetBeacon has been picked as the name for the DNS Abuse Institute’s forthcoming free abuse-reporting tool.

The tool is expected to launch in early June, after software was donated by CleanDNS accelerated the development cycle, according to Institute director Graeme Bunton.

The system was previously using the working title CART, for Centralized Abuse Reporting Tool, as I blogged in February.

CleanDNS CEO Jeff Bedser is also on the board of Public Interest Registry, which funds DNSAI. Bunton wrote that PIR approved the use of the CleanDNS software under its conflict of interest policy, with Bedser recusing himself.

NetBeacon is expected to provide a way for authenticated abuse reporters to file complaints in a normalized fashion, potentially streamlining the workflow of registrars that subsequently have to deal with them.

Bunton has said that the service will be free at both ends, funded by non-for-profit PIR.

GoDaddy hack exposed a million customer passwords

Kevin Murphy, November 24, 2021, Domain Registrars

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.

XYZ counting standard sales as “premiums” because its fees are so expensive

Kevin Murphy, November 19, 2021, Domain Registries

Portfolio gTLD registry XYZ appears to be counting regular sales of domains in certain TLDs as “premium” wins, because the base reg fee is so high.

The company said in a recent blog post that it sold over 270 “premium” names in October, but it added the following caveat:

Premium XYZ Registry domains refer to premium domains for extensions with standard and premium domains, and XYZ’s premium namespaces such as .Cars, .Storage, .Tickets, .Security, etc.

So if a name in a .com-equivalent priced TLD such as .xyz had been flagged as a premium by the registry and sold for a few thousands bucks, that counts as a premium sale, but any sale at all in .cars, where all domains cost a few thousand bucks regardless of the second-level string, also counts as a premium.

This reporting practice appears to bring in .security, .storage, .protection, .car, .auto, and .theatre, which all retail for four figures as standard. It also includes .tickets, where you won’t get much change out of a grand. It doesn’t include the fourth member of the cars family, .autos, where domains are priced as .com-equivalent.

I’m not sure how I feel about this.

You can’t accuse the registry of being misleading — it’s disclosing what it’s doing pretty prominently mid-post, not even reducing the font size.

And you can’t reasonably argue that a standard $3,000 .cars domain, which renews at $3,000 a year, for example, has less claim to the adjective “premium” than a domain in .hair that has a premium-tier EPP code selling for $3,000 but renewing at $20.

It just feels weird to see the word used in this way for what appears to be the first time.

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

Neustar exec fingered in Trump’s Russian “collusion” probe

Kevin Murphy, October 1, 2021, Domain Registries

A senior former Neustar executive has been outed as a participant in 2016 research that sought to establish nefarious links between then US presidential candidate Donald Trump and the Russian government.

According to a US federal indictment last month, former Neustar senior VP and head of security Rodney Joffe and others used DNS query data collected by the company to help create a “narrative” that Trump’s people had been covertly communicating with Kremlin-connected Alfa Bank.

The indictment claims that they did so despite privately expressing skepticism that the data was conclusive in establishing such ties.

Joffe did this work while under the impression he would be offered a top cybersecurity job in Hilary Clinton’s administration, had she won the 2016 general election, the indictment claims.

Joffe has not been accused of any illegality or wrongdoing — he’s not even named in the indictment — and his lawyer has told the New York Times that the indictment gives an “incomplete and misleading” version of events.

The indictment was returned by a federal grand jury on September 16 against Washington DC lawyer Michael Sussmann, as a result of Special Counsel John Durham’s investigation into the origins of the Trump-Russia “collusion” probe, which ultimately found insufficient evidence of illegality by the former president.

Sussman is charged with lying to the FBI when, in September 2016, he showed up with a bunch of evidence suggesting a connection between Trump and Alfa Bank and claimed to not be working on behalf of any particular client.

In fact, the indictment alleges, he was working on behalf of the Clinton campaign and Joffe, both of whom had retained his services. Lying to the FBI is a crime in the US.

The indictment refers to Joffe as “Technology Executive 1”, but his identity has been confirmed by the NYT and others.

Sussman’s evidence in part comprised DNS data supplied by Joffe and analyzed by himself and other researchers, showing traffic between the domain mail1.trump-email.com and the Russian bank.

At the time, Neustar was a leading provider of domain registry services, but also a significant player in DNS resolution services, giving it access to huge amounts of data about domain queries.

“Tech Executive-1 [Joffe] used his access at multiple organizations to gather and mine public and non-public Internet data regarding Trump and his associates, with the goal of creating a ‘narrative’ regarding the candidate’s ties to Russia,” the indictment claims.

According to the indictment, Joffe had been offered a job in the Clinton administration. He allegedly wrote, shortly after the November 2016 election: “I was tentatively offered the top [cybersecurity] job by the Democrats when it looked like they’d win. I definitely would not take the job under Trump.”

The researchers — which also included employees of the Georgia Institute of Technology, ​Fusion GPS, and Zetalytics, according to the NYT — sought to create a case for a connection between Trump and the Russian government while privately expressing doubts that their conclusions would stand up to third-party scrutiny, the indictment claims.

The suspicions were briefed to the media by Sussman and the Clinton campaign, the indictment says, and widely reported prior to the election.

When the FBI investigated the alleged links, it concluded the suspicious traffic was benign and caused by the activities of a third-party marketing firm, according to reports.

As I said, it is not alleged that Joffe broke the law, and his people say the indictment is, as you might expect from an indictment, one-sided.

Still, it’s a very interesting, and possibly worrying, insight into how companies like Neustar and their employees are able to leverage DNS resolution data for their own private purposes.

The full indictment, which uses pseudonyms for most of the people said to be involved in the research, can be read here (pdf). The New York Times story, which reveals many of these identities, can be read here (paywall).

While Neustar’s registry business was acquired last year by GoDaddy, it appears that Joffe did not make the move and instead stayed with Neustar. His LinkedIn profile showed he “retired” at some point in the last few weeks, after 15 years with the company.

Most registrars fail ICANN abuse audit

Kevin Murphy, August 26, 2021, Domain Registrars

The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.

(UPDATE October 14, 2021: ICANN disagrees with this characterization.)

The audit of 126 registrars, representing over 90% of all registered gTLD domains, founds that 111 were “not fully compliant with the [Registrar Accreditation Agreement’s] requirements related to the receiving and handling of DNS abuse reports”.

Only 15 companies passed with flying colors, ICANN said.

A further 92 have already put in place changes to address the identified concerns, with 19 more still struggling to come into compliance.

The particular parts of the RAA being audited require registrars to publish an abuse email address that it monitored 24/7 and to take action on well-founded cases of abuse within 24 hours of notification.

The results of the audit, carried out by ICANN Compliance and KPMG, can be found here (pdf).

Will you use SSAD for Whois queries?

Kevin Murphy, July 9, 2021, Domain Policy

ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.

The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?

The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.

But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.

Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.

The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”

There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.

ICANN said it’s asking similar questions of registries and registrars directly.

There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.

It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.

You can find the questionnaire over here. You have until July 22.