Latest news of the domain name industry

Recent Posts

Court rules domain name list should stay secret

Publishing a list of every domain name in their zone is something that most TLD registries do automatically on a daily basis, but a court in Chile has ruled that doing so is a cybersecurity risk.

NIC Chile, which runs .cl, said last week that it has won an appeal against a Transparency Council ruling that would have forced it to publish a list of the domains it manages.

The Court of Appeals ruled that the registry was within its rights to refuse to hand over an Excel spreadsheet listing the 575,430 domains in .cl to the person who requested it.

The request was just for the list of domains, with none of the other data you’d find in a zone file and no Whois information about the registrants.

Nevertheless, the court unanimously ruled that to hand over the list would present “cybersecurity risks”, according to NIC Chile attorney Margarita Valdés Cortés.

NIC Chile said in a statement:

In this particular case, it was considered that the bulk delivery of domain names to a private individual could generate risks of cybersecurity of various kinds, both in access to information as a result of those domain names as well as the possibility that, by having such a list, attacks on servers, phishing, spam or others could be made easier. Similarly, the ruling of the Court of Appeals understood that the delivery of the data affects commercial and economic rights of the holders of these .CL domains, and considered that there is a legal cause that justifies NIC Chile´s refusal to turn over the list of all registered names.

Cortés said that the case will now go to the nation’s Supreme Court for a final decision, after the Transparency Council appealed.

Access to zone files is considered by many security researchers to be an invaluable tool in the fight against cybercrime.

NIC Chile has published the ruling, in Spanish, here (pdf).

Governments demand Whois reopened within a year

Kevin Murphy, April 29, 2019, Domain Policy

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.

The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.

The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.

She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.

It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.

It strikes me as a ludicrously ambitious deadline.

Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.

The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.

IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).

Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.

Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.

The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.

Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.

Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.

The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.

For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.

With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

ICANN got hacked by crypto bots

Kevin Murphy, April 16, 2019, Domain Tech

ICANN had to take down its community wiki for several hours last week after it got hacked by crypto-currency miners.

The bad guys got in via one of two “critical” vulnerabilities in Confluence, the wiki software that ICANN licences from Atlassian Systems, which ICANN had not yet patched.

ICANN’s techies noticed the wiki, which is used by many of its policy-making bodies to coordinate their work, was running slowly April 11.

They quickly discovered that Atlassian had issued a vulnerability warning on March 20, but ICANN was not on its mailing list (doh!) so hadn’t been directly notified.

They also determined that a malicious “Crypto-Miner” — software that uses spare CPU cycles to attempt to create new cryptocurrency coins — had been installed and was responsible for the poor performance.

ICANN said it took the wiki down, restored it to a recent backup, patched Confluence, and brought the system back online. It seems to have taken a matter of hours from discovery to resolution.

The organization said it has now subscribed to Atlassian’s mailing list, so it will be notified of future vulnerabilities directly.

KSK vote was NOT unanimous

Kevin Murphy, September 18, 2018, Domain Policy

ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.

Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.

I understand there was also a single abstention to Sunday’s vote.

Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.

The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.

She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.

Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).

These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.

Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.

The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.

The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.

Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.

ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.

Empty Whois a threat to the US elections?

Kevin Murphy, September 5, 2018, Domain Policy

Could a lack of Whois records thwart the fight against attempts to interfere in this year’s US elections?

That’s the threat raised by DomainTools CEO Tim Chen in a blog post, and others, this week.

Chen points to recent research by Facebook, based on an investigation by security company FireEye, that linked a large network of bogus news sites and social media accounts to the Iranian state media.

FireEye’s investigation used “historical Whois records”, presumably provided by DomainTools, to connect the dots between various domains and registrants associated with “Liberty Front Press”, a purportedly independent media organization and prolific social media user.

Facebook subsequently found that 652 accounts, pages and groups associated with the network, and removed them from its platform.

The accounts and sites in question were several years old but had been focusing primarily on politics in the UK and US since last year, Facebook said.

Based on screenshots shared by Facebook, the accounts had been used to spread political messages bashing US president Donald Trump and supporting the UK’s staunchly pro-Palestinian opposition leader Jeremy Corbyn.

Google’s research, also inspired by FireEye’s findings and Whois data, linked the network to the state-run Islamic Republic of Iran Broadcasting.

The actions by Google and Facebook come as part of their crackdown on fake news ahead of the US mid-term Congressional elections, this November, which are are largely being seen as a referendum on the Trump presidency.

Because the domains in question predate the General Data Protection Regulation and ICANN’s response to it, DomainTools was able to capture Whois records before they went dark in May.

While the records often use bogus data, registrant email addresses common to multiple domains could be used to establish common ownership.

Historical Whois data for domains registered after May 2018 is not available, which will likely degrade the utility of DomainTools’ service over time.

Chen concluded his blog post, which appeared to be written partly in response to data suggesting that GDPR has not led to a growth in spam, with this:

Domain name Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.

DomainTools is one of the founders of the new Coalition for a Secure and Transparent Internet, a lobby group devoted to encouraging legislatures to keep Whois open.

Representatives of Facebook and Iran’s government are among the members of the Expedited Policy Development Process on Whois, an emergency ICANN working group that is currently trying to write a permanent GDPR-compliant Whois policy for ICANN.

Whois privacy did NOT increase spam volumes

Kevin Murphy, August 31, 2018, Domain Tech

The advent of more-or-less blanket Whois privacy has not immediately led to the feared uptick in spam, according to researchers.

Data from Cisco’s Talos email data service, first highlighted by security company Recorded Future this week, shows spam levels have been basically flat to slightly down since ICANN’s GDPR-inspired new Whois policy came into effect May 25.

Public Talos data shows that on May 1 this year there were 433.9 billion average daily emails and 370.04 billion spams — 85.28% spam.

This was down to 361.83 billion emails and 308.05 billion spams by August 1, an 85.14% spam ratio, according to Recorded Future.

So, basically no change, and certainly not the kind of rocketing skyward of spam levels that some had feared.

Cisco compiles its data from customers of its various security products and services.

Looking at Talos’ 18-month view, it appears that spam volume has been on the decline since February, when the ratio of spam to ham was pretty much identical to post-GDPR levels.

It also shows a similar seasonal decline during the northern hemisphere’s summer 2017.

Talos graph

There had been a fear in some quarters that blanket Whois privacy would embolden spammers to register more domains and launch more ambitious spam campaigns, and that the lack of public data would thwart efforts to root out the spammers themselves.

While that may well transpire in future, the data seems to show that GDPR has not yet had a measurable impact on spam volume at all.

Microsoft seizes “Russian election hacking” domains

Kevin Murphy, August 21, 2018, Domain Policy

Microsoft has taken control of six domains associated with a hacker group believed to be a part of Russian military intelligence, according to the company.

Company president Brad Smith blogged yesterday that Microsoft obtained a court order allowing it to seize the names, which it believes were to be used to attack institutions including the US Senate.

The domains in question look like they could be used in spear-phishing attacks. The are: my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

Historical Whois records archived by DomainTools show they were registered last year behind WhoisGuard, the Panama-based privacy service. Now, of course, the Whois records are all redacted due to GDPR.

Smith said that Microsoft believes intended targets besides the Senate also include the International Republican Institute and the Hudson Institute, two conservative think-tanks.

The company believes, though it did not show evidence, that the domains were created by the group it calls “Strontium”.

Strontium is also known as “Fancy Bear”, among other names. It’s believed to be backed by the GRU, Russia’s intelligence agency.

It’s the same group alleged members of which Special Counsel Robert Mueller recently indicted as part of his investigation into Russian meddling in the 2016 US presidential election.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith said in his blog post.

He added that Microsoft does not know whether the domains have been used in an attack yet.

Is the new Whois policy group already doomed to fail?

Kevin Murphy, July 24, 2018, Domain Policy

ICANN’s Generic Names Supporting Organization has set itself extremely aggressive, some might say impossible, targets for its emergency Whois policy work.

The GNSO Council on Thursday approved the charter for a new working group that will attempt to come up with a consensus policy for how to amend the Whois system in light of the EU’s General Data Protection Regulation.

But the vote was not unanimous — three of the six Non-Commercial Stakeholder Group councilors abstained largely because they think intellectual property interests have managed to capture the discussion before it has begun.

The three abstentions were independent consultant Ayden Ferdeline, cybersecurity policy researcher Tatiana Tropina, and privacy consultant Stephanie Perrin.

Tropina said during the Thursday meeting: “I cannot vote ‘yes’ for a document that in my opinion has parts that are not properly worded and, instead of setting the scope of the EPDP [Expedited Policy Development Process] work, set up multiple possibilities to get the work sidetracked.”

She and Ferdeline pointed specifically to section J of the approved charter (pdf), which addresses “reasonable access” to non-public Whois data.

This is the part of the policy work that will decide whether, and to what extent, entities such as trademark owners and cybersecurity researchers will be able to peek behind the curtain of post-GDPR personal data redactions and see who actually owns domain names.

There are several “gating” questions that the working group must answer before it gets to J, however, such as: what data should be collected by registrars, how data transfer to registries should be handled, and are the reasons for this data to be collected all valid?

But when it comes to section J, the abstaining NCSG councilors reckon that the Intellectual Property Community has managed to sneak in the notion that its members should get access to private data as a fait accompli. Section J reads in part:

What framework(s) for disclosure could be used to address (i) issues involving abuse of domain name registrations, including but not limited to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection, (ii) addressing appropriate law enforcement needs, and (iii) provide access to registration data based on legitimate interests not outweighed by the fundamental rights of relevant data subjects?

Ferdeline said in his abstention:

I believe that Section J includes, first and foremost, questions that unnecessarily expand the scope of this EPDP and put perceived answers — rather than genuine, open ended questions — into this important document. Overall I think this section of the charter’s scope is unnecessary and will not allow the EPDP team to complete their work in a timely manner.

Tropina said J “poses the questions that, first of all, imply by default that issues related to intellectual property protection and consumer protection require the disclosure of personal data”, adding that she was bewildered that IP interests had been lumped in with security concerns:

This wording fails me: as I am criminal lawyer working in the field of frameworks for cybercrime investigation, I do not see why cybercrime investigations are separated from law enforcement needs and go to the same basket with intellectual property protection as they are on a completely different level of legitimate demands

In short, the newly approved EPDP charter has been framed in such a way as to make discussions extremely fractious from the outset, pitting privacy interests against those of the trademark lobby on some of the most divisive wedge issues.

This is problematic given that the working group has an extremely aggressive schedule — its members have not yet even been named and yet it expects to produce its Initial Report shortly after ICANN 63, which ends October 25 this year.

It’s an absurdly short space of time to resolve questions that have dogged ICANN for almost two decades.

Will this pressure to come to agreement against the clock work in favor of the trademark community, or will it doom the policy-making process to deadlock?

Attempting to steer the WG through this minefield will be Kurt Pritz, who was confirmed by the Council as its neutral chair on Thursday, as DI first reported a week ago.

The make-up of the group has also proved contentious.

While it is a GNSO process that would lead to a Consensus Policy binding on all gTLD registries and registrars, the decision has been made to bring in voices from other areas of the community, such as the Country Code Names Supporting Organization, which will not be directly affected by the resulting policy.

There will be 29 members in total, not counting the non-voting chair.

The GNSO gets 18 of these seats at the table, comprising: three registries, three registrars, two IPC members, two ISPs, two Business Constituency members, six NCSG members (which, I imagine would be split between the privacy-focused NCUC and more IP-friendly NPOC).

But also joining the group on an equal footing will be two members of the Root Server System Advisory Committee (I’ve no idea why), two from the Security and Stability Advisory Committee, two from the ccNSO, two from the At-Large Advisory Committee and three from the Governmental Advisory Committee.

The actual individuals filling these seats will be named by their respective constituencies in the next few days, ahead of the first WG meeting July 30.

It has been said that these people could expect to devote north of 30 hours a week (unpaid of course, though any necessary travel will be comp’d) to the discussions.

ICANN found a zero-day hole in Adobe Connect

Kevin Murphy, April 23, 2018, Domain Tech

It’s looking like ICANN may have found a zero-day vulnerability in Adobe Connect, until recently its default collaboration tool.

The organization on Friday announced the results of a “forensic investigation” into the bug, and said it has reported its findings to Adobe, which is now “working on a software fix to address the root cause of the issue”.

If Adobe didn’t know about it, it looks rather like ICANN — or at least the unnamed member of the security advisory committee who found it — has bagged itself a zero-day.

ICANN had previously said that the glitch “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”.

The review found that the only person who exploited the bug was the person who discovered and disclosed it.

AC is used not only in ICANN’s public meetings but also, I understand, in closed sessions of ICANN staff, board and committees, where secret information is most likely to be shared.

After the bug was discovered, ICANN shut off the system and started using alternatives such as WebEx, to a mixed reception.

In the absence of an immediate patch from Adobe, ICANN has been testing workarounds and said it hopes to have two working ones deployed by May 3.

This would allow the tool to come back online in time for its board workshop, GDD Summit and ICANN 62, the organization said.

Data leak security glitch screws up ICANN 61 for thousands

Kevin Murphy, March 15, 2018, Domain Policy

A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.

The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.

Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.

At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.

At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.

It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.

ICANN said in the second of two statements issued yesterday:

The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.

We are working directly with Adobe and with our cloud service provider to learn more.

Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.

I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.

Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.

I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.

While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.

In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.

Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.