
The UK is going nuts about porn and Go Daddy and Nominet are helping

Kevin Murphy, August 9, 2013, Domain Policy

In recent months the unhinged right of the British press has been steadily cajoling the UK government into “doing something about internet porn”, and the government has been responding.
I’ve been itching to write about the sheer level of badly informed claptrap being aired in the media and halls of power, but until recently the story wasn’t really in my beat.
Then, this week, the domain name industry got targeted. To its shame, it responded too.
Go Daddy has started banning certain domains from its registration path and Nominet is launching a policy consultation to determine whether it should ban some strings outright from its .uk registry.
It’s my beat now. I can rant.
For avoidance of doubt, you’re reading an op-ed, written with a whisky glass in one hand and the other being used to periodically wipe flecks of foam from the corner of my mouth.
It also uses terminology DI’s more sensitive readers may not wish to read. Best click away now if that’s you.
The current political flap surrounding internet regulation seems to have emerged from the confluence of a few high-profile sexually motivated murders and a sudden awareness by the mainstream media — now beyond the point of dipping their toes in the murky social media waters of Twitter — of trolls.
(“Troll” is the term, rightly or wrongly, the mainstream media has co-opted for its headlines. Basically, they’re referring to the kind of obnoxious assholes who relentlessly bully others, sometimes vulnerable individuals and sometimes to the point of suicide, online.)
In May, a guy called Mark Bridger was convicted of abducting and murdering a five-year-old girl called April Jones. It was broadly believed — including by the judge — that the abduction was sexually motivated.
It was widely reported that Bridger had spent the hours leading up to the murder looking at child abuse imagery online.
It was also reported — though far less frequently — that during the same period he had watched a loop of a rape scene from the 2009 cinematic-release horror movie Last House On The Left.
He’d recorded the scene on a VHS tape when it was shown on free-to-air British TV last year.
Of the two technologies he used to get his rocks off before committing his appalling crime, which do you think the media zeroed in on: the amusingly obsolete VHS or the golly-it’s-all-so-new-and-confusing internet?
Around about the same time, another consumer of child abuse material named Stuart Hazell was convicted of the murder of 12-year-old Tia Sharp. Again it was believed that the motive was sexual.
While the government had been talking about a porn crackdown since 2011, it wasn’t until last month that the prime minister, David Cameron, sensed the time was right to announce a two-pronged attack.
First, Cameron said he wants to make it harder for people to access child abuse imagery online. A noble objective.
His speech is worth reading in full, as it contains some pretty decent ideas about helping law enforcement catch abusers and producers of abuse material that weren’t well-reported.
But it also contained a call for search engines such as Bing and Google to maintain a black-list of CAM-related search terms. People searching for these terms will never get results, but they might get a police warning.
This has been roundly criticized as unworkable and amounting to censorship. If the government’s other initiatives are any guide, it’s likely to produce false positives more often than not.
Second, Cameron said he wants to make internet porn opt-in in the UK. When you sign up for a broadband account, you’ll have to check a box confirming that you want to have access to legal pornography.
This is about “protecting the children” in the other sense — helping to make sure young minds are not corrupted by exposure to complex sexual ideas they’re almost certainly not ready for.
The Open Rights Group has established that the opt-in process will look a little like this:

Notice how there are 10 categories and only one of them is related to pornography? As someone who writes about ICANN on a daily basis, I’m pretty worried about “esoteric materials” being blocked.
As a related part of this move, the government has already arranged with the six largest Wi-Fi hot-spot operators in the country to have porn filters turned on by default.
I haven’t personally tested these networks, but they’re apparently using the kind of lazy keyword filters that are already blocking access to newspaper reports about Cameron’s speech.
Censorship, in the name of “protecting the children”, is already happening here in the UK.
Which brings me to Nominet and Go Daddy
Last Sunday, a guy called John Carr wrote a blog post about internet porn in the UK.
I can’t pretend I’ve ever heard of Carr, and he seems to have done a remarkably good job of staying out of Google, but apparently he’s a former board member of the commendable CAM-takedown charity the Internet Watch Foundation and a government adviser on online child safety.
He’d been given a preview of some headline-grabbing research conducted by MetaCert — a web content categorization company best known before now for working with .xxx operator ICM Registry — breaking down internet porn by the countries it is hosted in.
Because the British rank was surprisingly high, the data was widely reported in the British press on Monday. The Daily Mail — a right-wing “quality” tabloid whose bread and butter is bikini shots of D-list teenage celebrities — on Monday quoted Carr as saying:

Nominet should have a policy that websites registered under the national domain name do not contain depraved or disgusting words. People should not be able to register websites that bring disgrace to this country under the national domain name.

Now, assuming you’re a regular DI reader and have more than a passing interest in the domain name industry, you already know how ludicrous a thing to say this is.
Network Solutions, when it had a monopoly on .com domains, had a “seven dirty words” ban for a long time, until growers of shitake mushrooms and Scunthorpe Council pointed out that it was stupid.
You don’t even need to be a domain name aficionado to have been forwarded the hilarious “penisland.net” and “therapistfinder.com” memes — they’re as old as the hills, in internet terms.
Assuming he was not misquoted, a purported long-time expert in internet filtering such as Carr should be profoundly, deeply embarrassed to have made such a pronouncement to a national newspaper.
If he really is a government adviser on matters related to the internet, he’s self-evidently the wrong man for the job.
Nevertheless, other newspapers picked up the quotes and the story and ran with it, and now Ed Vaizey, the UK’s minister for culture, communications and creative industries, is “taking it seriously”.
Vaizey is the minister most directly responsible for pretending to understand the domain name system. As a result, he has quite a bit of pull with Nominet, the .uk registry.
Because Vaizey for some reason believes Carr is to be taken seriously, Nominet, which already has an uncomfortably cozy relationship with the government, has decided to “review our approach to registrations”.
It’s going to launch “an independently-chaired policy review” next month, which will invite contributions from “stakeholders”.
The move is explicitly in response to “concerns” about its open-doors registration policy “raised by an internet safety commentator and subsequently reported in the media.”
Carr’s blog post, in other words.
Nominet — whose staff are not stupid — already knows that what Carr is asking for is pointless and unworkable. It said:

It is important to take into account that the majority of concerns related to illegality online are related to a website’s content – something that is not known at the point of registration of a domain name.

But the company is playing along anyway, allowing a badly informed blogger and a credulous politician to waste its and its community’s time with a policy review that will end in either nothing or censorship.
What makes the claims of Carr and the Sunday Times all the more extraordinary is that the example domain names put forward to prove their points are utterly stupid.
Carr published on his blog a screenshot of Go Daddy’s storefront informing him that the domain rapeher.co.uk is available for registration, and wrote:

www.rapeher.co.uk is a theoretical possibility, as are the other ones shown. However, I checked. Nominet did not dispute that I could have completed the sale and used that domain.

Why has it not occurred to Nominet to disallow names of that sort? Nominet needs to institute an urgent review of its naming policies.

To be clear, rapeher.co.uk did not exist at the time Carr wrote his blog. He’s complaining about an unregistered domain name.
A look-up reveals that kill-all-jews.co.uk isn’t registered either. Does that mean Nominet has an anti-Semitic registration policy?
As a vegetarian, I’m shocked and appalled to discover that vegetarians-smell-of-cabbage.co.uk is unregistered too. Something must be done!
Since Carr’s post was published and the Sunday Times and Daily Mail in turn reported its availability, five days ago, nobody has registered rapeher.co.uk, despite the potential traffic the publicity could garner.
Nobody is interested in rapeher.co.uk except John Carr, the Sunday Times and the Daily Mail. Not even a domainer with a skewed moral compass.
And yet Go Daddy has taken it upon itself, apparently in response to a call from the Sunday Times, to preemptively ban rapeher.co.uk, telling the newspaper:

We are withdrawing the name while we carry out a review. We have not done this before.

This is what you see if you try to buy rapeher.co.uk today:

Is that all it takes to get a domain name censored from the market-leading registrar? A call from a journalist?
If so, then I demand the immediate “withdrawal” of rapehim.co.uk, which is this morning available for registration.

Does Go Daddy not take male rape seriously? Is Go Daddy institutionally sexist? Is Go Daddy actively encouraging male rape?
These would apparently be legitimate questions, if I was a clueless government adviser or right-leaning tabloid hack under orders to stir the shit in Middle England.
Of the other two domains cited by the Sunday Times — it’s not clear if they were suggested by Carr or MetaCert or neither — one of them isn’t even a .co.uk domain name, it’s the fourth-level subdomain incestrape.neuken.co.uk.
There’s absolutely nothing Nominet, Go Daddy, or anyone else could do, at the point of sale, to stop that domain name being created. They don’t sell fourth-level registrations.
The page itself is a link farm, probably auto-generated, written in Dutch, containing a single 200×150-pixel pornographic image — one picture! — that does not overtly imply either incest or rape.
The links themselves all lead to .com or .nl web sites that, while certainly pornographic, do not appear on cursory review to contain any obviously illegal content.
The other domain cited by the Daily Mail is asian-rape.co.uk. Judging by searches on several Whois services, Google and Archive.org, it’s never been registered. Not ever. Not even after the Mail’s article was published.
It seems that the parasitic Daily Mail really, really doesn’t understand domain names and thought it wouldn’t make a difference if it added a hyphen to the domain that the Sunday Times originally reported, which was asianrape.co.uk.
I can report that asianrape.co.uk is in fact registered, but it’s been parked at Sedo for a long time and contains no pornographic content whatsoever, legal or otherwise.
It’s possible that these are just idiotic examples picked by a clueless reporter, and Carr did allude in his post to the existence of .uk “rape” domains that are registered, so I decided to go looking for them.
First, I undertook a series of “rape”-related Google searches that will probably be enough to get me arrested in a few years’ time, if the people apparently guiding policy right now get their way.
I couldn’t find any porn sites using .uk domain names containing the string “rape” in the first 200 results, no matter how tightly I refined my query.
So I domain-dipped for a while, testing out a couple dozen “rape”-suggestive .co.uk domains conjured up by my own diseased mind. All I found were unregistered names and parked pages.
I Googled up some rape-themed porn sites that use .com addresses — these appear to exist in abundance, though few appear to contain the offending string in the domain itself — and couldn’t find any that have bothered to even defensively register their matching .co.uk.
So I turned to Alexa’s list of the top one million most-popular domains. Parsing that (.csv), I counted 277 containing the string “rape”, only 32 of which (11%) could be loosely said to be using it in the sense of a sexual assault.
Whether those 32 sites contain legal or illegal pornographic content, I couldn’t say. I didn’t check. None of them were .uk addresses anyway.
Most of the non-rapey ones were about grapes.
I’m not going to pretend that my research was scientific, neither am I saying that there are no rape-themed .co.uk porn sites out there, I’m just saying that I tried for a few hours to find one and I couldn’t.
What I did find were dozens of legitimate uses of the string.
So if Nominet bans the word “rape” from domain name registrations under .uk — which is what Carr seems to want to happen — what happens to rapecrisis.org.uk?
Does the Post Office have to give up grapevine.co.uk, which it uses to help prevent crime? Does the eBay tools provider Terapeak have to drop its UK presence? Are “skyscrapers” too phallic now? Is the Donald Draper Fan Club doomed?
And what about the fine fellows at yorkshirerapeseedoil.co.uk or chilterncoldpressedrapeseedoil.co.uk?
If these examples don’t convince you that a policy of preemptive censorship would be damaging and futile, allow me to put the question in terms the Daily Mail might understand: why does Ed Vaizey hate farmers?
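The overblocking argument above, as an added example that is not part of the original post: a registry-wide substring ban applied to the names the post mentions, showing which legitimate names it refuses and why a fourth-level name never reaches the check. The suffix list, ranks and labels are constructed for illustration, and `split_registered` and `evaluate` are hypothetical helper names.

```python
import csv
import io

# Suffixes under which names are sold (constructed subset; a real check
# would consult the full Public Suffix List).
REGISTRY_SUFFIXES = ("co.uk", "org.uk", "com", "net")

# The hypothetical registry-wide ban discussed in the post.
BANNED_SUBSTRINGS = ("rape",)

# Constructed ranked list in "rank,domain,label" form. The domains are the
# ones named in the post (plus example.com as a non-match); ranks and labels
# are assigned by hand here:
#   legitimate = cited by the author as a legitimate use
#   cited      = held up in the press coverage as a problem name
SAMPLE_CSV = """\
1,example.com,legitimate
2,grapevine.co.uk,legitimate
3,rapecrisis.org.uk,legitimate
4,yorkshirerapeseedoil.co.uk,legitimate
5,chilterncoldpressedrapeseedoil.co.uk,legitimate
6,rapeher.co.uk,cited
7,asianrape.co.uk,cited
8,asian-rape.co.uk,cited
9,incestrape.neuken.co.uk,cited
"""


def split_registered(fqdn):
    """Return (label sold by the registry, [subdomain labels to its left])."""
    name = fqdn.lower().rstrip(".")
    # Try the longest suffix first so "co.uk" wins over a shorter match.
    for suffix in sorted(REGISTRY_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            left = name[: -(len(suffix) + 1)].split(".")
            return left[-1], left[:-1]
    raise ValueError("no known registry suffix in %r" % fqdn)


def registry_would_block(fqdn):
    """A point-of-sale check only ever sees the label being registered."""
    label, _subdomains = split_registered(fqdn)
    return any(banned in label for banned in BANNED_SUBSTRINGS)


def evaluate(csv_text):
    """Apply the ban to every row and sort the outcomes into buckets."""
    result = {"substring_hits": 0, "overblocked": [],
              "blocked_cited": [], "missed": []}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        _rank, fqdn, label = row
        # Count the way the post counts the top-million list: the string
        # appearing anywhere in the full name.
        if any(banned in fqdn for banned in BANNED_SUBSTRINGS):
            result["substring_hits"] += 1
        blocked = registry_would_block(fqdn)
        if blocked and label == "legitimate":
            result["overblocked"].append(fqdn)
        elif blocked:
            result["blocked_cited"].append(fqdn)
        elif label == "cited":
            # The string sits in a subdomain the registry never sells.
            result["missed"].append(fqdn)
    return result


if __name__ == "__main__":
    for bucket, value in evaluate(SAMPLE_CSV).items():
        print(bucket, value)
```
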


Realtors withdraw five gTLD community objections

Kevin Murphy, August 8, 2013, Domain Registries

The US-based National Association of Realtors has withdrawn its Community Objections against five applicants for .realestate and .realty, according to well-placed sources.
The five separate objections, which had been combined into one action under the auspices of the International Chamber of Commerce’s International Centre for Expertise, were withdrawn today.
NAR is a million-member trade association — apparently the largest in the US — comprising real estate agents that agree to pay dues and abide by its code of conduct.
It owns a trademark on REALTORS® and, judging by its objection and web site, is not shy about letting you know it. In the States, only NAR members get to call themselves “realtors”.
It has applied for .realestate via a subsidiary, dotRealEstate LLC, and had objected to applications for .realestate from Donuts, Top Level Domain Holdings and Uniregistry, and applications for .realty from Donuts and smaller portfolio applicant Fegistry.
The objections were combined in May, with the consent of the responding applicants.
NAR argued (pdf) that the applied-for strings are synonymous with its community of members, and that the other applicants’ proposed open-house registration policies would tarnish their reputation.
To win a Community Objection, you have to show among other things that there’s a strong nexus between the string at issue and the “clearly delineated” community you purport to represent.
While the case seems to have been withdrawn before it was decided by the ICC panel, NAR’s rivals were zeroing in on this as a weak spot in its objections.
The Uniregistry response (pdf) is as amusingly brutal as you’d expect from company counsel John Berryhill, using the NAR’s own marketing materials and positions in previous lawsuits against it.
Uniregistry pointed for example to a video on NAR’s web site that says:

We need your help to ensure that the term ‘REALTOR’ continues to mean member of the National Association of Realtors, and not just any real estate agent.

Uniregistry took this as an admission from NAR that the nexus between the universe of “real estate” professionals and the NAR is not as strong as the organization had tried to make out.
Donuts’ two responses (pdf and pdf) also attacked this angle, arguing:

Objector and its members make up only a fraction of that “community”… myriad divergent interests and countless individuals and organizations populate the sphere of “realty” around the world. Objector does not claim to speak on behalf of any of them, but rather only its own membership in the United States.

Now that the objections have been withdrawn, and all the applications are still active, the .realestate and .realty contention sets are both heading to auction or private settlement.


dotShabaka Diary — Day 1

Kevin Murphy, August 8, 2013, Domain Registries

Three weeks ago, dotShabaka Registry became the first of the current crop of new gTLD applicants to sign a registry contract with ICANN, but there’s still a way to go before launch.
The company has offered to provide DI readers, in a series of journal entries, with an insight into its operational experiences and concerns as شبكة. progresses on the path to delegation and launch.
With a Prioritization Draw number of 3, dotShabaka will often be the first to encounter any pitfalls that emerge in the latter stages of the new gTLD evaluation and delegation process.
DI has agreed to carry the journal, unedited, in the belief that a regular focus on operational matters from a high-prioritization applicant will prove an invaluable resource for applicants and program observers alike.
Here’s the first entry:

Welcome to The شبكة. Journal.
In association with Domain Incite, dotShabaka Registry has launched a journal series to provide regular updates on our progress through delegation and then launch.
The aim will be to offer a transparent insight into the operations of شبكة.. As the first new TLD to sign a Registry Agreement and begin the delegation process, we are throwing the door wide open and will report the good, bad and ugly of our experience via this journal.
You can expect to read reports on our interaction with ICANN, how we handle technical issues and our progress with establishing commercial operations.
For example, we can report that:
شبكة. began pre-delegation testing in the first-available slot on Monday 5th August – nearly three weeks after ICANN’s ‘earliest path’ timetable published in Durban. We are confident of a successful outcome after passing beta testing in July.
Updated RPM Requirements were finally published for comment on 6th August. The good news for شبكة. is the welcomed proposed revisions to support anchor tenants. The bad news is that public comment process is open until 18 September. Another delay!
This lack of certainty has made it impossible for us to finalise launch plans and policies, which is frustrating.
The good news is شبكة. is in the low risk category for New gTLD Collision Risk Management and we don’t expect any impact on the timeline for delegation. Who will be left standing with شبكة. after ICANN’s ‘risk mitigation’ actions for name collisions and GAC Advice are accounted for?
We welcome your feedback and encourage readers to comment below in the Domain Incite comment box. We’ll attempt to address questions the community may have.
Please stay tuned for future updates exclusively via Domain Incite.

One-time disclosure: I’d like to state for the benefit of those who are seemingly always ready to pounce on DI for “selling out” that the journal series are not “sponsored” posts.
There’s no financial relationship whatsoever between DI and dotShabaka or any of its affiliated companies. This is just about the info.


Another dot-brand gTLD bid withdrawn

Kevin Murphy, August 8, 2013, Domain Registries

Eighty-year-old adhesives company Avery Dennison has withdrawn its application for the .avery new gTLD.
The application was ranked 1,780 in ICANN’s evaluation queue, meaning it was due to receive its Initial Evaluation results shortly. By withdrawing now, the company gets a bigger refund.
According to its application, Avery Dennison makes “cutting-edge pressure-sensitive solutions, self-adhesive and reflective base materials, and innovative consumer and office products”.
A dot-brand with a Key-Systems back-end, .avery was the company’s only new gTLD application.


Trademarks still trump founders in latest TMCH spec

Kevin Murphy, August 7, 2013, Domain Registries

New gTLD applicants and ICANN seem to have failed to reach an agreement on how new registries can roll out founders programs when they launch.
A new draft of the Rights Protection Mechanism Requirements published last night still appears to make it tricky for new gTLD registries to sell domain names to all-important anchor tenants.
The document (pdf), which tells registries what they must do in order to implement Sunrise and Trademark Claims services, is unchanged in many major respects from the original April draft.
But ICANN has published a separate memo (pdf) comprising a handful of asks made by applicants, which highlight where differences remain. Both are now open for public comment until September 18.
Applicants want text adding to the Requirements document that would allow them to give or sell a small number of domains to third parties — namely: anchor tenants — before and during Sunrise periods.
Their suggested text reads:

As set forth in Specification 5 of the Agreement, Registry Operator MAY activate in the DNS up to one hundred (100) names necessary for the operation and promotion of the TLD. Pursuant to these Requirements, Registry Operator MAY register any or all of such domain names in the TLD prior to or during the Sunrise Period to third parties in connection with a registry launch and promotion program for the TLD (a “Qualified Registry Launch Program”), provided that any such registrations will reduce the number of domain names that Registry Operator MAY otherwise use for the operation and promotion of the TLD as set forth in Specification 5.

The base new gTLD Registry Agreement currently allows up to 100 names to be set aside before Sunrise only on the condition that ownership stays in the hands of the registry for the duration of the registration.
Left unaltered, that could complicate deals where the registry wants to get early registrants through the door to help it promote its gTLD during the critical first few months.
A second request from applicants deals with the problem that Sunrise periods also might interfere with preferred allocation programs during the launch of community and geographic gTLDs.
An example given during the recent ICANN Durban meeting was that of the .london registry giving first dibs on police.london to the Metropolitan Police, rather than a trademark owner such as the Sting-fronted band.
The applicants have proposed to allow registries to request “exemptions” to the Requirements to enable this kind of allocation mechanism, which would be offered in addition to the standard obligatory RPMs.
Because these documents are now open for public comment until September 18, that appears to be the absolute earliest date that any new gTLD registry will be able to give its mandatory 30-day pre-Sunrise warning.
In other words, the hypothetical date of the first new gTLD launch appears to have slipped by a couple of weeks.


We have a winner! Del Monte wins .delmonte LRO

Kevin Murphy, August 7, 2013, Domain Policy

No sooner did I predict the new gTLD Legal Rights Objection would not produce any prevailing complainants in this application round than I’ve been proved wrong.
A three-person WIPO panel yesterday delivered a majority-verdict win for Del Monte, which had filed an LRO against its licensee, .delmonte new gTLD applicant Fresh Del Monte.
It’s a complex case, but the panelists’ thinking appears to be consistent with previously decided LROs.
Del Monte is the original owner of the Del Monte brand, with rights going back to the nineteenth century and registered trademarks all over the world.
Fresh Del Monte has used the Del Monte brand under license from the other company since 1989.
Fresh Del Monte also acquired a South African trademark for “Del Monte” in October 2011, but the panel viewed this with suspicion, wondering aloud whether it had been obtained just to bolster its new gTLD application.
The panel also wondered whether acquiring the mark may have been a breach of the two firms’ longstanding licensing agreement.
The circumstances behind the South African trademark were enough to convince two of the three panelists that there was “something untoward” about Fresh Del Monte’s behavior.
That was a crucial factor in the decision (pdf), with the panel citing earlier LRO precedent to the effect that there must be some kind of bad faith present by the applicant in order for an LRO to succeed.
But the most important factor, according to the decision, was the “likelihood of confusion” element of the LRO. The panelists wrote:

From the crucial perspective of the average consumer, and notwithstanding the somewhat complicated licensing arrangements, the coexistence of the parties’ products in certain territories, and the similarity of the parties’ coexisting food products, the evidence shows that the Trade Mark has continued to function as an indicator of the commercial origin of the Objector and its goods (whether the Objector’s direct goods, or licensed goods).

They’re not wrong. Both companies sell canned fruit and vegetables and use the same logo. It’s virtually impossible for the average guy in the street to tell the difference between the two.
Having been exposed to the Del Monte brand for as long as I can remember, having read the LRO decision, and having visited both companies’ web sites, I still couldn’t tell you which company’s canned pineapple I’ve been ignoring on supermarket shelves all these years.
But the decision was not unanimous. Dissenting panelist Robert Badgley agreed with most of the panel’s findings but thought they hadn’t given enough weight to Fresh Del Monte’s South African trademark.
The panel, he suggested, hadn’t looked closely enough at the circumstances of the trademark rights being acquired because it hadn’t allowed additional submissions on that point.
Basically, the decision seems to have been made on partial evidence. Badgley wrote:

I am prepared to conclude that it is more likely than not that Respondent owns the DEL MONTE mark in South Africa and its use of that mark has been bona fide. This conclusion is critical to my ultimate view that Objector has failed to carry its burden of proof and therefore the Objection should be overruled.

He also noted that the two companies, with their matching brands, had been coexisting for 24 years under their licensing arrangement.


Donuts, Uniregistry and Famous Four respond to ICANN’s new gTLD security bombshell

Kevin Murphy, August 6, 2013, Domain Registries

Following the shock news this morning that ICANN wants to delay hundreds of new gTLD applications due to potential security risks, we pinged a few of the biggest applicants for their initial reactions.
Donuts, Uniregistry and Famous Four Media, which combined are responsible for over a fifth of all applications, have all responded so far, so we’re printing their statements here in full.
As a reminder, two reports published by ICANN today a) strongly warn against delegating so-called “dotless” domains and b) present significant evidence that “internal name collisions” are a real and present danger to the security and stability of many private networks.
ICANN, in response to the internal name collision issue, proposed to delay 20% of all new gTLD applications for three to six more months while more research is carried out.
It also wants to ask new gTLD registries to conduct outreach to internet users potentially affected by their delegated gTLD strings.
Of the three, Donuts seems most upset. It sent us the following statement:

One has to wonder about the timing of these reports and the motivations behind them. Donuts believes, and our own research confirms satisfactorily to us, that dotless domains and name collision are not threatening to the stability and security of the domain name system.
Name collisions, such as the NxD (in the technical parlance) collisions studied in this report, happen every day in .com, yet the study did not quantify those and Verisign does not block those names from being registered.
We’re concerned about false impressions being deliberately created and believe the reports are commercially or competitively motivated.
There is little reason to pre-empt dotless domains now when there are ICANN processes in place to evaluate them in due course. We don’t believe that ICANN resources need to be deployed at this point on understanding the potential innovations of possible uses nor any security harms.
We also think that name collision is an overstated issue. Rather than take the overdone step of halting or delaying these TLDs, if the issue really is such a concern, it would be wiser to focus on the second-level names where a conflict could occur.
As the NTIA recently wrote, Verisign’s inconsistencies on technical issues are very troubling. These issues have been thoroughly studied for some time. It’s far past due to conclude this eight-year process and move to delegation.

As I haven’t previously heard any reason to doubt Interisle Consulting’s impartiality or question its motivation in writing the name collisions report, I asked Donuts for clarification, but the company declined to elaborate.
Interisle has been working with ICANN for some time on various technical studies and is also one of the new gTLD program’s independent evaluators, responsible for registry services evaluations.
Uniregistry CEO Frank Schilling was also unhappy with the report. He sent the following statement:

We are deeply dismayed by this new report, both by its substance and its timing. On the substance, the concerns addressed by the report relate, primarily if not solely, to solvable problems created by third-parties using the DNS in non-standard ways. We expect that any problems will be addressed quickly by the companies and individuals that caused them in the first place.
On ICANN’s timing, it is, coming just as the first new gTLDs are prepared to launch, very late and, quite obviously, highly disruptive to the long-standing business plans of the companies that relied on ICANN’s guidebook and stated timelines. Uniregistry believes that the best approach is to move forward with the launch of all new gTLDs on the existing schedule.

Finally, Famous Four Media is slightly more relaxed about the situation, judging by the statement it sent us:

Famous Four Media’s primary concern is the security and stability of the Internet. Since this is in the interest of all parties involved in the new gTLD program from registries to registrants and all in between Famous Four Media welcomes these proposals.
Whilst the latest report, and the consequent ICANN proposals, will inevitably cause delays and additional costs in the launches of new gTLDs, Famous Four Media does not believe it will impact its go-to-market plans significantly. The majority of our TLD strings are considered “low risk” and see this in a very positive light although other applicants might not afford to be as sanguine.

According to the DI PRO New gTLD Application Tracker, which has been updated with the risk levels ICANN says each applied-for gTLD poses, 18 of Famous Four’s 60 original applications are in the riskiest two categories, compared to 23 of Uniregistry’s 54 and 102 of Donuts’ 307.


New gTLDs are the new Y2K: .corp and .home are doomed and everything else is delayed

Kevin Murphy, August 6, 2013, Domain Registries

The proposed gTLDs .home and .corp create risks to the internet comparable to the Millennium Bug, which terrorized a burgeoning internet at the turn of the century, and should be rejected.
Meanwhile, every other gTLD that has been applied for in the current round could be delayed by months in order to mitigate the risks they pose to internet users.
These are the conclusions ICANN has drawn from Interisle Consulting’s independent study into the problems that could be caused when new gTLDs clash with widely-used internal naming systems.
The extensive study, which drew on 8TB of traffic data provided by 11 of the 13 DNS root server operators, is 197 pages long and absolutely fascinating. It was published by ICANN today.
As Interisle CEO Lyman Chapin reported at the ICANN meeting in Durban a few weeks ago, the large majority of TLDs that have been applied for in the current round already receive large amounts of error traffic:

Of the 1,409 distinct applied-for TLD strings, 1,367 appeared at least once in the 2013 DITL [Day In the Life of the Internet] data with the string at the TLD position.

We’ve previously reported on the volume of queries new gTLDs get, such as the fact that .home gets half a billion hits a day and that 3% of all requests were for strings that have been applied for in the current round.
The extra value in Interisle’s report comes when it starts to figure out how many end points are making these requests, and how many second-level domains they’re looking for.
These are vitally important factors for assessing the scale of the risk of each TLD.
Again, .home and .corp appear to be the most dangerous.
Interisle capped the number of second-level domains it counted in the 2013 data at 100,000 per TLD per root server — 1,100,000 domains in total — and .home was the only TLD string to hit this cap.
Cisco Systems’ proposed .cisco TLD came close, failing to hit the cap in only one of the 11 root servers providing data, while .box and .iinet (both also used widely on home routers) hit the cap on at least one root server.
The lowest count of second-level domains of the 35 listed in the report came from .hsbc, the bank brand, but even that number was a not-inconsiderable 2,000.
Why are these requests being made?
Surprisingly, interactions between a security feature in Google’s own Chrome browser and common residential routers appear to be the biggest cause of queries for non-existent TLDs.
That issue, which impacts mainly .home, accounts for about 46% of the requests counted, according to the report.
In second place, with 15% of the queries, are requests for real domain names that appear to have had a non-existent TLD — again, usually .home — appended by a residential router or cable modem.
Apparent typos — where a user enters a URL but forgets to type the TLD — were a relatively small percentage of requests, coming in at under 1% of queries.
The study also found that bad requests come from many thousands of sources. This table compares the number of requests to the number of sources.
[table id=14 /]
The “Count” column is the number, in thousands, of requests for each TLD string. The “Prefix Count” column refers to the number of sources providing this traffic, counted by the /24 IP address block (each of which is up to 256 potential hosts).
As you can see, there’s not necessarily a correlation between the number of requests a TLD gets and the number of people making the requests — .google gets queried by more sources than the others, but it’s only ranked 24 in terms of overall query volume, for example.
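The same three measurements (request count, distinct /24 source blocks and capped second-level domain count per non-delegated TLD) can be taken from an operator's own resolver logs to gauge collision exposure. The sketch below is an added example, not Interisle's code; the sample queries, the `DELEGATED` set and the /48 grouping for IPv6 sources are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, queried name) pairs as a resolver log might record them.
SAMPLE_QUERIES = [
    ("192.0.2.10", "printer.home."),
    ("192.0.2.77", "nas.home."),
    ("198.51.100.5", "www.example.com.home."),  # real name with .home appended
    ("203.0.113.9", "mail.corp."),
    ("203.0.113.200", "mail.corp."),
    ("198.51.100.5", "intranet.corp."),
    ("192.0.2.10", "www.example.com."),          # delegated TLD, ignored
    ("2001:db8::1", "wiki.corp."),
]

DELEGATED = {"com", "net", "org", "uk"}  # assumption: stand-in for the real root zone list
SLD_CAP = 100_000  # the per-TLD cap on counted second-level domains cited in the article


def source_prefix(ip):
    """Collapse an address to its /24 block (IPv4); /48 for IPv6 is an assumption."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def tally(queries, delegated=DELEGATED, sld_cap=SLD_CAP):
    """Per non-delegated TLD: query count, distinct source prefixes, distinct SLDs."""
    stats = defaultdict(lambda: {"count": 0, "prefixes": set(), "slds": set()})
    for ip, name in queries:
        labels = name.rstrip(".").lower().split(".")
        tld = labels[-1]
        if not tld or tld in delegated:
            continue  # root query or a TLD that already exists
        row = stats[tld]
        row["count"] += 1
        row["prefixes"].add(source_prefix(ip))
        # Stop recording new SLDs once the cap is reached, as the study did.
        if len(labels) > 1 and len(row["slds"]) < sld_cap:
            row["slds"].add(labels[-2])
    return {
        tld: {"count": r["count"], "prefix_count": len(r["prefixes"]),
              "sld_count": len(r["slds"])}
        for tld, r in stats.items()
    }


if __name__ == "__main__":
    for tld, row in sorted(tally(SAMPLE_QUERIES).items()):
        print(tld, row)
```

Two hosts in the same /24 count as one source, which is why a high query volume and a high prefix count do not have to go together.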
Interisle concluded from all this that .corp and .home are simply too dangerous to delegate, comparing the problem to the year 2000 bug, where a global effort was required to make sure software could support the four-digit dating scheme required by the turn of the century.
Here’s what the report says about .corp:

users could be taken to the wrong web site (and possibly be exposed to phishing attacks) or told that web sites do not exist when they do, depending on how the .corp TLD is resolved. A corporate mail system might attempt to deliver email to the wrong server, and this could expose sensitive or confidential information to someone who was not supposed to receive it. In essence, everything deployed in the private network would need to be checked.
There are no easy solutions to these problems. In an ideal world, the operators of these private networks would get a timely notification of the new TLD’s delegation and then take action to address these issues. That seems very improbable. Even if ICANN generated sufficient publicity about the new TLD’s delegation, there is no guarantee that this will come to the attention of the management or operators of the private networks that could be jeopardized by the delegation.

It seems reasonable to estimate that the amount of effort involved might be comparable to a wholesale renumbering of the internal network or the Y2K problem.

It notes that applied-for TLDs such as .site, .office, .group and .inc appear to be used in similar ways to .home and .corp, but do not appear to present as broad a risk.
To be clear, the risk we’re talking about here isn’t just people typing the wrong things into browsers, it’s about the infrastructure on many thousands of private networks starting to make the wrong security assumptions about domain names.
ICANN, in response, has outlined a series of measures sure to infuriate many gTLD applicants, but which are consistent with its goal to protect the security and stability of the internet.
They’re also consistent with some of the recommendations put forward by Verisign over the last few months in its campaign to show that new gTLDs pose huge risks.
First, .corp and .home are dead. These two strings have been categorized “high risk” by ICANN, which said:

Given the risk level presented by these strings, ICANN proposes not to delegate either one until such time that an applicant can demonstrate that its proposed string should be classified as low risk

Given the Y2K-scale effort required to mitigate the risks, and the fact that the eventual pay-off wouldn’t compensate for the work, I feel fairly confident in saying the two strings will never be delegated.
Another 80% of the applied-for strings have been categorized “low risk”. ICANN has published a spreadsheet explaining which string falls into which category. Low risk does not mean they get off scot-free, however.
First, all registries for low-risk strings will not be allowed to activate any domain names in their gTLD for 120 days after contract signing.
Second, for 30 days after a gTLD is delegated the new registries will have to reach out to the owners of each IP address that attempts to query names in that gTLD, to try to mitigate the risk of internal name collisions.
This, as applicants will no doubt quickly argue, is going to place them under a massive cost burden.
But their outlook is considerably brighter than that of the remaining 20% of applications, which are categorized as “uncalculated risk” and face a further three to six months of delay while ICANN conducts further studies into whether they’re each “high” or “low” risk strings.
In other words, the new gTLD program is about to see its biggest shake-up since the GAC delivered its Advice in Beijing, adding potentially millions in costs and delays for applicants.
ICANN’s proposed mitigation efforts are now open for public comment.
One has to wonder why the hell ICANN didn’t do this study two years ago.


Dotless domains “dangerous”, security study says

Kevin Murphy, August 6, 2013, Domain Tech

An independent security study has given ICANN a couple dozen very good reasons to continue to outlaw “dotless” domain names, but stopped short of recommending an outright ban.
The study, conducted by boutique security outfit Carve Systems and published by ICANN this morning, confirms that dotless domains — as it sounds, a single TLD label with no second-level domain and no dot — are potentially “dangerous”.
If dotless domains were to be allowed by ICANN, internet users may unwittingly send their private data across the internet instead of a local network, Carve found.
That’s basically the same “internal name collision” problem outlined in a separate paper, also published today, by Interisle Consulting (more on that later).
But dotless domains would also open up networks to serious vulnerabilities such as cookie leakage and cross-site scripting attacks, according to the report.
“A bug in a dotless website could be used to target any website a user frequents,” it says.
Internet Explorer, one of the many applications tested by Carve, automatically assumes dotless domains are local network resources and gives them a higher degree of trust, it says.
Such domains also pose risks to users of standard local networking software and residential internet routers, the study found. It’s not just Windows boxes either — MacOS and Unix could also be affected.
These are just a few of the 25 distinct security risks Carve identified, 10 of which are considered serious.
ICANN has a default prohibition on dotless gTLDs in the new gTLD Applicant Guidebook, but it’s allowed would-be registries to specially request the ability to go dotless via Extended Evaluation and the Registry Services Evaluation Process (with no guarantee of success, of course).
So far, Google is the only high-profile new gTLD applicant to say it wants a dotless domain. It wants to turn .search into such a service and expects to make a request for it via RSEP.
Other portfolio applicants, such as Donuts and Uniregistry, have also said they’re in favor of dotless gTLDs.
Given the breadth of the potential problems identified by Carve, you might expect a recommendation that dotless domains should be banned outright. But that didn’t happen.
Instead, the company has recommended that only certain strings likely to have a huge impact on many internet users — such as “mail” and “local” — be permanently prohibited as dotless TLDs.
It also recommends lots of ways ICANN could allow dotless domains and mitigate the risk. For example, it suggests massive educational outreach to hardware and software vendors and to end users.

Establish guidelines for software and hardware manufacturers to follow when selecting default dotless names for use on private networks. These organizations should use names from a restricted set of dotless domain names that will never be allowed on the public Internet.

Given that most people have never heard of ICANN, that internet standards generally take a long time to adopt, and allowing for regular hardware upgrade cycles, I couldn’t see ICANN pulling off such a feat for at least five to 10 years.
I can’t see ICANN approving any dotless domains any time soon, but it does appear to have wiggle-room in future. ICANN said:

The ICANN Board New gTLD Program Committee (NGPC) will consider dotless domain names and an appropriate risk mitigation approach at its upcoming meeting in August.
