Hackers break .mobi after Whois domain expires
It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.
White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.
Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.
WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.
Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.
GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.
Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.
More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.
WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.
“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.
They said they would have also been able to send malicious code payloads to vulnerable Whois clients.
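The root cause the research describes is a lookup table of Whois servers that was hard-coded years ago and never rechecked. One defensive check, written here as an added example that is not WatchTowr's, Identity Digital's or any registrar's code, is to compare each hard-coded entry against the `whois:` referral that IANA's own server (whois.iana.org, port 43) returns for the TLD, and flag any mismatch. The hard-coded table and the IANA response text below are constructed for the example (the stale whois.dotmobiregistry.net entry and the current whois.nic.mobi value are the ones the article reports); the optional live query function is an assumption about how a tool would fetch the real referral.

```python
"""Flag hard-coded Whois server entries that no longer match IANA's referral."""
import socket

# Constructed excerpt in the line-oriented "key: value" format that whois.iana.org
# returns for a TLD query. Only the "whois:" field matters for this check.
SAMPLE_IANA_RESPONSE = """\
% IANA WHOIS server
% This query returned 1 object

domain:       MOBI

organisation: (omitted in this constructed sample)

whois:        whois.nic.mobi

status:       ACTIVE
"""

# Hypothetical hard-coded lookup table of the kind the article says several tools
# still carry. The .mobi entry is the stale one from the article; "example" is constructed.
HARDCODED_WHOIS_SERVERS = {
    "mobi": "whois.dotmobiregistry.net",
    "example": "whois.nic.example",
}


def parse_iana_whois_server(text):
    """Return the lowercase hostname from the first 'whois:' line, or None if absent."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "whois":
            return value.strip().lower() or None
    return None


def fetch_iana_whois(tld, timeout=10):
    """Live query against whois.iana.org (needs network; not used by the offline check)."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as sock:
        sock.sendall(f"{tld}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def find_stale_entries(hardcoded, iana_responses):
    """Return {tld: (configured, authoritative)} for entries that disagree with IANA.

    iana_responses maps a TLD to the raw whois.iana.org response text, so the
    comparison itself runs offline and can be unit-tested with captured responses.
    """
    stale = {}
    for tld, configured in hardcoded.items():
        response = iana_responses.get(tld)
        if response is None:
            continue  # no referral captured for this TLD; nothing to compare against
        authoritative = parse_iana_whois_server(response)
        if authoritative and authoritative != configured.lower():
            stale[tld] = (configured, authoritative)
    return stale


if __name__ == "__main__":
    # Offline run over the constructed response; swap in fetch_iana_whois(tld) for live use.
    for tld, (old, new) in find_stale_entries(
        HARDCODED_WHOIS_SERVERS, {"mobi": SAMPLE_IANA_RESPONSE}
    ).items():
        print(f".{tld}: hard-coded {old} but IANA refers to {new}")
```

Running this check periodically (and on every build of a tool that ships a Whois server list) catches exactly the drift described above before an expired referral hostname can be picked up by someone else.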
While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.
As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.
The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.
Microsoft switches two gTLDs from GoDaddy to Nominet
Microsoft has moved two of its branded gTLDs from GoDaddy’s registry back-end to Nominet’s.
Records show that .skype and .office both recently made the switch.
Microsoft had already moved six TLDs — .azure, .bing, .hotmail, .microsoft, .windows and .xbox — from Verisign to Nominet about a year ago, and .skype and .office mean its whole collection is now on Nominet’s service.
While .office isn’t technically a dot-brand because it does not have a Spec13 exemption in its ICANN contract, it is in use — you can log in to your email and other services, at least for now, via www.office.
.skype, meanwhile, has a handful of domains that work as redirects to skype.com.
Four more dot-brands switch back-ends
Four dot-brand gTLDs have recently changed their back-end providers, according to the latest records, three moving away from Verisign.
US insurance company American Family Insurance has moved its .americanfamily and .amfam from Verisign to GoDaddy, as has AARP, a US interest group representing retired people, with .aarp.
Aquarelle.com Group, a French flower delivery company, has meanwhile switched from French ccTLD operator Afnic to London-based CentralNic (which is still Team Internet’s registry brand).
The AmFam moves are notable because while Verisign has for some time been getting out of the dot-brand back-end business, most of its clients have been migrating to Identity Digital.
I count seven gTLDs making the Verisign-GoDaddy switch, compared to 60 going Verisign-Identity Digital over the last couple years. Verisign is now down to a few dozen dot-brands.
The Aquarelle.com move is notable because it’s rare for a dot-brand to use a back-end in a different time zone that predominantly uses a different language, but Team Internet does have a footprint in France and other Francophone countries so it’s perhaps not wholly weird.
Three of the dot-brands are not heavily used — .aarp has three resolving domains that redirect to aarp.org, while .amfam has about 10 names in its zone that do not publicly resolve and .americanfamily has none.
You might infer from the name “Aquarelle.com” that the company is not a big believer in the dot-brand concept, but you’d be surprisingly wrong — .aquarelle has more than 50 domains that resolve to web sites without redirecting to traditional TLDs.
Pride fails to reverse gay domains decline
There are any number of ways gay people can express themselves during Pride, but buying gay-themed domain names doesn’t appear to be one of them.
Zone files show that the .gay gTLD lost over 700 domains in June, which is recognized in most Anglophone liberal democracies as Pride Month, to end the period with about 21,400 names.
Meanwhile, .lgbt lost about 80 domains over the same period, ending the month with about 3,700 domains in its zone.
The declines were not unique to June. Both gTLDs have been on the slide for a while, with .gay peaking at 29,761 domains last November and .lgbt peaking at about 3,930 in May 2023.
.gay is managed by GoDaddy, .lgbt by Identity Digital.
Bob Parsons publishes autobiography
GoDaddy founder and former CEO Bob Parsons has published his rags-to-riches autobiography, Fire in the Hole!
Subtitled The Untold Story of My Traumatic Life and Explosive Success, the book is co-written with jobbing celebrity biographer Laura Morton, who’s previously worked with GoDaddy-sponsored racing driver Danica Patrick.
It promises to detail “the exploits of his youth, his hellish days at the mercy of Catholic school nuns, his harrowing tour of combat duty in Vietnam as a US Marine, his pioneering contributions to the software and internet industries, and his latest ventures in power sports, golf, real estate, and marketing.”
“This is a story of how I started with absolutely nothing and made over $3 billion,” Parsons said in a press release.
Published yesterday by Forefront Books, it’s already ranked #1 in Golf Biographies on Amazon.
I’m going to wait for the paperback, so I can’t speak to its contents, but cover quotes reveal that Jada Pinkett-Smith, Rob Lowe and Nick Jonas all enjoyed it.
GoDaddy getting a free pass from porn jail?
ICANN has shirked its compliance duties and is handing GoDaddy a “Get Out of Jail Free” card with proposed changes to their .xxx registry agreement, according to critics.
A recently closed public comment period saw a mixed response from the community on whether GoDaddy should be allowed to throw out inconvenient and costly terms of its 10-year-old registry contract and operate .xxx more or less like any other open gTLD.
While the deal’s chief critic, consultant and former ICANN director Michael Palage, has made a detailed case explaining why he thinks the amendments should not go ahead, other commenters agree with GoDaddy that some of its stricter registration policies are no longer needed.
Tucows said that the current .xxx rules, which require registrants to verify their identities, are “cumbersome or non-transparent”, not only adding unnecessary friction to the registration path but also amounting to the “surveillance of sex workers”.
Palage managed to persuade the At-Large Advisory Committee to submit its own comments, in which ALAC claims that GoDaddy has already “walked away” from three important contractual commitments on registrant verification and abuse reporting “unilaterally and without consequence from ICANN Contractual Compliance”.
According to Palage, when GoDaddy acquired ICM Registry from MMX a few years ago it unilaterally decided to stop verifying the identities of its registrants and did away with the unique community membership IDs that enabled it to deactivate a registrant’s entire portfolio if it was found to be in breach of the rules by, for example, publishing child sexual abuse material.
ICM also stopped donating $10 for every registration to its oversight body, IFFOR, which in turn spent the money it did receive on director salaries rather than making cash grants to child protection causes, Palage says. I’ve previously gone into some depth on this.
“I am concerned that instead of ICANN compliance holding ICM Registry accountable to these representations, they’re essentially giving them a get out of jail card free and potentially removing the ability for third parties to hold ICM Registry accountable to those representations,” Palage said during a March presentation to the ALAC.
His draft comments for the ALAC were subsequently submitted under his own name; ALAC submitted a shorter, somewhat watered down version drafted by chair Jonathan Zuck.
But ALAC and Palage are in agreement that GoDaddy should have gone through the usual Registry Services Evaluation Process if it wanted to change the terms of its contract, and that the proposed amendments set a terrible precedent. ALAC wrote:
ALAC believes that commitments made in order to operate a TLD by a Registry Operator should be enforceable, subsequently implemented by the Registry Operator, and enforced by ICANN Contractual Compliance… The ALAC is concerned that the removal of commitments, through a contract renewal, could set a precarious precedent for non-compliance without repercussion for existing Registry Operators
The Business Constituency echoed ALAC’s concerns in its own comments, as did registry operator CORE Association.
Comments in favor of the .xxx amendments came from two veteran, dissenting voices from the At-Large community, Evan Leibovitch and Carlton Samuels. They said the extra requirements in the .xxx contract were worthless anyway and that removing them would reduce confusion:
Given the benefit of hindsight, the “Sponsored gTLD” program and designation have not on the whole provided any significant benefit to the Internet-using public. As such, we welcome the removal of this designation — and any associated extra contract requirements — from all applicable Registry Agreements going forward.
Tucows’ support for the amendments is based largely on what a pain in the neck it can be — for registrant and registrar — to register a .xxx domain. Its comments explain:
Currently, to register a .xxx domain, one must become a member of the Sponsored Community, which involves a separate application process to verify eligibility. This extra step is a barrier for those looking to quickly secure a domain. Additionally, the domain cannot resolve—meaning it cannot be used to host a website—without a valid Membership ID, which is only issued after this verification process… This activation involves additional interactions between the registry, the registrant, and the registrar. Additional steps in the registration process can be a significant deterrent as they introduce complexity and time delays.
I’m not really buying the “surveillance of sex workers” claim. Porn producers in many jurisdictions, including the US, already routinely verify the identities of their performers, and keep copies of their identity documents on file, as a legal requirement to ensure their employees are not underage.
ICANN is due to publish its summary of the public comment period by May 20.
How ICANN handles the renewal of and amendments to the .xxx contract will be interesting to watch. Will the Governmental Advisory Committee get a chance to weigh in before the deal is signed? Will the board pass a resolution, or will we see a repeat of the .org renewal debacle?
GoDaddy price increases lead to revenue growth
GoDaddy last night reported domains revenue ahead of forecasts after it raised its prices and sold more higher-priced domains on the aftermarket.
The company’s Core Platform segment, which includes domains and hosting, reported first-quarter revenue up 4% compared to a year ago at $725 million, with domains revenue driving growth, up 7% to $532 million.
Domains under management stood at 84.6 million as of March 31.
“Our growth was driven by strong demand for domains in the primary and secondary market, increased pricing in the primary market and a higher average transaction value in the secondary market,” CFO Mark McCaffrey said in prepared remarks.
Aftermarket revenue was up 12% to an unspecified amount.
Including the company’s other revenue streams, GoDaddy reported net income of $401.5 million on revenue up 7% at $1.1 billion.
Verisign, the .com registry, last week reported stagnating .com growth that it blamed in part on US registrars raising their retail prices, leading to lower first-year sales and renewals.
.ai registry advises buyers not to use GoDaddy
The manager of the increasingly popular .ai ccTLD has seemingly escalated his beef with GoDaddy, now advising registrants to not transfer their .ai domains to the market-leading registrar due to technical and operational issues.
The list of approved registrars on the .ai registry web site has contained a warning about problems transferring domains into GoDaddy for many months, but now it explicitly advises against such transfers. The site reads:
We have had several problems with transfers into GoDaddy. First, you have to use auth codes of 32 characters or less. Second they can take weeks and many email and phone calls to actually do the transfer. Anyplace else the transfer is nearly instant once the receiving party does the transfer with the auth code and the domain is unlocked. With GoDaddy the auth code is just the start of a long process. For years GoDaddy could not transfer .ai domains at all. We do not advise transferring to GoDaddy and if you do don’t ask us for help, the problem is all GoDaddy.
GoDaddy has also been removed from .ai’s list of supported registrars, but registry manager Vince Cate tells me he did this at the request of GoDaddy, which he said is a reseller of Team Internet’s 1API. He declined to comment further.
I asked GoDaddy for comment a few weeks ago but did not receive one.
An earlier version of Cate’s warning, from about a year ago as .ai domains started to fly off the shelf, read:
The company Godaddy will say “domains with this extension are not transferable” when someone tries to transfer a “.ai” domain to them when a more correct error message would be “Godaddy does not know how to transfer .ai domains even though it is done using the industry standard EPP transfer command”.
It was later updated to read:
The company Godaddy will say “domains with this extension are not transferable” when someone tries to transfer a “.ai” domain to them when a more correct error message would be “Godaddy does not know how to transfer .ai domains even though it is done using the industry standard EPP transfer command”. They will also say, “Technically .ai domains are not transferable between most registrars, but we have a dedicated team that transfers them manually.” This is so wrong. All other registrars have no trouble doing them automatically. The only technical failure is at Godaddy. Because of the way Godaddy is doing this, I get many people asking me, “Vince, why don’t you let people transfer .ai domains?”, as if I was doing something wrong and not Godaddy. I do let people transfer .ai domains. All of the above registrars can do it automatically without any trouble. Really.
While the .ai domain is managed by the Government of Anguilla, Cate seems to have substantial autonomy over the registry. Much of its bare-bones web site is written in the first person.
GoDaddy’s next .xxx contract may not be a done deal
ICANN has published what could be the next version of GoDaddy’s .xxx registry contract, and is framing it as very much open to challenge.
The proposed Registry Agreement would scrap the “sponsored” designation from .xxx, substantially reduce GoDaddy’s ICANN fees, and implement the strictest child-protection measures of any gTLD, as well as make ICANN Compliance’s job a lot easier by standardizing terms on the new gTLD program’s Base RA.
But, as eager as ICANN usually is to shift legacy, pre-2012 gTLDs to the Base RA, this time it’s published the contract for public comment as if it’s something GoDaddy is unilaterally proposing.
It’s “ICM’s proposal”, according to ICANN’s public comment announcement, referring to GoDaddy subsidiary ICM Registry, and “ICM has requested to use the Base Registry Agreement form, as well as to remove the sponsorship designation of the .XXX TLD”.
This is not the language ICANN usually uses when it publishes RA renewals for public comment. Normally, the proposed contracts are presented as the result of bilateral negotiations. In this case, ICANN and ICM have been in renewal discussions for at least three years, but the contract is being presented as something GoDaddy alone has asked for.
The new RA would remove almost all references to sponsorship and to IFFOR, the pretty much toothless “sponsor” organization ICM created to get its .xxx application over the line under the rules of the Sponsored TLD application round that kicked off back in 2003.
Instead, it loads a bunch of Public Interest Commitments, aimed at replicating some of the safeguards IFFOR oversight was supposed to provide, into the Base RA.
GoDaddy would have to ban and proactively seek out and report child sexual abuse material. It would also prohibit practices that suggest the presence of CSAM, such as the inclusion of certain unspecified keywords in .xxx domains or in the corresponding web site’s content or meta-content.
(ICANN notes that these PICs may become unenforceable, depending on the outcome of current discussions about its ability to enforce content-related terms of its contracts).
GoDaddy and IFFOR have both submitted letters arguing that sponsorship is no longer required. The existence of sister gTLDs .adult, .sex, and .porn as unsponsored gTLDs, also in the GoDaddy Registry stable, proves the extra oversight is not needed, they say. Registrants polled do not object to the changes, they say.
GoDaddy’s cost structure would also change under the new deal. Not only would it save $100,000 a year by cutting off IFFOR, but it would also inherit the Base RA’s 50,000-domain threshold for paying ICANN transaction fees.
This likely means it won’t pay the $0.25 transaction fee for a while — .xxx was at about 47,500 domains under management and shrinking at the last count. It hasn’t reported DUM over 50,000 since January 2023.
While the renewal terms may seem pragmatic and not especially unreasonable, they’ve already received at least one public objection.
Consultant Michael Palage, who was on the ICANN board for the first three years of .xxx’s agonizing eight-year path to approval, took to the mic at the ICANN 79 Public Forum earlier this month to urge the board to reject GoDaddy’s request.
Palage said there have been “material violations of the Registry Agreement” that he planned to inform ICANN Compliance about. He added that approving the new deal would set a bad precedent for all the other “community” registries ICANN has contracts with.
The situation has some things in common with the controversy over the proposed acquisition of Public Internet Registry and .org a few years ago, in that the proposal entails ignoring promises made by a registry two decades ago.
Whether .xxx will attract the same level of outrage is debatable — this deal doesn’t involve nearly as many domains and does not talk to the price registrants pay — but it could attract noise from those who believe ICANN should not throw out its principles for the sake of a quieter life.
One place we might look for comment is the Governmental Advisory Committee, which was the biggest reason .xxx took so long to get approved in the first place.
But the timing of the comment period opening is interesting, coming a week after ICANN 79 closed. It will end April 29, about six weeks before the full GAC next meets en masse, at ICANN 80.
It’s not impossible that the new contract could be approved and signed before the governments get a chance to publicly haul ICANN’s board over the coals.
GlobalBlock blocking 2.5 million domains
GoDaddy-led brand protection project GlobalBlock says it is already blocking over 2.5 million domains, just a couple of weeks after its formal launch.
The GlobalBlock web site reports that 2,569,815 domains are currently being blocked across 559 extensions (a mix of ccTLDs, gTLDs, third-level domains and blockchain names), for an average of just under 4,600 per extension.
It’s difficult to extrapolate much useful information about rapid market demand for the service from this one number, for a variety of reasons.
First, the more-expensive GlobalBlock+ service can block well north of 10,000 domains, mostly homographic variants of a trademark, for a single fee, so on the most pessimistic interpretation the total could represent as few as a couple of hundred customers.
Second, GlobalBlock offered pricing incentives to existing customers of GoDaddy’s AdultBlock and Identity Digital’s Domain Protected Marks List, both of which are over a decade old, in the months-long run-up to launch.
The vanilla, single-brand GlobalBlock service retails for about $6,000 per year, with GlobalBlock+ going for closer to $9,000.