Recent Posts
- Could ICANN’s chair be ousted by NomCom?
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
.sucks explains Sunrise Premium name change
Vox Populi Registry abandonment of the .sucks “Sunrise Premium” brand in favor of a new “Market Premium” service is just a renaming, designed to reduce confusion among trademark owners, according to the company.
As we reported Sunday, all mentions of Sunrise Premium — a list of .sucks domains that will always carry a recommended $2,499 a year fee — have been expunged from the Vox Pop web site.
They were replaced with references to Market Premium, which appeared to carry all the characteristics of Sunrise Premium albeit under a new name.
Now, CEO John Berard has confirmed to DI that the program has not changed.
Rather, the new name is an effort to distance it from the regular sunrise period, which is linked to the Trademark Clearinghouse.
The decision was made following last week’s International Trademark Association conference, Berard said:
It was an insight gained from talking to people at INTA15. The intellectual property people there asked us so many times about the sunrise premium list of names that we realized we had allowed a mis-perception to take hold. This is no and never has been a relationship between that list and the TradeMark ClearingHouse. It was surprising how many people thought we had access to the TMCH (we don’t) and merely cut-and-pasted its names.
That is why we renamed it. Now called Market Premium and more clearly presented as a set of names that over time have been viewed as valuable (because they have been registered before). Names on this list will carry a suggested price of $2,499 (yes, the same as was suggested in Sunrise). Given the list is of names that the market has decided has value, it is likely it will contain trademarks.
The change may also be an attempt to head off a contractual squabble with ICANN.
Last Friday, the ICANN Business Constituency told ICANN management that if the Sunrise Premium list had been populated by names drawn from the TMCH, that would have been a breach of the .sucks Registry Agreement.
.sucks threatens ICANN with defamation claim after “extortion” letters
Vox Populi Registry has threatened to sue ICANN for defamation and other alleged breaches of US law, over allegations of “extortion” made by two of its constituencies.
The registry’s outside law firm wrote to ICANN yesterday, saying that it has “has no interest in pursuing claims at this time” but adding:
if ICANN or any of its constituent bodies (or any directly responsible member thereof) engages in any further wrongful activity that prevents the company from fulfilling its contractual obligations and operating the .SUCKS registry as both ICANN and Vox Populi envisioned, the company will have no choice but to pursue any and all remedies available to it.
The letter follows claims by the Intellectual Property Constituency that .sucks and its $1,999 annual sunrise fees constitute a “predatory” “shakedown”, claims which ICANN has forwarded to US and Canadian trade regulators for their legal opinions.
The IPC letter was followed up by similar claims by the Business Constituency on Friday.
Vox Pop now wants these constituencies, and ICANN itself, to shut up.
“Rather than assuming cooler heads will prevail, it is time to tell ICANN to stop interfering in our ability to operate the registry,” CEO John Berard said in an email to reporters. “We are not taking legal action at this point but making it clear that we reserve the right if ICANN continues in its wrong-headed approach.”
The company denies that .sucks will encourage cybersquatting, noting that like all other gTLDs it is subject to the anti-cybersquatting UDRP and URS remedies.
it would seem that ICANN is not actually concerned about cybersquatting or any other illegal activity. Rather, ICANN appears concerned that registrations on the .SUCKS registry will be used to aggregate uncomplimentary commentary about companies and products — the very purpose for the registry that Vox Populi identified in the application it submitted to ICANN, and that ICANN approved
ICANN has disseminated defamatory statements about Vox Populi and its business practices aimed at depriving Vox Populi of the benefits of its contract with ICANN. These actions further violate the duty of good faith and fair dealing that is implied in every contract… in suggesting illegality without any basis whatsoever, your actions (and those of the ICANN IPC and ICANN BC) have given rise to defamation claims against ICANN. Vox Populi hereby demands that ICANN, including any and all of its subdivisions, cease any and all such activity immediately.
There’s bucketloads of irony here, of course.
The company says it is standing up for its future registrants’ rights to free speech, but wants its own critics gagged today.
Read the letter as a PDF here.
Businesses call on regulators to stop .sucks “extortion”
ICANN’s Business Constituency wants US and Canadian regulators to intervene to prevent Vox Populi Registry, which runs .sucks, “extorting” businesses with its high sunrise fees.
The BC wrote to ICANN, the US Federal Trade Commission and the Canadian Office for Consumer Affairs on Friday, saying .sucks has employed “exploitive [sic] pricing and unfair marketing practices”.
The constituency adds its voice to Intellectual Property Constituency, which complained last month, causing ICANN to refer the matter to US and Canadian regulators.
Now, the BC has told the OCA and FTC:
We do not believe that exploitative and unfair business practices are conducive either to promoting end-user confidence in the Internet or to fair competition in the domain name space. On the contrary, the pricing structure adopted by Vox Populi for .sucks domain names is predicated purely on expecting the businesses and brands that drive global growth to pay extortionate fees for no consumer or market benefit.
…
Vox Populi’s tactics exploit businesses that neither want nor need these domain name registrations but feel unfairly pressured to register purely for defensive purposes.
The BC’s letter chooses to focus on saying sunrise names cost “$2,499 and up” (original emphasis). That’s based on the MSRP Vox Pop publishes on its web site.
In reality, Vox Pop is charging a registry fee of $1,999 per year for .sucks sunrise registrations.
Retail registrars can add hundreds of dollars in mark-up fees, but the leading corporate registrars that are selling the most .sucks sunrise names — MarkMonitor, CSC and Com Laude among them — have said that as a matter of principle they are only charging a nominal $20 to $25 processing fee.
It’s not the highest sunrise fee I’ve come across. The Chinese registry behind .top asked for $3,500 during its sunrise.
But the semantics of the .sucks TLD makes brand owners nervous and makes many of them feel that a defensive registration is a must-have.
The BC now write to regulators to “urge the FTC and OCA to expeditiously determine whether these practices constitute unfair trade practices”.
The letter points to US and Canadian regulations covering consumer protection for examples of where Vox Pop’s practices may fall short of the law.
The free speech opportunities afforded by .sucks do not outweigh the harms, the BC says.
It’s also interesting to note that while the BC appears to be running to regulators for assistance, it notes that it still fully supports the ICANN model.
There may be a degree of cognitive dissonance within the BC.
In a separate letter to ICANN, also signed by BC chair Elisa Cooper and sent yesterday, the BC seems to take issue with the fact that ICANN felt the need to report .sucks to regulators in the first place, writing:
We would like to understand the rationale for doing so. ICANN has ample authority, a clear obligation and the resources available to stop rogue practices through its contractual agreements with registries, its Compliance Department, and its broad duty to protect the public interest and the security and stability of the Internet, particularly for issues with global reach. Like all other gTLDs launched under ICANN’s program, .sucks has a global reach. It is not clear why ICANN feels it should seek clarification from these two North American agencies.
It’s worth noting that Vox Pop CEO Berard is a member of the BC via his PR agency, Credible Context. He was Cooper’s immediate predecessor as BC chair, leaving the post last year.
Correction: Thanks to the many readers who pointed out that Berard was actually the BC’s representative to the GNSO, not its chair. Apologies for the error.
The letter tells Global Domains Division president Akram Atallah that “viewed in its entirety, Vox Populi’s pricing scheme is a violation of the Rights Protection Mechanisms (RPMs)” developed for the new gTLD program, alleging it discourages use of the RPMs and encourages cybersquatting.
It claims that if Vox Pop populated its Sunrise Premium list (now known as Market Premium, it seems) with data from the Trademark Clearinghouse it could be in violation of its Registry Agreement with ICANN.
My sense has been that the names on that list were actually culled from zone files. Vox Pop has said it was compiled from lists of names that have previously been defensively registered. Most of the names in the TMCH have not been defensively registered.
The BC asks for ICANN “to take strong action”, but does not specify what, exactly, it wants.
The letter to the OCA and FTC can be read here. The letter to ICANN is here. Both are PDF files.
Has .sucks abandoned its Sunrise Premium program?
Vox Populi Registry has done away with the “Sunrise Premium” part of its .sucks launch strategy, if only in name.
The pricing page of the company’s web site no longer makes any reference to Sunrise Premium, the controversial, trademark-heavy list of .sucks domains that would cost over $2,000 a year to register and renew.
Instead, there are two new categories of names: Registry Premium and Market Premium.
Registry Premium appears to be what it was previously just calling “Premium” — individually priced high-value domains such as divorce.sucks and life.sucks. That’s in tune with standard registry practice.
The new Market Premium category appears to be the replacement for Sunrise Premium. The web site describes it like this:
In General Availability, dotSucks has created a list of domains called Market Premium names. These are names that the market over time have designated as having a high value.
Previously, Vox Pop CEO John Berard told DI and other reporters that the Sunrise Premium list had been compiled from names registered or blocked in previous sunrise periods in other TLDs.
It was characterized as an additional protection against cybersquatting, but intellectual property interests saw it as a shakedown.
It’s not obvious from the updated Vox Pop web site whether Market Premium is a ground-up rethink of the Sunrise Premium concept, or is merely an empty re-branding.
The name “Sunrise Premium” was confusing, given that such domains are not actually available during the formal sunrise period. Also, the name inextricably suggested that it was a list of trademarks.
Market Premium names are priced exactly the same as Sunrise Premium — that is, $1,999 at the registry level, with a suggested retail price of $2,499.
Market Premium names will also not be eligible for the discounted “Block” service but will “likely” be eligible for the Consumer Subsidy program. That’s no change from the policies governing the Sunrise Premium incarnation.
The registry web site now also states that purchasers of the Block service, which carries a $149 registry fee, will be able to unblock their domains if they wish to actively use them, but doing so will convert the domain into a $1,999 Market Premium name.
Defensive blocking could therefore have the eventual effect of stuffing the Market Premium list with trademarks anyway (assuming any trademark holders with blocks wish to activate their .sucks names, which seems unlikely).
I’ve put in a request for clarification about Market Premium with the registry and will provide updates when I get them.
Other updates on the .sucks price list include a removal of the $9.95 suggested retail price for Consumer Subsidy names.
Consumer Subsidy names are supposedly going to be run by a third party consumer advocacy group from Everything.sucks, but that group has not been identified by Vox Pop yet.
The fact that the registry seemingly had no deal in place but already knew the price suggested to many that Everything.sucks would just be another shell company managed by Vox Pop owner Momentous. Berard reportedly denied this publicly at the INTA 2015 conference last week.
The Vox Pop web site now states “dotSucks is hopeful that this will bring the individual consumer price below 10 dollars.”
.sucks and ICANN not invited to Congressional hearing on .sucks and ICANN
The witness list in next week’s US Congressional hearing into .sucks and ICANN accountability does not feature .sucks or ICANN.
The eight witnesses are largely drawn from outspoken critics of both ICANN and Vox Populi, either companies or trade associations and lobby groups. It’s stacked heavily in favor of intellectual property interests.
The hearing is titled “Stakeholder Perspectives on ICANN: The .sucks Domain and Essential Steps to Guarantee Trust and Accountability in the Internet’s Operation”.
With hindsight, the “Stakeholder Perspectives” bit gives away the fact that the judiciary subcommittee holding the hearing is more concerned with listening to ICANN’s critics than ICANN itself.
Mei-lan Stark, a senior intellectual property lawyer from Fox and 2014 president of the International Trademark Association, tops the list.
A critic of the new gTLD program, in 2011 Stark told Congress that the first round of new gTLDs would cost Fox “conservatively” $12 million in defensive registration fees.
It will be interesting to see if any Congresspeople confront Stark about that claim, which appeared like a gross overstatement even at the time.
One company that has been enthusiastically embracing new gTLDs — as an applicant, registry, defensive and non-defensive registrant — is Amazon, which has VP of global public policy Paul Misener on the panel.
Amazon has beef with ICANN for siding with the Governmental Advisory Committee over the battle for .amazon, which Amazon has been banned from obtaining, so it’s difficult to see the company as an overly friendly witness.
Next up is John Horton, president of LegitScript, the company that certifies legitimate online pharmacies and backs the .pharmacy new gTLD.
LegitScript is in favor of greater regulation of the domain name industry in order to make it easier to shut down potentially dangerous web sites (though opponents say it’s more often more interested in protecting Big Pharma’s profit margins). This month it called for a ban on Whois privacy for e-commerce sites.
Steve Metalitz, counsel for the Coalition for Online Accountability (a lobbyist for the movie and music industries) and six-term president of the ICANN Intellectual Property Constituency, is also on the list.
Jonathan Zuck, president of ACT The App Association (aka the Association for Competitive Technology, backed by Verisign and other tech firms) is on the list.
NetChoice director Steve DelBianco is also showing up again. He’s an ICANN hearing mainstay and I gather with this appearance he’ll be getting the final stamp on his Rayburn Building Starbucks loyalty card. That means a free latte, which is always nice.
Internet Commerce Association counsel Phil Corwin is a surprise invitee. ICA represents big domainers and is not a natural ally of the IP side of the house.
Bill Woodcock, executive director of Packet Clearing House, rounds off the list. PCH might not have instant name recognition but it provides Anycast DNS infrastructure services for scores of ccTLDs and gTLDs.
The committee hearing will take place at 10am local time next Wednesday.
A second hearing, entitled “Stakeholder Perspectives on the IANA Transition” will be held four hours later by a subcommittee of the House Energy & Commerce committee. The witnesses for that one have not yet been announced.
It’s going to be a busy day for ICANN bods on Capitol Hill.
Congress to put .sucks on trial
The US Congress is to hold a hearing to look into the .sucks gTLD and ICANN accountability.
A hearing entitled “Stakeholder Perspectives on ICANN: The .sucks Domain and Essential Steps to Guarantee Trust and Accountability in the Internet’s Operation” has been scheduled by the House Subcommittee on Courts, Intellectual Property, and the Internet
It will take place in Washington DC next Wednesday, May 13.
The list of witnesses does not yet appear to have been published.
I would guess we’d be looking at, at the very least, somebody senior from ICANN, somebody senior from .sucks registry Vox Populi, and an intellectual property lawyer.
It was ICANN’s Intellectual Property Constituency that complained about .sucks’ sunrise policies and fees, causing ICANN to refer the matter to US and Canadian trade regulators.
The title of the House hearing suggests that the .sucks controversy will be inextricably tied to the broader issue of ICANN accountability, which is currently undergoing a significant review as ICANN seeks to split permanently from US government oversight.
That’s not great optics for ICANN; I’m sure the organization would rather not have its performance judged on what is quite an unusual edge case emerging from the new gTLD program.
Whois privacy reforms incoming
Whois privacy services will become regulated by ICANN under proposals published today, but there’s a big disagreement about whether all companies should be allowed to use them.
A working group has released the first draft of its recommendations covering privacy and proxy services, which mask the identity and contact details of domain registrants.
The report says that P/P services should be accredited by ICANN much like registrars are today.
Registrars should be obliged to disclose which such services they operate or are affilated with, presumably at the risk of their Registrar Accreditation Agreement if they do not comply, the report recommends.
A highlight of the paper is a set of proposed rules governing the release of private Whois data when it is requested by intellectual property interests.
Under the proposed rules, privacy services would not be allowed to reject such requests purely because the alleged infringement deals with the content of a web site rather than just the domain.
So the identity of a private registrant of a non-infringing domain would be vulnerable to disclosure if, for example, the domain hosted bootleg content.
Registrars would be able to charge IP owners a nominal “cost recovery” fee in order to process requests and would be able to ignore spammy automated requests that did not appear to have been manually vetted.
There’d be a new arbitration process that would kick in to resolve disputes between IP interests and P/P service providers.
The 98 pages of recommendations (pdf) were drafted by the Generic Names Supporting Organization’s Privacy & Proxy Services Accreditation Issues Working Group (PPSAI) and opened for public comment today.
There are a lot of gaps in the report. Work, it seems, still needs to be done.
For example, it acknowledges that the working group didn’t reach any conclusions about what should happen when law enforcement agencies ask for private data.
The group was dominated by registrars and IP interests. There was only one LEA representative and only one governmental representative, and they participated in a very small number of teleconferences.
There was also a sharp division on the issue of who should be able to use privacy services, with two dissenting opinions attached to the report.
One faction, led by MarkMonitor and including Facebook, Domain Tools and fake pharmacy watchdog LegitScript, said that any company that engages in e-commerce transactions should be ineligible for privacy, saying: “Transparent information helps prevent malicious activity”.
Another group, comprising a handful of non-commercial stakeholders, said that no kind of activity should prevent you from registering a domain privately, pointing to the example of persecuted political groups using web sites to raise funds.
There was a general consensus, however, than merely being a commercial entity should not alone exclude you from using a P/P service.
Currently, registrar signatories to the 2013 RAA are bound by a temporary P/P policy that is set to expire January 2017 or whenever the P/P accreditation process starts.
There are a lot of recommendations in the report, and I’ve only touched on a handful here. The public comment period closes July 7.
Most ICANN new gTLD breaches were over a year ago
Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.
Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.
Most — 244 of the 330 — happened before April 30 last year.
The first breach, discovered by an independent audit of the portal, was January 22 2014.
ICANN says it was first notified of there being a problem on February 27, 2015.
The improper data disclosures were announced by ICANN last week.
As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.
Documents revealed could have included sensitive financial projections and registry technical details.
My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.
In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.
ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.
Ninety-six applicants and 21 registries were affected.
Dumb ICANN bug revealed secret financial data to new gTLD applicants
Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.
Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.
That’s according to ICANN, which released the results of a third-party audit this afternoon.
Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.
It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.
But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.
While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.
The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.
Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.
What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.
It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.
“The public/private data sharing setting can be On or Off and here it was set to On,” he said.
On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.
The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.
What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.
The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.
Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.
Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.
“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”
ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.
As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.
It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.
At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.
Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.
New gTLD zones top five million names
There are now more than five million new gTLD domain names live in the DNS.
That’s according to zone files collated by ICANN, which I’m told show 5,002,252 names across the 597 new gTLD registries providing data.
That works out to a mean of 8,378 domains per TLD, a median of 1,254.
The largest zone file is .xyz, with 877,450 names. There’s at least 100 new gTLDs with only one domain in their zones.
Due to the way ICANN’s Centralized Zone Data Service works (or doesn’t work) with access rights expiring on a pretty much daily basis, it’s virtually impossible for a third party such as DI to count up zone file numbers across every new gTLD with 100% daily accuracy.
Today, DI PRO reports a count of 4,999,024 names.
The total number of zone file domains in this post was provided by ICANN, which does not have the same CZDS restrictions as the rest of us.
Recent Comments