High-security .bank spec published

Kevin Murphy, January 5, 2012, Domain Policy

BITS, the technology arm of the Financial Services Roundtable, has published a set of specifications for new “high-security” generic top-level domains such as .bank and .pay.
The wide-ranging spec covers 31 items such as registration and acceptable use policies, abusive conduct, law enforcement compliance, registrar relations and data security.
It would also ban Whois proxy/privacy services from financial gTLDs and oblige those registries to verify that all Whois records were fully accurate at least once every six months.
The measures could be voluntarily adopted by any new gTLD applicant, but BITS wants them made mandatory for gTLDs related to financial services, which it calls “fTLDs”.
A letter sent by BITS and the American Bankers Association to ICANN management in late December (pdf) is even a bit threatening on this point:

We strongly urge that ICANN accept the [Security Standards Working Group’s] proposed standards and require their use in the evaluation process. We request notification by 31 January 2012 that ICANN commits to use these fTLD standards in the evaluation of the appropriate gTLD applications. BITS, the American Bankers Association (ABA), and the organizations involved in this effort are firmly committed to ensuring fTLDs are operated in a responsible and secure manner and will take all necessary steps to ensure that occurs.

BITS, it should be pointed out, is preparing its own .bank bid (possibly also .invest and .insure) so the new specs give a pretty good indication of what its own gTLD applications will look like.
ICANN’s Applicant Guidebook does not currently mandate any security standard, but it does say that security practices should be commensurate with the level of trust expected from the gTLD string.
Efforts within ICANN to create a formal High Security Zone Top Level Domain (HSTLD) standard basically fizzled out in late 2010 after ICANN’s board said it would not endorse its results.
That said, any applicant that chooses to adopt the new spec and can demonstrate it has the wherewithal to live up to its very strict requirements stands a pretty good chance of scoring maximum points in the security section of the gTLD application.
Declining to implement these new standards, or something very similar, is likely to be a deal-breaker for any company currently thinking about applying for a financial services gTLD.
Even if ICANN does not formally endorse the BITS-led effort, it is virtually guaranteed that the Governmental Advisory Committee will be going through every financial gTLD with a fine-toothed comb when the applications are published May 1.
The US government, via NTIA chief Larry Strickling, said this week that the GAC plans to reopen the new gTLD trademark protection debate after the applications are published.
It’s very likely that any dodgy-looking gTLDs purporting to represent regulated industries will find themselves under the microscope at that time.
The new spec was published by BITS December 20. It is endorsed by 17 companies, mostly banks. Read it in PDF format here.

Typosquatting is huge but not dangerous, study finds

Kevin Murphy, December 15, 2011, Domain Tech

A study of typosquatted domain names has found that the practice is reaching pandemic levels for the largest brands, but that there’s surprisingly little malware distribution going on.
The security company Sophos surveyed 2,249 domains that were one letter different to the .com sites of Facebook, Google, Twitter, Apple and Microsoft, and found that two thirds resolved.
Not all of those 1,502 sites were malicious typosquats; some were legitimate sites that just happened to have similarly spelled names (such as goole.com and witter.com), Sophos noted.
Apple was the most-squatted company, according to this method: resolving Microsoft typos were at 61%, Twitter at 74%, Facebook at 81%, Google at 83% and Apple at 86%.
Sophos concluded that “there is a significant typosquatting ecosystem around high-profile, often-typed domain names.”
But it did not find as much malware as it was expecting, with only one domain leading to a malware site, 0.07% of the total.
However, 2.7% of the URLs “fell into the loose category of cybercrime”, which “means they are, or have been, associated with hacking, phishing, online fraud or spamming”.
The report, which also fingers parking services from Demand Media, Sedo, Oversee and Bodis as the recipients of 37% of the typo traffic, contains much more data and is well worth a read.
Annoyingly, it appears that Sophos only surveyed .com domains, so the data doesn’t really tell us much about the impact of TLDs (such as .co) on the typosquatting problem.

Libyan registry hacked by anti-Gaddafi crackers

Kevin Murphy, August 22, 2011, Domain Registries

The official registry web site for the Libyan top-level domain has been defaced by anti-Gaddafi crackers.
Nic.ly currently looks like this:
[Screenshot: Nic.ly hacked]
The attack appears to be limited to the web server – as bit.ly domains are still resolving I assume the culprits have not managed to take control of the registry’s more important systems.
Libya famously cut itself off from the internet in March, shortly after the ongoing rebel uprising – which today arrived on the streets of Tripoli – kicked off.
The .ly domain also went completely dark in 2004 after a communication breakdown between the registry manager and IANA.
(via Sophos)

Bit-squatting – the latest risk to domain name owners

Kevin Murphy, July 26, 2011, Domain Tech

Forget phishing, cybersquatting and typosquatting: high-value domain name owners may have a whole new threat to worry about – “bit-squatting”.
This appears to be the conclusion of fascinating new research to be presented by Artem Dinaburg at the Black Hat and DEF CON hacker conferences in Las Vegas next week.
Defective internet hardware, it turns out, may be enabling a whole new category of typosquatting that could prove worrying for companies already prone to domain name abuse.
According to a summary of Dinaburg’s research, RAM chips can sometimes malfunction due to heat or radiation, resulting in “flipped bits”, where a 1 turns into a 0 or vice-versa.
Because the DNS uses ASCII encoding, a query containing a single flipped bit could actually send the user to a completely different domain name to the one they intended to visit.
To test the theory, Dinaburg appears to have registered the typo domain name mic2osoft.com. While it’s not visually confusing or a likely typo, in binary it is only one bit different to microsoft.com.
The ASCII binary code for the digit 2 is 00110010, which is only one bit different to the lower-case letter r, 01110010.
The binary for the string “microsoft” is:

011011010110100101100011011100100110111101110011011011110110011001110100

and the binary encoding for “mic2osoft” is (the single changed bit is the second bit of the fourth byte, where 01110010 for “r” becomes 00110010 for “2”):

011011010110100101100011001100100110111101110011011011110110011001110100

Therefore, if that one bit were to be accidentally flipped by a dodgy chip, the user could find themselves sending data to the bit-squatter’s domain rather than Microsoft’s official home.
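As an added example (not part of this post or of Dinaburg’s research), the script below reproduces the binary comparison above and enumerates every single-bit-flip variant of a label that is still a valid hostname. That is the list a brand owner would review for defensive registration or watch for in resolver logs; the function names are my own.

```python
import string

# Characters permitted in a DNS hostname label (the "LDH" rule: letters,
# digits, hyphen). A flip that lands outside this set cannot form a
# resolvable name, so it is dropped.
LDH = set(string.ascii_lowercase + string.digits + "-")


def to_bits(s: str) -> str:
    """Render an ASCII string as the concatenated 8-bit codes shown in the post."""
    return "".join(f"{ord(c):08b}" for c in s)


def hamming_bits(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bit_flip_variants(label: str) -> list[str]:
    """All labels exactly one bit away from `label` that are still valid LDH labels.

    Uppercase results (flipping bit 5 of a letter) are excluded on purpose:
    DNS is case-insensitive, so 'micRosoft' resolves to the same name and
    poses no squatting risk.
    """
    label = label.lower()
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LDH:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            # RFC 1123: a label may not begin or end with a hyphen
            if cand[0] == "-" or cand[-1] == "-":
                continue
            out.add(cand)
    return sorted(out)


if __name__ == "__main__":
    print(to_bits("microsoft"))
    print(to_bits("mic2osoft"))
    print("bits differing:", hamming_bits("microsoft", "mic2osoft"))
    for v in bit_flip_variants("microsoft"):
        print(v)
```

Only the brand label is enumerated; run it on each label of a domain separately, since a flip inside the TLD (for example “.com”) produces a different kind of risk that the registrant cannot address by registration.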
I would assume that this is statistically only a concern for very high-traffic domains, and only if the bit-flipping malfunction is quite widespread.
But Dinaburg, who works for the defense contractor Raytheon, seems to think that it’s serious enough to pay attention to. He wrote:

To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates.

I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.

His conference presentations will also discuss possible hardware and software solutions.
For large companies particularly at risk of typosquatting, the research may also present a good reason to conduct a review of their trademark enforcement strategies.
I’m not going to be in Vegas this year, but I’m looking forward to reading more about Dinaburg’s findings.
The annual Black Hat and DEF CON conferences are frequently the venues where some of the most beautifully creative DNS hacks are first revealed, usually by Dan Kaminsky.
Kaminsky is not discussing DNS this year, judging by the agendas.
The conferences were founded by Jeff Moss, aka The Dark Tangent, who joined ICANN as its chief security officer earlier this year.

.xxx domains to get free virus scans from McAfee

ICM Registry has signed up with security software outfit McAfee to provide automatic virus scanning for all web sites hosted at .xxx domain names.
Under the $8 million deal, “every .XXX domain will be scanned for vulnerabilities such as SQL injection, browser exploits and phishing sites, reputational analysis and malware”, ICM said in a press release.
The subscription, which is based on the McAfee Secure offering, will be included in the price of the domain, which is expected to start at around $75 at the cheapest registrars.
McAfee normally charges a lot more than that; ICM has basically negotiated a bulk discount for its customers.
There are two ways to take advantage of the deal.
First, webmasters can choose to put some code on their sites that displays the McAfee Secure logo, potentially increasing customer confidence and ergo sales.
McAfee reckons sales can go up by as much as 12% when sites use this “trust mark”, based on some split-testing it did a couple of years ago (results may vary, it adds).
Second, because McAfee is going to automatically scan every .xxx domain every day, whether the registrant wants it or not, porn surfers will be able to use McAfee SiteAdvisor, a free browser plug-in, to verify that a .xxx site is, for want of a better word, clean.
Whether you like .xxx or not, you’ve got to admit that this probably counts as a rare example of “innovation” from a domain registry.
On the flipside, registrars that already offer such services as add-ons, such as Go Daddy, won’t get the up-sell if ICM is giving it to every registrant from the registry side.
But that doesn’t seem to have stopped any registrars from signing up to sell .xxx domains.
Oddly, the press release does not name McAfee as the service provider, but its brand is all over the ICM web site so embarrassment is probably not a factor.
McAfee currently has about 80,000 sites using the service, which could easily grow to 500,000 or more if ICM gets as many registrations as it expects to.

ICANN hires hacker Dark Tangent as security chief

Kevin Murphy, April 28, 2011, Domain Tech

Noted white-hat hacker Jeff “Dark Tangent” Moss is to join ICANN as its new chief security officer.
Moss founded the Black Hat and Def Con hacker conferences (which I highly recommend), and was once a director of firewall vendor Secure Computing.
If you’re not familiar with security lingo, “hacker” in this context means he’s one of the good guys. He’s also one of a couple dozen members of the US Department of Homeland Security’s Advisory Council.
The ICANN press release announcing the appointment (pdf) is filled with plaudits from some of the industry’s top DNS security geeks.
Paul Vixie, chairman and chief scientist of the Internet Systems Consortium is quoted as saying:

This is a great hire for ICANN. Jeff’s been in the infosec community since the dawn of time and not only knows where the weak spots are but also how they got that way, and what needs to be done and by whom. He’s the ideal person to drive ICANN’s security agenda.

He’s also been named vice-president. He starts work at the ICANN Washington DC office tomorrow.

Banks to write security rules for “.bank”

Kevin Murphy, January 17, 2011, Domain Registries

Financial services firms unhappy with ICANN’s new top-level domains program are to take matters into their own hands by writing security guidelines for TLDs like “.bank”.
BITS, the technology policy arm of the Financial Services Roundtable, said it plans to develop “elevated security standards for financial gTLDs” and wants ICANN to make them mandatory.
The organization, which counts many major world banks as members, is concerned that a “.bank” in the hands of a registry with lax security could increase fraud and reduce confidence in banking online.
BITS said its guidelines would be drafted by a globally diverse working group and submitted to an international standards-setting organization for ratification.
It wants ICANN to include a single sentence in its new TLDs Applicant Guidebook, apparently incorporating the guidelines by reference:

Evaluators will use standards published by the financial services industry to determine if the applicant’s proposed security approach is commensurate with the level of trust necessary for financial services gTLDs.

An ICANN working group is working on the concept of a High Security Zone TLD for precisely this kind of application, but in September the ICANN board abruptly decided that it “will not be certifying or enforcing” the idea, apparently in order to mitigate its own corporate risk.
The BITS project appears to be in direct response to that move.
It certainly seems to be a more productive avenue of engagement than hinting at a lawsuit, which it did in a November letter to ICANN.
I’m attempting to confirm whether the BITS plan, submitted as a response to the Applicant Guidebook public comment period, is being proposed with ICANN’s backing. (UPDATE: it isn’t.)

Beckstrom: ICANN accountable to world, not just US

Kevin Murphy, December 6, 2010, Domain Policy

ICANN chief Rod Beckstrom opened the organization’s 39th public meeting in Cartagena, Colombia, with a speech that touched on many of the organization’s recent controversies and appeared to take a strong stance against US government interference.
Everything from its political tangles with the International Telecommunications Union, to the recent calls for high-security top-level domains for financial services, to Beckstrom’s own controversial pet project, the proposed DNS-CERT, got a mention.
But probably Beckstrom’s strongest statement was the one which indirectly addressed recent moves by the US government to slam the brakes on ICANN’s new top-level domains program:

We are accountable to the world, not to any one country, and everything we do must reflect that.

Beckstrom acknowledged the controversies in the new TLDs policy, given last week’s strongly worded letter from the US Department of Commerce, which was highly critical of the program.
Commerce assistant secretary Lawrence Strickling has called on ICANN to delay the program until it has justified its decision under the Affirmation of Commitments.
But this morning, Beckstrom echoed sentiments expressed on the ICANN blog last week (my emphasis):

As is often the case with policy decisions in that multi-stakeholder model, not everyone is pleased, and this diversity of opinion contributes to the policy process. For example, last week we received a critical letter from the US Department of Commerce. As with all contributions, ICANN will give these comments careful consideration as part of the implementation of the GNSO policy. We welcome the transparent way that Commerce provided their comments through the public comment process.

How ICANN chooses to deal with the demands of its former master, the US government, is one of the Cartagena meeting’s Big Questions.
Another such question is how ICANN plans to deal with ongoing threats to its legitimacy from international bodies such as the International Telecommunications Union.
Addressing ITU secretary general Hamadoun Toure directly, Beckstrom said:

We have always sought to build our relationships based on mutual respect and integrity, taking into account the unique and distinct mandates entrusted to our organizations. The strengthening of communication between us is a personal priority for me.

Security
Security is one of ICANN’s watchwords, and Beckstrom is a security guy by trade. His speeches typically address the topic to a greater or lesser extent and Cartagena was no exception.
Security policies inherently create tensions. Take, for example, controversies about the strength and enforceability of Whois policies, or Beckstrom’s own call for a DNS-CERT to oversee DNS risk.
This morning, he said:

The staff under my leadership is willing to go as far on security as the community is willing. And whatever security effort this community decides, we will do our utmost to implement and support, given sufficient resources. Because when it comes to security, how can we ever say we’ve done enough?

And now you need to tell us: where do you want us to go?
Of course, I am sure we can agree that when it comes to security, the question is not what do we want to do? Or what is popular or easy? It’s what do we owe the world? Because all of us care about the global public interest.

He took, in my view, a subtle swing at the Governmental Advisory Committee for putting security at the heart of its ongoing policy demands, while largely failing to cooperate with ICANN’s requests for information on security issues in their own jurisdictions. Beckstrom said:

We have asked GAC members to provide information about security activities in their countries. We appreciate the information some have shared but there have been few responses. As governments urge us to remain committed to security efforts, we in turn request that they help us by responding and working with the ICANN community on this vital mission.

I know there are some European ccTLD registries a bit miffed that ICANN has in recent months gone over their heads, direct to their governments, for this information, highlighting what a tricky political situation it is.
The speech also touched on internationalized domain names, with a shout-out to the recent launch of Russia’s Cyrillic ccTLD, and general global inclusion activities. I expect the text and audio to be published on the ICANN web site shortly.

“Beware of Hookers”, ICANN attendees told

Kevin Murphy, October 6, 2010, Domain Policy

ICANN has published a security guide for delegates planning to attend its meeting in Cartagena, Colombia, this December, which makes quite entertaining reading.
A highlight of the report (pdf), prepared by outside consultants Control Risks, warns attendees to steer clear of bar prostitutes who plan to take advantage of them.

All travelers should avoid bars which have public touts (or “spruikers”) standing outside encouraging them to enter. Many of these bars attract high levels of local prostitutes, some who intend to rob tourists by drugging them in the bar or in their hotel rooms.

Sage advice.
The report also recommends staying off the streets after 11pm, using official taxis, keeping your wallets clean of identifying information, and not resisting muggers/abductors.

Fight for your life, but not your possessions.

I’m cherry-picking the scary stuff here, obviously. In general, the report says Cartagena is fairly safe. Last year, there were only two kidnappings in the city.

Cartagena enjoys a mostly deserved reputation as one of the safe destinations for foreign travelers in Colombia. Certainly, violent crime rarely affects foreign visitors to the city.

ICANN has said that it will commission such reports when there is a concern that security at its chosen meeting locations may not be up to scratch.
I believe the new meetings security plan was introduced in response to the vague terrorism threats that clouded the Nairobi meeting earlier this year, keeping many flighty Americans at home.

eNom to crack down on fake pharma sites

Kevin Murphy, September 17, 2010, Domain Registrars

Demand Media is to tighten security at its domain registrar arm, eNom, after bad press blighted its recent IPO announcement.
The company has signed a deal with fake pharmacy watchdog LegitScript, following allegations that eNom sometimes turns a blind eye to illegal activity on its customers’ domains.
The news emerged in the company’s amended S-1 registration statement (large HTML file), filed with the US Securities and Exchange Commission yesterday. New text reads:

We recently entered into an agreement with LegitScript, LLC, an Internet pharmacy verification and monitoring service recognized by the National Association of Boards of Pharmacy, to assist us in identifying customers who are violating our terms of service by operating online pharmacies in violation of U.S. state or federal law.

LegitScript will provide eNom with a regularly updated list of domain names selling fake pharma, so the registrar can more efficiently turn them off. The companies have also agreed to work together on research into illegal online pharmacies.
Surrounding text has also been modified to clarify that eNom is not required, under ICANN rules, to turn off domains that are being used to conduct illegal activity.
This is a bit of a PR win for the small security outfits KnuJon and HostExploit, firms which had used the occasion of Demand’s S-1 filing to give eNom a good kicking in the tech and financial press.
HostExploit reported last month that eNom was statistically the “worst” registrar as far as illegal content goes.
ICANN executives are reportedly going to be hauled to Washington DC at the end of the month to explain the problem of fake pharma to the White House.
Registries and registrars have also been invited, and I’d be surprised if eNom is not among them.