KSK vote was NOT unanimous
ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.
Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.
I understand there was also a single abstention to Sunday’s vote.
Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.
The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.
She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.
Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).
These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.
Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.
The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.
The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.
Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.
ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.
Empty Whois a threat to the US elections?
Could a lack of Whois records thwart the fight against attempts to interfere in this year’s US elections?
That’s the threat raised by DomainTools CEO Tim Chen in a blog post, and others, this week.
Chen points to recent research by Facebook, based on an investigation by security company FireEye, that linked a large network of bogus news sites and social media accounts to the Iranian state media.
FireEye’s investigation used “historical Whois records”, presumably provided by DomainTools, to connect the dots between various domains and registrants associated with “Liberty Front Press”, a purportedly independent media organization and prolific social media user.
Facebook subsequently found that 652 accounts, pages and groups associated with the network, and removed them from its platform.
The accounts and sites in question were several years old but had been focusing primarily on politics in the UK and US since last year, Facebook said.
Based on screenshots shared by Facebook, the accounts had been used to spread political messages bashing US president Donald Trump and supporting the UK’s staunchly pro-Palestinian opposition leader Jeremy Corbyn.
Google’s research, also inspired by FireEye’s findings and Whois data, linked the network to the state-run Islamic Republic of Iran Broadcasting.
The actions by Google and Facebook come as part of their crackdown on fake news ahead of the US mid-term Congressional elections, this November, which are are largely being seen as a referendum on the Trump presidency.
Because the domains in question predate the General Data Protection Regulation and ICANN’s response to it, DomainTools was able to capture Whois records before they went dark in May.
While the records often use bogus data, registrant email addresses common to multiple domains could be used to establish common ownership.
Historical Whois data for domains registered after May 2018 is not available, which will likely degrade the utility of DomainTools’ service over time.
Chen concluded his blog post, which appeared to be written partly in response to data suggesting that GDPR has not led to a growth in spam, with this:
Domain name Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.
DomainTools is one of the founders of the new Coalition for a Secure and Transparent Internet, a lobby group devoted to encouraging legislatures to keep Whois open.
Representatives of Facebook and Iran’s government are among the members of the Expedited Policy Development Process on Whois, an emergency ICANN working group that is currently trying to write a permanent GDPR-compliant Whois policy for ICANN.
Whois privacy did NOT increase spam volumes
The advent of more-or-less blanket Whois privacy has not immediately led to the feared uptick in spam, according to researchers.
Data from Cisco’s Talos email data service, first highlighted by security company Recorded Future this week, shows spam levels have been basically flat to slightly down since ICANN’s GDPR-inspired new Whois policy came into effect May 25.
Public Talos data shows that on May 1 this year there were 433.9 billion average daily emails and 370.04 billion spams — 85.28% spam.
This was down to 361.83 billion emails and 308.05 billion spams by August 1, an 85.14% spam ratio, according to Recorded Future.
So, basically no change, and certainly not the kind of rocketing skyward of spam levels that some had feared.
Cisco compiles its data from customers of its various security products and services.
Looking at Talos’ 18-month view, it appears that spam volume has been on the decline since February, when the ratio of spam to ham was pretty much identical to post-GDPR levels.
It also shows a similar seasonal decline during the northern hemisphere’s summer 2017.
There had been a fear in some quarters that blanket Whois privacy would embolden spammers to register more domains and launch more ambitious spam campaigns, and that the lack of public data would thwart efforts to root out the spammers themselves.
While that may well transpire in future, the data seems to show that GDPR has not yet had a measurable impact on spam volume at all.
Microsoft seizes “Russian election hacking” domains
Microsoft has taken control of six domains associated with a hacker group believed to be a part of Russian military intelligence, according to the company.
Company president Brad Smith blogged yesterday that Microsoft obtained a court order allowing it to seize the names, which it believes were to be used to attack institutions including the US Senate.
The domains in question look like they could be used in spear-phishing attacks. The are: my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.
Historical Whois records archived by DomainTools show they were registered last year behind WhoisGuard, the Panama-based privacy service. Now, of course, the Whois records are all redacted due to GDPR.
Smith said that Microsoft believes intended targets besides the Senate also include the International Republican Institute and the Hudson Institute, two conservative think-tanks.
The company believes, though it did not show evidence, that the domains were created by the group it calls “Strontium”.
Strontium is also known as “Fancy Bear”, among other names. It’s believed to be backed by the GRU, Russia’s intelligence agency.
It’s the same group alleged members of which Special Counsel Robert Mueller recently indicted as part of his investigation into Russian meddling in the 2016 US presidential election.
“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith said in his blog post.
He added that Microsoft does not know whether the domains have been used in an attack yet.
Is the new Whois policy group already doomed to fail?
ICANN’s Generic Names Supporting Organization has set itself extremely aggressive, some might say impossible, targets for its emergency Whois policy work.
The GNSO Council on Thursday approved the charter for a new working group that will attempt to come up with a consensus policy for how to amend the Whois system in light of the EU’s General Data Protection Regulation.
But the vote was not unanimous — three of the six Non-Commercial Stakeholder Group councilors abstained largely because they think intellectual property interests have managed to capture the discussion before it has begun.
The three abstentions were independent consultant Ayden Ferdeline, cybersecurity policy researcher Tatiana Tropina, and privacy consultant Stephanie Perrin.
Tropina said during the Thursday meeting: “I cannot vote ‘yes’ for a document that in my opinion has parts that are not properly worded and, instead of setting the scope of the EPDP [Expedited Policy Development Process] work, set up multiple possibilities to get the work sidetracked.”
She and Ferdeline pointed specifically to section J of the approved charter (pdf), which addresses “reasonable access” to non-public Whois data.
This is the part of the policy work that will decide whether, and to what extent, entities such as trademark owners and cybersecurity researchers will be able to peek behind the curtain of post-GDPR personal data redactions and see who actually owns domain names.
There are several “gating” questions that the working group must answer before it gets to J, however, such as: what data should be collected by registrars, how data transfer to registries should be handled, and are the reasons for this data to be collected all valid?
But when it comes to section J, the abstaining NCSG councilors reckon that the Intellectual Property Community has managed to sneak in the notion that its members should get access to private data as a fait accompli. Section J reads in part:
What framework(s) for disclosure could be used to address (i) issues involving abuse of domain name registrations, including but not limited to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection, (ii) addressing appropriate law enforcement needs, and (iii) provide access to registration data based on legitimate interests not outweighed by the fundamental rights of relevant data subjects?
Ferdeline said in his abstention:
I believe that Section J includes, first and foremost, questions that unnecessarily expand the scope of this EPDP and put perceived answers — rather than genuine, open ended questions — into this important document. Overall I think this section of the charter’s scope is unnecessary and will not allow the EPDP team to complete their work in a timely manner.
Tropina said J “poses the questions that, first of all, imply by default that issues related to intellectual property protection and consumer protection require the disclosure of personal data”, adding that she was bewildered that IP interests had been lumped in with security concerns:
This wording fails me: as I am criminal lawyer working in the field of frameworks for cybercrime investigation, I do not see why cybercrime investigations are separated from law enforcement needs and go to the same basket with intellectual property protection as they are on a completely different level of legitimate demands
In short, the newly approved EPDP charter has been framed in such a way as to make discussions extremely fractious from the outset, pitting privacy interests against those of the trademark lobby on some of the most divisive wedge issues.
This is problematic given that the working group has an extremely aggressive schedule — its members have not yet even been named and yet it expects to produce its Initial Report shortly after ICANN 63, which ends October 25 this year.
It’s an absurdly short space of time to resolve questions that have dogged ICANN for almost two decades.
Will this pressure to come to agreement against the clock work in favor of the trademark community, or will it doom the policy-making process to deadlock?
Attempting to steer the WG through this minefield will be Kurt Pritz, who was confirmed by the Council as its neutral chair on Thursday, as DI first reported a week ago.
The make-up of the group has also proved contentious.
While it is a GNSO process that would lead to a Consensus Policy binding on all gTLD registries and registrars, the decision has been made to bring in voices from other areas of the community, such as the Country Code Names Supporting Organization, which will not be directly affected by the resulting policy.
There will be 29 members in total, not counting the non-voting chair.
The GNSO gets 18 of these seats at the table, comprising: three registries, three registrars, two IPC members, two ISPs, two Business Constituency members, six NCSG members (which, I imagine would be split between the privacy-focused NCUC and more IP-friendly NPOC).
But also joining the group on an equal footing will be two members of the Root Server System Advisory Committee (I’ve no idea why), two from the Security and Stability Advisory Committee, two from the ccNSO, two from the At-Large Advisory Committee and three from the Governmental Advisory Committee.
The actual individuals filling these seats will be named by their respective constituencies in the next few days, ahead of the first WG meeting July 30.
It has been said that these people could expect to devote north of 30 hours a week (unpaid of course, though any necessary travel will be comp’d) to the discussions.
ICANN found a zero-day hole in Adobe Connect
It’s looking like ICANN may have found a zero-day vulnerability in Adobe Connect, until recently its default collaboration tool.
The organization on Friday announced the results of a “forensic investigation” into the bug, and said it has reported its findings to Adobe, which is now “working on a software fix to address the root cause of the issue”.
If Adobe didn’t know about it, it looks rather like ICANN — or at least the unnamed member of the security advisory committee who found it — has bagged itself a zero-day.
ICANN had previously said that the glitch “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”.
The review found that the only person who exploited the bug was the person who discovered and disclosed it.
AC is used not only in ICANN’s public meetings but also, I understand, in closed sessions of ICANN staff, board and committees, where secret information is most likely to be shared.
After the bug was discovered, ICANN shut off the system and started using alternatives such as WebEx, to a mixed reception.
In the absence of an immediate patch from Adobe, ICANN has been testing workarounds and said it hopes to have two working ones deployed by May 3.
This would allow the tool to come back online in time for its board workshop, GDD Summit and ICANN 62, the organization said.
Data leak security glitch screws up ICANN 61 for thousands
A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.
The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.
Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.
At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.
At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.
It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.
ICANN said in the second of two statements issued yesterday:
The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.
We are working directly with Adobe and with our cloud service provider to learn more.
Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.
I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.
Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.
I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.
While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.
In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.
Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.
Lawyer: GoDaddy Whois changes a “critical” contract breach
GoDaddy is in violation of its ICANN registrar contract by throttling access to its Whois database, according to a leading industry lawyer.
Brian Winterfeldt of the Winterfeldt IP Group has written to ICANN to demand its compliance team enforces what he calls a “very serious contractual breach”.
At issue is GoDaddy’s recent practice, introduced in January, of masking key fields of Whois when accessed in an automated fashion over port 43.
The company no longer shows the name, email address or phone number of its registrants over port 43. Web-based Whois, which has CAPTCHA protection, is unaffected.
It’s been presented as an anti-spam measure. In recent years, GoDaddy has been increasingly accused (wrongly) of selling customer details to spammers pitching web hosting and SEO services, whereas in fact those details have been obtained from public Whois.
But many in the industry are livid about the changes.
Back in January, DomainTools CEO Tim Chen told us that, even as a white-listed known quantity, its port 43 access was about 2% of its former levels.
And last week competing registrar Namecheap publicly complained that Whois throttling was hindering inbound transfers from GoDaddy.
Winterfeldt wrote (pdf) that “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny
port 43 Whois access to any particular IP address”, adding:
The GoDaddy whitelist program has created a dire situation where businesses dependent upon unmasked and robust port 43 Whois access are forced to negotiate wholly subjective terms for access, and are fearful of filing complaints with ICANN because they are reticent to publicize any disruption in service, or because they fear retaliation from GoDaddy…
This is a very serious contractual breach, which threatens to undermine the stability and security of the Internet, as well as embolden other registrars to make similar unilateral changes to their own port 43 Whois services. It has persisted for far too long, having been officially implemented on January 25, 2018. The tools our communities use to do our jobs are broken. Cybersecurity teams are flying blind without port 43 Whois data. And illegal activity will proliferate online, all ostensibly in order to protect GoDaddy customers from spam emails. That is completely disproportionate and unacceptable
He did not disclose which client, if any, he was writing on behalf of, presumably due to fear of reprisals.
He added that his initial outreaches to ICANN Compliance have not proved fruitful.
ICANN said last November that it would not prosecute registrar breaches of the Whois provisions of the Registrar Accreditation Agreements, subject to certain limits, as the industry focuses on becoming compliant with the General Data Protection Regulation.
But GoDaddy has told us that the port 43 throttling is unrelated to GDPR and to the compliance waiver.
Masking Whois data, whether over port 43 or not, is likely to soon become a fact of life anyway. ICANN’s current proposal for GDPR compliance would see public Whois records gutted, with only accredited users (such as law enforcement) getting access to full records.
Registries reject lower fees for anti-abuse prowess
Registries have largely rejected a proposal for them to be offered financial incentives to lower the amount of abuse in their gTLDs.
That’s despite the idea gaining broad support from governments, intellectual property interests and restricted-registration registries.
The concept of ICANN offering discounted fees to registries that proactively fight abuse was floated by the Competition, Consumer Trust, and Consumer Choice Review Team (CCT) back in November.
It recommended in its draft report, among other things:
Consider directing ICANN org, in its discussions with registries, to negotiate amendments to existing Registry Agreements, or in negotiations of new Registry Agreements associated with subsequent rounds of new gTLDs to include provisions in the agreements providing incentives, including financial incentives for registries, especially open registries, to adopt proactive anti-abuse measures.
“Proactive” in this case would mean measures such as preventing known bad actors from registering domains, rather than just waiting for complaints to be filed.
Given that registries have been calling for lower ICANN fees in other instances, one might expect to see support from that constituency.
However, the Registries Stakeholder Group said in a document filed to ICANN’s public comment period on the CCT’s latest recommendations that, it “opposes” the idea of such financial incentives. It said:
The RySG supports recognizing and supporting the many [registry operators] that take steps to discourage abuse, but opposes amending the RA as recommended, to mandate or incentivize ‘proactive’ anti-abuse measures.
The RySG complained that such a system would require lots of complex work to arrive at a definition of abuse and what kinds of measures would qualify as “proactive”.
Even if such definitions could be found, and amendments to the standard RA successfully negotiated, there’s still no guarantee that bad registries would sign up for the incentives or stick to their promises, “resulting in no net improvement to the current situation”, the RySG said.
The group is also concerned that adding more anti-abuse clauses to the RA could increase registries’ risk of liability should they be sued over abuse carried out by their customers.
Not all registries agreed with the RySG position, however.
The informal Verified Top-Level Domains Consortium, which comprises the two registries behind .bank, .insurance and .pharmacy, filed comments supporting the proposal.
It said that gTLDs with vetted eligibility requirements see no abuse but have lower registration volumes and therefore pay higher ICANN fees on a per-domain basis. It said:
ICANN should help to offset these costs to create a more level playing field with high-volume unrestricted registries, i.e., to enhance competition as well as consumer trust. If ICANN made it more financially advantageous to verify eligibility, other registries may be encouraged to adopt this model. The outcome would be the elimination of abuse in these verified TLDs.
Outside of the industry itself, the Governmental Advisory Committee and IP interests such as the Intellectual Property Constituency and INTA, filed comments supporting anti-abuse incentives.
The IPC “strongly” supported the recommendation, but added that the finer details would need to be worked out to ensure that lower ICANN fees did not translate automatically to lower registration fees and therefore more abuse.
Shocking nobody, it added that “abuse” should include intellectual property infringements.
Conversely, the Non-Commercial Stakeholders Group said it “strongly” opposes the recommendation, on the basis that it would push ICANN into a “content policeman” role in violation of its technical mandate:
ICANN is not a US Federal Trade Commission or an anti-fraud unit or regulatory unit of any government. Providing guidance, negotiation and worse yet, financial incentives to ICANN-contracted registries for anti-abuse measures is completely outside of our competence, goals and mandates. Such acts would bring ICANN straight into the very content issues that passionately divide countries — including speech laws, competition laws, content laws of all types. It would invalidate ICANN commitments to ourselves and the global community. It would make ICANN the policemen of the Internet, not the guardians of the infrastructure. It is a role we have sworn not to undertake; a role beyond our technical expertise; and a recommendation we must not accept.
Also opposed to incentivizing anti-abuse measures was the Messaging, Malware and Mobile Anti-Abuse Working Group (an independent entity, not an ICANN working group), which said there’s no data to support such a recommendation.
The reports provide no data that showcase what the implications of altering the economic underpinnings of a highly competitive market may entail, including inadvertent side effects such as registries that already sell low price domains being rewarded with lower ICANN fees. In fact, it may ultimately result in a race to the bottom and higher rates of domain abuse.
Instead, M3AAWG said that ICANN should concentrate is contractual compliance efforts on those registries that the data shows already have large amounts of abuse — presumably meaning the likes of .top, .gdn and the Famous Four Media stable.
ICANN itself filed a comment on the proposal, pointing out that it is not able to unilaterally impose anti-abuse measures into registry agreements.
One imagines that lowering fees at a time when its own budget is under a lot of pressure would probably not be something ICANN would be eager to implement.
These comments and more were summarized in ICANN’s report on the CCT public comment period, published yesterday. The comments themselves can be found here.
The comments feed back into the CCT review team’s work ahead of its final report, which is due to be published some time during Q1.
Under its bylaws, the CCT review is one of the things that ICANN has to complete before it opens the next round of new gTLD applications.
Root crypto rollover now slated for October
ICANN has penciled in October 11 as the new date for rolling the DNS root’s cryptographic keys, a delay of a year from its original plan.
The so-called KSK rollover will see ICANN remove the deprecated 2010 Key Signing Key, leaving only the 2017 KSK active.
The KSK acts as the “trust anchor” for DNSSEC across the whole internet.
After the rollover, any network not configured to use the latest KSK would see a service interruption.
This could mean many millions of internet users being affected, but ICANN doesn’t know the extent of the possible impact for sure.
ICANN told us in November that it knows of 176 organizations in 41 countries, fairly evenly spread across the globe, that are currently not prepared to handle the new KSK.
But its data is patchy because only a tiny number of DNS resolvers are actually configured to automatically report which KSKs they’re set up to use.
Key rollovers are recommended by DNSSEC experts to reduce the risk of brute force attacks against old keys. At the root, the original plan was to roll the keys every five years.
ICANN had named October 11 2017 as the date for the first such rollover, but this was pushed back to some time in the first quarter after ICANN became aware of the lack of support for the 2017 KSK.
This was pushed back again in December to Q3 at the earliest, after ICANN admitted it still didn’t have good enough data to measure the impact of a premature roll.
Since then, ICANN has been engaged in (not always successful) outreach to networks it knows are affected and has kicked off discussions among network operators (there’s a fairly lively mailing list on the topic) to try to gauge how cautious it needs to be.
It’s now published an updated plan that’s the same as the original plan but with a date exactly one year late — October 11, 2018.
Between now and then, it will continue to try to get hold of network operators not ready to use the new keys, but it’s not expecting to completely eliminate damage. The plan reads:
Implicit in the outreach plan is the same assumption that the community had for the earlier (postponed) plan: there will likely be some systems that will fail to resolve names starting on the day of the rollover. The outreach will attempt to minimize the number of affected users while acknowledging that the operators of some resolvers will be unreachable.
The plan is open for public comment and will require the assent of the ICANN board of directors before being implemented. You have until April 2 to respond.
Recent Comments