News and Updates

MERGE! Announces a Half-Dozen Additions to Speaker's Roster for 2018 Conference in Orlando

DN Journal - Fri, 2018-06-22 22:36
The 2nd annual MERGE! conference - coming to Orlando in September - continues to take shape with 6 new additions to the speaker's roster today.
Categories: News and Updates

Access to Safe and Affordable Prescription Medications Online is a Human Right

Domain industry news - Fri, 2018-06-22 15:19

I recently served on a panel at the Toronto RightsCon 2018 conference (Making Safe Online Access to Affordable Medication Real: Addressing the UN Human Rights resolution for access to essential medicines), where I represented the perspective of Americans struggling to afford their daily medications and desperate to have safe, affordable Internet access to their prescriptions.

These Americans may not understand the inner workings of the Internet, but they do understand its mission of providing global access to information, products, and services. They know there are "bad actors" out there, as there are in any segment of our society. They also know how to find the legitimate pharmacies, and get the medications they need, at prices they can pay.

We can usually find fair prices for the things we need in a marketplace close to home, but prescription drugs in the U.S. are not fairly priced. The global marketplace available through the Internet can provide patients with fair prices for life-saving prescription medications.

However, there are people who use "rogue pharmacies" to scare patients, while at the same time maintaining the exorbitantly high cost of prescription medications. This is an ongoing, serious health crisis for many Americans who are desperate for relief and want the government to act.

The cost of prescription medications is higher in the U.S. than any other country in the world because there are no restrictions or limitations on how much companies can charge, so these "big pharma" global giants charge 'whatever the market will bear.'

These companies can increase the price of medications for any reason… or no reason whatsoever. Many people are then forced to choose between their medications and gas, food, or even their mortgage. Or, they skip doses, split pills, or forgo medications completely.

In fact, an estimated 35 million Americans fail to adhere to their prescribed drug regimens due to cost, according to a Commonwealth Fund study.[1] In another study by the Harvard School of Public Health and Kaiser Health Foundation, 50 percent of Americans said they couldn't afford medication and became sicker as a result of not taking medicine.[2]

Once again at RightsCon, it was well-noted that for years, millions of Americans facing this crisis have purchased their prescriptions from licensed, legitimate Canadian pharmacies that provide a lifeline to those in need of affordable and often life-saving daily medications. But once again, more misleading information along with impractical registration criteria seek to erode patients' trust in licensed, legitimate online pharmacies that have chosen not to register or are blocked from using a .Pharmacy domain name.

Clearly, only licensed, legitimate online pharmacies should be able to sell prescription medications upon receipt of a valid prescription and with adherence to proper safety protocols. However, neither the location of the licensed pharmacy, the domain it uses, nor the location of the patient should impact affordability or access.

After all, the Internet was created to expand freedoms, protect human rights and build a global community. Internet protocols and policies must reflect the realities of how people use the Internet today because the Internet is, in some cases, the only access patients have to affordable maintenance medications.

We believe the Internet community can and should protect access through policymaking that embraces safe, legitimate pharmacy websites regardless of their location and domain name. To do otherwise is to allow the Internet to be used as a tool for censorship.

As an advocacy organization that fights for everyday Americans, we believe that access to safe and affordable prescription medications should not be a privilege reserved for the wealthy among us. Instead, we believe it is a human right and, therefore, must be protected through cyber policymaking, effective Internet governance, and updated amendments to outmoded laws so that such policies truly meet the needs of patients.

This is a critical time for protecting our human rights at its intersection with digital technology. As a global Internet community, we must stand up to those who are using the Internet to restrict options that support and protect fair access to medicines.

All Americans deserve access to safe and affordable medications.

[1] Commonwealth Fund: http://www.commonwealthfund.org/~/media/files/publications/issue-brief/2015/jan/1800_collins_biennial_survey_brief.pdf

[2] Harvard School of Public Health and Kaiser Health Foundation: https://kaiserfamilyfoundation.files.wordpress.com/2013/01/7371.pdf

Written by Tracy Cooley, Executive Director, Campaign for Personal Prescription Importation


More under: Domain Names, Internet Governance, Web


The “disclosure” on this fake domain renewal notice is hilarious

Domain Name Wire - Fri, 2018-06-22 14:33

Senders of misleading email specifically disclaim that it’s misleading.

Domain Name Wire readers have surely received lots of fake renewal notices telling them they must pay or lose their domain name. Or, at least mislead them into thinking that.

This all ends up in my spam folder, but when I was clearing out that folder this week I decided to open one of the emails. I read the tiny fine print at the bottom and it gave me a laugh.

Here’s the email:

If you look carefully at the email you’ll see some tiny, light grey print at the bottom. It starts out with a fairly typical email disclaimer:

PLEASE NOTE:
This Email contains information intended only for the individuals or entities to which it is addressed. If you are not the intended recipient or the agent responsible for delivering it to the intended recipient, or have received this Email in error, please notify immediately the sender of this Email at the Help Center and then completely delete it. Any other action taken in reliance upon this Email is strictly prohibited, including but not limited to unauthorized copying, printing, disclosure, or distribution.

The disclaimer buries the lede. If you read on, it says you aren’t renewing your domains, just an “optimization” service for your “webside” (sic).

We do not register or renew domain names. This is not a bill or an invoice. This is a optimization offer for your webside. You are under no obligation to pay the amount stated unless you accept this purchase offer.

Then it talks about how the email complies with CAN-SPAM. It’s the second sentence that cracks me up:

Promotional material is stricly (sic) along the guidelines oft he can-spam act of 2003. They are in no way misleading.

Here’s a hint: if you have to tell people that your email is not misleading, it probably is.

Oh, by the way, I “elected to recieve notificaton (sic) offers” according to the email.

Gmail caught this email and put it in spam, warning that the link had been used to steal information. The link uses a .top domain…imagine that!

© DomainNameWire.com 2018. This is copyrighted content. Domain Name Wire full-text RSS feeds are made available for personal use only, and may not be published on any site without permission. If you see this message on a website, contact copyright (at) domainnamewire.com. Latest domain news at DNW.com: Domain Name Wire.

Related posts:
  1. Domain Renewal Scam Picks Up Speed
  2. FTC Settles with Con Artists in Domain Name Renewal Scam

Regional court in Germany to reconsider Whois data GDPR case

Domain Name Wire - Fri, 2018-06-22 12:41

Court exercises its option to re-evaluate its ruling before kicking appeal up to higher court.

A German court that ruled against an injunction last month in a Whois data dispute will reconsider its decision.

ICANN filed a legal action in Bonn after domain name registrar EPAG, which is owned by Tucows (NASDAQ: TCX), informed ICANN that it would no longer collect Admin and Tech contact information on domain registrations. EPAG made this decision based on its interpretation of the General Data Protection Regulation (GDPR).

The court denied ICANN’s request for an injunction that would have forced EPAG to continue collecting this data.

ICANN subsequently appealed the decision to a higher court.

The original court has the option to re-evaluate its decision before forwarding the case to the higher court. It has exercised this option and asked EPAG to comment on ICANN’s appellate papers.

This doesn’t necessarily mean that the lower court thinks it erred in its original decision.

EPAG is due to respond to the court within two weeks.


Related posts:
  1. Domain investors risk being left out of Whois discussion
  2. GDPR will make domain name transfers more difficult
  3. ICANN files legal action against Tucows registrar over GDPR

Domain Registrars Fined Over $2M for Scamming Australians

Domain industry news - Thu, 2018-06-21 17:31

The Federal Court has penalized two related companies, Domain Corp Pty Ltd and Domain Name Agency Pty Ltd, for tricking Australians out of a total of $2.3 million. Dan Pearce reporting in Lexology writes: "During a period spanning from November 2015 to April 2017, the Australian Competition and Consumer Commission (ACCC) had received a multitude of complaints against the two Domain Companies. During this period, over 300,000 unsolicited notices were sent to businesses requesting renewal of domain names. However, while these notices appeared to be renewal notices for existing domain names, they were actually notices for the registration of new domain names. This resulted in many businesses unwittingly signing up for a new domain name ending in a '.net.au' or a '.com' suffix that the business may not have needed or wanted."


More under: Domain Names, Law


ACLU Released Guide for Developers on How to Respond to Government Demands That Compromise Security

Domain industry news - Thu, 2018-06-21 17:13

It is not uncommon for government agents to force technology companies to create or install malicious software in products in order to help them with surveillance. The American Civil Liberties Union (ACLU) has released a guide for developers that is intended to help preserve security and customers' privacy. ACLU says: "The likelihood that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users' data with encryption. And, as companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit. ... You have the right to say no to requests that are not backed up by a court order. But by obtaining a court order demanding technical assistance, the government might try to compel you to install malware on a user's machine as a software update that appears to be entirely ordinary, and that comes directly from you. You have a right to challenge these orders in court."


More under: Cybersecurity, Law, Privacy


In a classic Plan B UDRP, two panelists don’t find RDNH

Domain Name Wire - Thu, 2018-06-21 16:25

One panelist calls it a “clear” case of RDNH, two others decline to find RDNH.

A lot of reverse domain name hijacking decisions have been handed down in UDRP cases this week. Surprisingly, the majority of panelists in a dispute over CLH.com did not find the filing an abuse of the proceedings, and their reason is even more surprising.

Compañía Logística de Hidrocarburos CLH S.A. filed the case against a domain name investor who acquired CLH.com in July 2017.

The complainant had been trying to buy the domain since 2015, before the current owner bought it for $32,000. After multiple failed purchase attempts, it filed the UDRP.

In the decision, panelists Clive N.A. Trotman and Reyes Campello Estebaranz discussed how the case has many of the hallmarks of RDNH: the complainant tried to buy the domain and filed a UDRP when it couldn’t, and CLH is a common acronym.

But they decided against RDNH, writing “Alternative views as to the legitimacy of speculation in domain name have been debated since the early days of the Policy…”

In other words, because the owner was a domain investor, they didn’t feel it was right to find RDNH.

This isn’t the first time Clive Trotman has made a questionable decision in a UDRP.

Panelist Neil Anthony Brown QC, in a dissent, said this is an obvious case of RDNH:

…In the present case, the Complainant’s case shows that it must have known it could not prove any element in the case other than the nominal requirement that it ‘has’ a trademark. Indeed, this case must be unique in the annals of domain name cases as not only does the Complainant not offer any evidence that the Respondent registered and used the domain name in bad faith but it does not allege it in any understandable way. In fairness to the Complainant, it ‘deems’ it to be so, but deeming it to be so is not evidence and it does not raise any inference or even suspicion that the domain name was registered and used in bad faith. Accordingly, as the Complainant adduced no evidence on that issue, it must have been very clear to the Complainant that it could not prove either prong of the important element of bad faith. Despite that, it alleged bad faith against the Complainant which, in any event, should not be alleged unless there is some reasonable ground for doing so.

Nor, with respect to the equally important element of rights and legitimate interests, was there any evidence offered to show that the Respondent might have done something untoward that would negate its obvious right to register a domain name which, according to the Respondent’s evidence, and as the Complainant could easily have ascertained, a good slice of the international commercial community was also using.

Instead, the Complainant’s case was substantially if not solely that it had a trademark. Even that issue is couched in a manner that does not help the Complainant’s case, either in general or on the specific issue now under consideration, as it seeks to invest that trademark with almost magical powers that it cannot possess. The Complainant’s case was that its trademarks, for it has several of them, “’shall extend to any type of goods, service or activities” and apparently anywhere in the world, including beyond Spain which is clearly where the Complainant has its principle business. For present purposes, that type of allegation is open to the inference that it is being made to harass or intimidate the domain name holder.

In addition, the history of the Complainant’s sustained efforts to buy the domain name shows that it has never believed it had an entitlement to it. It is also clear that after failing to buy the domain name, it turned to Plan B, which was to file the present claim. That approach has rightly been regarded by many panellists as raising a case for a finding of Reverse Domain Name Hijacking, as it shows the Complainant’s allegations were not genuine but were a recent invention.

In the present case, as in all such cases, the Panel has to decide what, in substance, was the intention and motivation of the Complainant in bringing the claim and on all considerations the Complainant must have known that this was a claim that, on the facts known to the Complainant, should never have been brought. The case for finding Reverse Domain name hijacking is therefore made out. Moreover, it is not a borderline case but a clear one.


Related posts:
  1. Non-Profit Urban Logic Guilty of Reverse Domain Name Hijacking
  2. Dubai Law Firm Nailed for Reverse Domain Name Hijacking
  3. Telepathy scores $40,000 from reverse domain name hijacking case

Web.com to go private in $2 billion acquisition

Domain Name Wire - Thu, 2018-06-21 13:43

Siris Capital to acquire domain name and web presence company for $25 per share.

Web.com (NASDAQ:WEB), the parent company of domain name registrars Network Solutions and Register.com, has agreed to be acquired by an affiliate of Siris Capital Group in a $2 billion deal.

Shareholders will get $25.00 per share; shares closed yesterday at $23.20. It’s a 30% premium over the 90-day volume-weighted average price for Web.com shares.

Web.com may shop for a better offer between now and August 5. It expects the transaction to close in Q4.

Once the deal is completed, Web.com will be a private company no longer traded on the NASDAQ.

The company is going through a difficult transition that has caused its short-term numbers to dip. Going private will help the company avoid short-term efforts to appease investors.

Siris Capital has taken other companies private in similar deals, such as Polycom and Digital River.


Related posts:
  1. Web.com: WebLock program will be opt-in, not opt-out
  2. Domain search progressing, but still not ready for new top level domain names
  3. Web.com gets Whois Privacy patent

Walker Edison Furniture Company hit with RDNH…again

Domain Name Wire - Thu, 2018-06-21 12:32

Time to hire a new lawyer.

Walker Edison Furniture Company or its attorney, J. Dustin Howell of Workman Nydegger, clearly doesn’t understand the Uniform Domain Name Dispute Resolution Policy (UDRP).

Last month it was found to have engaged in reverse domain name hijacking over the domain name ForestGate.com. Now the same finding has been handed down in a case it brought against the domain name ManorPark.com.

The complainant apparently doesn’t understand (or ignored) the fact that you can’t claim cybersquatting when the registration of a domain name pre-dates your trademark. In this case, it appears that Walker Edison just recently started selling a product line under the Manor Park brand. It filed an intent-to-use trademark application earlier this year.

Also, the domain name has been in use promoting Manor Park Guaranteed Investment Funds Limited, so it clearly wasn’t registered in bad faith and the owner has a legitimate interest in the domain name.

The domain owner says that Walker Edison first tried to buy the domain name before it filed the UDRP.


Related posts:
  1. Non-Profit Urban Logic Guilty of Reverse Domain Name Hijacking
  2. Dubai Law Firm Nailed for Reverse Domain Name Hijacking
  3. Telepathy scores $40,000 from reverse domain name hijacking case

.CO Stars on the Latest Domain Sales Chart Claiming the Top Spot and Tying for #2

DN Journal - Thu, 2018-06-21 03:04
.CO has had a good run since the re-purposed ccTLD started marketing itself as an abbreviation for "company" but it made an especially big splash this week.

35 end user domain name sales up to $125,000

Domain Name Wire - Wed, 2018-06-20 16:48

Sedo has facilitated lots of end user domain name sales so far this month.

It’s been three weeks since I did an end user sales list. I’ve been putting it off thanks to what has happened to Whois records as a result of GDPR. In reviewing the past few weeks of data today, I came up with a process to continue publishing end-user sales information despite restricted Whois.

(In fact, if you are interested in becoming my end user report writer, I will train you how to do this and pay you to create the weekly post. Some WordPress publishing knowledge is required. If you’re interested, contact me at andrew (at) domainnamewire.com.)

Sedo has had some strong sales this month, including Flo.com for six figures. Also note the purchase by Express Scripts, the 25th largest publicly traded company in the United States. It’s a big list, so let’s get to it!

(You can view previous lists like this here.)

Flo.com €109,160 – Flo is an electric vehicle charging service.

WSB.com $85,000 – Washington Speakers Bureau bought its acronym.

Feed.co $85,000 – I’m not sure who the buyer is, but this is an end user price.

SecureChain.com $30,000 – SecureChain is a blockchain company that maintains SecureCoin.

eFounders.com $27,500 – eFounders is a business incubator.

Supervisor.com €22,000 – I can’t tell for sure because of GDPR’d Whois records, but I believe that Supervisor.cloud upgraded to Supervisor.com.

CandyPay.com $20,000 – The website resolves to a mobile payments company in China.

Sofortpay.com €10,000 – FinTecSystems GmbH is a German company that provides banking APIs and data analysis.

HomePick.com $8,000 – HomePick is a courier service in South Korea.

Nevax.com $7,140 – Nevax is a tissue brand from Essity Hygiene and Health AB.

Life.club $7,000 – GEDANKENtanken GmbH bought this domain and is promoting a personality test.

Mcwellness.com $6,450 – The domain forwards to Mcwellness.de, which is a day spa website.

Way.fr €5,999 – This is a domain hack for the ecommerce company Wayfair.

JSL.net $5,888 – JSL Software uses the domain name JSL.com.

Triodor.com $5,500 – Triodor software is a tech company creating technologies such as solutions for the Industrial Internet of Things.

NanoCable.com $5,000 – CirrusGH Technology is a tech company with a product called NanoCable.

Afinis.com $4,945 – National Automated Clearing House Association, an electronic payments association. I don’t see any services associated with NACHA called Afinis, so this might be something new.

ScriptVision.com $4,800 – Fortune 100 pharmacy company Express Scripts.

MysteryMinds.com $3,700 – This is a really cool concept. MysteryMinds operates Mystery Lunch, which connects people at a company for networking.

ChristChurch.us $3,588 – Christ Church is a church in Illinois.

Amirco.com $3,500 – Amirco is a business logistics company.

SitePro.net $3,450 – SitePro is a website builder and domain registration business.

CampbellSolutions.com $3,260 – The buyer’s last name is Campbell.

Curanova.com $3,000 – Curanova AG is a real estate company that uses the domain name Curanova.ch.

PixFix.com $2,999 – PixFix fixes images that have been damaged by noise or JPEG compression.

LiveLib.com £2,998 – LitRes Ltd is an ebook company in Russia.

SaratogaRacecourse.com $2,850 – This is for a horse racing site.

Knowhoo.com $2,750 – Knowhoo Quickfinder Limited is a company incorporated in the UK last month.

Vibux.com $2,700 – Vibux is a Building Information Modeling (BIM) company.

LoveYourLiver.com $2,577 – This is a forward for de-liver-ance.com, the name of a product that is a supplement for liver health. Gee, think they had a problem with their domain name?

GolfPlatz.com €2,500 – The domain name forwards to a page on mygolf.ch titled “golfplaetze-schweiz”.

WeddingCinema.com $2,500 – The buyer operates a wedding videography service.

CarDog.com $2,500 – CarDog offers CRM and other SaaS solutions.

Puppetize.com $2,460 – It appears that Oracle’s DYN acquired the domain.

SoundBit.com €2,050 – Soundbit appears to be a new music service launching soon.


Related posts:
  1. What domain names Mozilla and others bought last week
  2. What domain names Goldman Sachs and others bought this week
  3. More end user domain name sales

Mechoshade busted for reverse domain name hijacking

Domain Name Wire - Wed, 2018-06-20 12:45

Window shading company filed cybersquatting complaint that had “no chance whatsoever of success”.

Mechoshade Systems, LLC, which goes by the name MechoSystems, has been found to have engaged in reverse domain name hijacking for the domain name Mecho.com.

The window shading and coverings company filed a cybersquatting dispute against Mecho Investments, which registered the domain name in 1999. The domain was registered primarily for the family’s personal and business email addresses. It chose the domain based on a family nickname and provided evidence of use for email addresses.

Upon seeing Mecho Investment’s response to the complaint, MechoSystems decided to double down rather than admit that its case was busted. National Arbitration Forum panelist David Bernstein found that the case was filed in bad faith in an abuse of the UDRP. He wrote:

…Respondent is correct that Complainant’s allegations are so weak that Complainant must have known – and at the minimum should have known – that its Complaint had no chance whatsoever of success.

On its face, the Complaint was woefully deficient. Its allegations of bad faith were themselves insufficient, and even in the absence of a Response, would have led to the rejection of this Complaint.

Complainant compounded its bad faith with its additional submission. In its Response, Respondent persuasively explained the origin of Respondent’s use of “mecho’” in the Domain Name (it was Mr. Ramirez’s grandmother’s nickname), provided proof of its legitimate use of the Domain Name, denied any knowledge of Complainant’s trademark rights (which itself eviscerates any possible finding of bad faith registration), and credibly showed that there was no bad faith use of the Domain Name (either under the examples listed in the Policy or otherwise). Instead of acknowledging these points, Complainant continued to pursue this case, including with the frivolous and demonstrably incorrect argument that use of a Domain Name for purposes of a family email address is not a legitimate interest…

…At the bare minimum, after receipt of Respondent’s Response, Complainant knew or ought to have known that Respondent has rights or legitimate interests in the Domain Name, and that Respondent’s registration and use of the Domain Name could not, under any fair interpretation of the available facts, been undertaken in bad faith. Yet Complainant nevertheless persisted with its Complaint.

Mechoshade was represented by Ryan D. Ricks, a partner at Snell & Wilmer who specializes in intellectual property law. It’s surprising to see someone who specializes in IP file such a baseless UDRP.


Related posts:
  1. Non-Profit Urban Logic Guilty of Reverse Domain Name Hijacking
  2. Dubai Law Firm Nailed for Reverse Domain Name Hijacking
  3. Telepathy scores $40,000 from reverse domain name hijacking case

Why You Must Learn to Love DNSSEC

Domain industry news - Wed, 2018-06-20 03:28

It's been nearly two months since the high profile BGP hijack attack against MyEtherwallet, where crypto thieves used BGP leaks to hijack MEW's name servers, which were on Amazon's Route53, and inserted their own fake name servers which directed victims to their own fake wallet site, thereby draining some people's wallets.

It generated a lot of discussion at the time, however, it's largely died down now, and people are content to carry on with their lives. What isn't fully appreciated is that attack has, in fact, changed the game somewhat, and this means we all have to reevaluate our assessment of DNSSEC.

Why does DNSSEC factor into a hack that was executed via BGP hijacks? Well, here's the bad news: while it's debatable how easy it is to execute BGP hijacks, there is no defined security protocol in place to prevent them. Really. Last year easyDNS had some of our own IP space hijacked and it took us about a week to get it straightened out. Thank God it was unused space, but the entire episode made me realize how loose the authentication of routing announcements really is. There's some talk around implementing RPKI, but it's a long way off, if ever.

That leaves us with DNSSEC as our main line of defence against these attacks, of which there are certainly bound to be more.

Had MyEtherwallet DNSSEC-signed its zone and, further, used TLSA pinning for its TLS certs, this attack would have been largely mitigated. Two of the resolver services which picked up the fake IP addresses for MEW were Google Public DNS and Cloudflare's 1.1.1.1, both DNSSEC-aware resolvers which would have returned validation failures instead of the fake addresses.
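To make concrete why a validating resolver would have answered SERVFAIL rather than the attacker's address, here is an added Go model of the DNSSEC chain of trust (example code, not part of the original post and not easyDNS's software). It is deliberately simplified: records are strings, the RRSIG is an Ed25519 signature over the record text, and the parent's DS is modelled as the child's public key; all names, addresses and keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ARecord is the answer a name server returns for a hostname.
type ARecord struct {
	Name string
	IP   string
}

// canonical is the byte string the zone signs (owner name plus RDATA).
func (r ARecord) canonical() []byte {
	return []byte(r.Name + " IN A " + r.IP)
}

// SignedAnswer is an A record plus the RRSIG and the DNSKEY the server
// claims it was signed with. A hijacked server can put anything here.
type SignedAnswer struct {
	Record ARecord
	RRSIG  []byte
	DNSKEY ed25519.PublicKey
}

// Zone holds the legitimate zone's signing key (hypothetical zone for the example).
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, pub: pub, priv: priv}, nil
}

// DS models what the parent publishes for this child: the key a validating
// resolver reaches through the chain from the root trust anchor.
func (z *Zone) DS() ed25519.PublicKey { return z.pub }

// Answer is what the legitimate authoritative server returns: record + valid RRSIG.
func (z *Zone) Answer(name, ip string) SignedAnswer {
	rec := ARecord{Name: name, IP: ip}
	return SignedAnswer{Record: rec, RRSIG: ed25519.Sign(z.priv, rec.canonical()), DNSKEY: z.pub}
}

// HijackedAnswer models the BGP-hijack scenario: the attacker now receives the
// traffic for the name server's IP, so it can answer with any A record and any
// DNSKEY/RRSIG of its own, but it never obtained the zone's private key.
func HijackedAnswer(name, fakeIP string) (SignedAnswer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedAnswer{}, err
	}
	rec := ARecord{Name: name, IP: fakeIP}
	return SignedAnswer{Record: rec, RRSIG: ed25519.Sign(priv, rec.canonical()), DNSKEY: pub}, nil
}

// ErrBogus stands in for the SERVFAIL a validating resolver returns.
var ErrBogus = errors.New("SERVFAIL: DNSSEC validation failed (bogus)")

// ResolveNonValidating mimics a resolver without DNSSEC: it believes whatever
// the (possibly hijacked) name server says.
func ResolveNonValidating(ans SignedAnswer) (string, error) {
	return ans.Record.IP, nil
}

// ResolveValidating mimics a validating resolver: the DNSKEY in the answer must
// match the DS delegated by the parent, and the RRSIG must verify under it.
func ResolveValidating(ans SignedAnswer, ds ed25519.PublicKey) (string, error) {
	if !bytes.Equal(ans.DNSKEY, ds) {
		return "", ErrBogus // attacker's key is not the one the parent delegated to
	}
	if !ed25519.Verify(ds, ans.Record.canonical(), ans.RRSIG) {
		return "", ErrBogus // record altered, or signed by someone else
	}
	return ans.Record.IP, nil
}

func main() {
	zone, _ := NewZone("example.test.")
	good := zone.Answer("www.example.test.", "192.0.2.10")
	fake, _ := HijackedAnswer("www.example.test.", "198.51.100.66")

	ip, _ := ResolveNonValidating(fake)
	fmt.Println("non-validating resolver, hijacked server:", ip)
	ip, err := ResolveValidating(fake, zone.DS())
	fmt.Println("validating resolver, hijacked server:", ip, err)
	ip, err = ResolveValidating(good, zone.DS())
	fmt.Println("validating resolver, legitimate server:", ip, err)
}
```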

Until now, though, DNSSEC hasn't really caught on, for two reasons:

First, historically speaking, old-style DNS poisoning attacks (not using BGP leaks) were theoretically possible but not commonplace. Even without DNSSEC, name servers added mechanisms like source port randomization, which made cache poisoning increasingly hard to pull off.

Second, DNSSEC wasn't easy to implement, and it wasn't exactly "set-and-forget". Worse, if you did it wrong, for example by botching one of your key rollovers, you would hose your own zone. There is even a website that keeps track of high-profile outages stemming from botched DNSSEC rollovers. It includes numerous entire TLD namespaces, the US military and even ISC, opendnssec.org and dnssec-tools.org, organizations that are chief advocates behind DNSSEC. Talk about the cobbler's children having no shoes!

It's no surprise then that businesses were reluctant to DNSSEC sign their zones because when they did the calculus, they thought they were more likely to experience a self-inflicted outage via DNSSEC misconfiguration than from having an attacker successfully poison or spoof their zone.

Aside from the difficulty in implementing and maintaining DNSSEC, there are also ideological objections. Those include the ideas that DNSSEC is simply flawed, insecure or doesn't solve anything because of the centralized nature of DNS' inverted-tree hierarchy.

A standard bearer for the anti-DNSSEC position is a posting called Against DNSSEC. It raises numerous objections to DNSSEC, some more tenable than others. Not long after, one of our developers, Zach Lym, posted a response to it entitled For DNSSEC, which rebutted the earlier post point-for-point. Both posts were at some point added to the Wikipedia DNSSEC citations section as embodying the opposing views on the issue.

In my mind the anti-DNSSEC article didn't age well, considering this addendum to that post's mini-FAQ:

"What's the alternative to DNSSEC?

Do nothing. The DNS does not urgently need to be secured.

All effective security on the Internet assumes that DNS lookups are unsafe. If this bothers people from a design perspective, they should consider all the other protocol interactions in TCP/IP that aren't secure: BGP4 advertisements, IP source addresses, ARP lookups. Clearly, there is some point in the TCP/IP stack where we must draw a line and say "security and privacy are built above this layer". The argument against DNSSEC simply says the line should be drawn somewhere higher than the DNS."

This is bad advice. Because BGP leaks are now a thing (Cloudflare's 1.1.1.1 was briefly BGP hijacked the morning I typed this), doing nothing is no longer an option. RPKI isn't widespread now, and the routing experts I talked to say it may never be able to scale. Since more high profile, damaging and lucrative BGP hijacks are certain to follow, at this moment DNSSEC is the only game in town to defend against this kind of attack.

Those who are operating their own ASNs can certainly use something like BGPmon or Artemis, and it's better to have route monitoring enabled than not, but that's still a matter of how fast your peers can slam the barn door shut after the horse is away. You want all of your key assets to not resolve to fake values, even for a moment, because there are ways attackers can use that brief window of time to promulgate fake DNS values that will last much much longer than the duration of the attack itself, days, weeks — a year.

Another criticism of DNSSEC is that because it relies on DNS, which is itself an inverted tree with a logically centralized root node, it is a "government or state" security system. Well, sure, in the sense that there exists an internet root and it is overseen by an entity at the discretion of a nation state, that much is true. But as much as I'm into decentralization, zero-knowledge systems, and even ideologically identify as an anarcho-capitalist, there is the practical reality that there is no clear path from where we are now to a fully decentralized anarcho utopia. Even if there is, it'll be a multi-generational slog to get there.

Eschewing the one defence we have against an attack variant that poses an existential threat to anybody whose livelihood depends on being visible over the Internet today is pretty much tilting at windmills. Even the Ethereum Name Service WG which has been working on deploying ENS enabled domains, both under the Ethereum native .ETH TLD and in legacy DNS integrations like .XYZ went with DNSSEC to authenticate the validity of the ENS integration process.

So what do you do about it?

Easy. You go ahead and sign your zones for DNSSEC. We were already working on a ground-up rewrite of our DNSSEC implementation when this happened (truth be told, I coded the first one and it kinda sucked. It didn't do anything with your DS records and was pretty shaky with key rollovers. Memo to staff: Don't let the CEO code anymore.)

When the MEW / Amazon Route53 BGP hijack happened, we went to the mattresses accelerating our rewrite; it was like the early days: sleeping at the office, pizza and coffee at 4am, the works. What we have now, well, it's something else.

Now we have easyDNSSEC™ the world's first Set-and-Forget DNSSEC™ deployment which fully eliminates the implementation hurdles I outlined above. No more worrying about botched key rollovers or remembering to re-sign the zone after an update, let alone how the hell do you get your DS records into your parent TLD? Just press the button and you're done. End-to-end DNSSEC in about 1 second.

As always, we've pushed the new system live as beta, so start with your non-essential zones. When you enable DNSSEC for your zones you'll notice your name servers will switch from easydns.* to easydnssec.* hostnames. This is because we've also signed those name server hostnames ahead of when we pull the trigger and sign easydns.com for real, which will happen soon.

Other enhanced security measures

Once you've decided to take the plunge and DNSSEC sign your zones, there are even more safeguards you can implement to further protect yourself. Some of these measures should have been implemented already anyway, like CAA. Some are not for the novice, and they are similar to the early days of DNSSEC implementations: if you miscalculate or lose track of things, you can hose your zone. Still others won't work until you sign your zone with DNSSEC (DANE), but if you combine DNSSEC signed zones with the tactics below, you will be fairly well secured against attack vectors which can be launched via BGP leaks:

  1. Implement CAA records to assert which certificate authorities can issue TLS certs for your domain. You should have these in place anyway, since the CA/Browser Forum made Certificate Authority Authorization mandatory for all CAs in 2017.
  2. Enable HTTP Public Key Pinning (HPKP) to guard against a future compromise of your CA. This one is non-trivial and you could potentially "brick" your website if you lose track of your keys. (HPKP is implemented via HTTP server headers, not in your DNS zone.)
  3. Publish TLSA records for your hostnames that are secured via TLS. TLSA records enable DANE, which can be used to issue TLS certificates on your hosts and validate them without using a central CA. Doing so is not yet widely supported in browsers, but here we can also use TLSA to assert which CAs can issue certificates on our domain and what the validation path should be.
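The two zone-side measures from that list, CAA and TLSA, as an added example (this is not easyDNS code). It builds the records in zone-file form, applies a simplified issuer-side CAA check, and shows how a TLSA record is derived from a certificate and matched against what a server presents. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for DER you would extract from a real certificate; everything runs offline.

```python
"""CAA (RFC 8659) and TLSA/DANE (RFC 6698) record construction and checking.

Added example, not easyDNS code. SAMPLE_CERT / SAMPLE_SPKI are constructed
stand-ins for real DER; nothing here touches the network.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = non-critical, 128 = issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str

    def presentation(self) -> str:
        """Zone-file form, e.g.  0 issue "letsencrypt.org" """
        return f'{self.flags} {self.tag} "{self.value}"'


def caa_allows(records: List[CAA], ca_domain: str, wildcard: bool = False) -> bool:
    """Simplified issuer-side check against one name's CAA RRset.

    issuewild records take precedence for wildcard requests when present,
    otherwise issue records apply. A value of ";" names no CA and so forbids
    issuance. A set with no issue/issuewild tags is treated as unrestricted
    here, and climbing to parent names is omitted (assumptions of this demo).
    """
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    for r in relevant:
        # parameters after ';' (e.g. validationmethods=...) are ignored here
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a service: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_from_cert(cert_der: bytes, spki_der: bytes,
                   usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Pick the selected part of the certificate, then apply the matching
    type. Default 3 1 1 = DANE-EE, SPKI, SHA-256 (the common choice)."""
    chosen = spki_der if selector == 1 else cert_der
    if matching == 0:
        data = chosen
    elif matching == 1:
        data = hashlib.sha256(chosen).digest()
    elif matching == 2:
        data = hashlib.sha512(chosen).digest()
    else:
        raise ValueError(f"unknown matching type {matching}")
    return TLSA(usage, selector, matching, data)


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented end-entity certificate satisfy the record?
    Only end-entity usages (1, 3) are handled; trust-anchor usages (0, 2)
    need the whole chain and are out of scope for this demo."""
    if record.usage not in (1, 3):
        return False
    rebuilt = tlsa_from_cert(cert_der, spki_der, record.usage,
                             record.selector, record.matching)
    return rebuilt.data == record.data


def zone_fragment(zone: str, caa: List[CAA], host: str, rec: TLSA) -> List[str]:
    """Render the records as zone-file lines."""
    lines = [f"{zone}. IN CAA {r.presentation()}" for r in caa]
    lines.append(f"{tlsa_owner(host)} IN TLSA {rec.presentation()}")
    return lines


# Constructed sample inputs (not real DER, not real records)
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subjectpublickeyinfo-der"
SAMPLE_CAA = [
    CAA(0, "issue", "letsencrypt.org"),
    CAA(0, "issuewild", ";"),                      # no wildcard certs from anyone
    CAA(0, "iodef", "mailto:hostmaster@example.com"),
]
SAMPLE_TLSA = tlsa_from_cert(SAMPLE_CERT, SAMPLE_SPKI)

if __name__ == "__main__":
    for line in zone_fragment("example.com", SAMPLE_CAA, "www.example.com", SAMPLE_TLSA):
        print(line)
```

Usage 3 (DANE-EE) pins the presented key without any CA involvement, which is why browsers do not honour it; usages 0 and 2 are the trust-anchor forms that express "which CA and which validation path", as item 3 above describes, and they require checking the full chain, which this demo leaves out. Note that a client only trusts any of this if the TLSA RRset arrived DNSSEC-validated.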

Whether or not you employ any of the additional tactics above, once you DNSSEC sign your zone, if your upstream DNS provider or the IP space for your website (or any other part of your network) gets hijacked, your DNSSEC validation will break, and those using DNSSEC enabled resolvers will not see any fake sites. An outage is preferable to a spoof at this point.
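The "validation breaks instead of serving fake data" outcome above is something you can check from the resolver side. The following added example (not easyDNS code) parses the header and flags lines that `dig` prints and applies the usual operator check: an answer carrying the `ad` flag was validated; NOERROR without `ad` means the name is unsigned (or the resolver does not validate); SERVFAIL that turns into an answer when the same query is repeated with `+cd` (checking disabled) means validation failed, which is exactly what a hijacked, unsigned-for-real answer under a signed zone looks like. The dig outputs embedded below are constructed samples, not captures from a live resolver.

```python
"""Classify what a DNSSEC-validating resolver did with a query.

Added example, not easyDNS code. The SECURE / INSECURE / BOGUS strings are
constructed dig-style outputs, not real captures.
"""
import re
from typing import Optional, Set, Tuple

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_dig(output: str) -> Tuple[str, Set[str]]:
    """Return (status, flags) from dig's text output."""
    header = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not header or not flags:
        raise ValueError("not a dig response header")
    return header.group(1), set(flags.group(1).split())


def dnssec_state(normal: str, with_cd: Optional[str] = None) -> str:
    """'secure', 'insecure', 'bogus' or 'unknown'.

    normal  : output of the plain query
    with_cd : output of the same query run with +cd, needed to tell a
              validation failure (bogus) apart from an ordinary outage
    """
    status, flags = parse_dig(normal)
    if status == "NOERROR" and "ad" in flags:
        return "secure"          # resolver validated the chain of trust
    if status == "NOERROR":
        return "insecure"        # unsigned name, or non-validating resolver
    if status == "SERVFAIL" and with_cd is not None:
        cd_status, cd_flags = parse_dig(with_cd)
        if cd_status == "NOERROR" and "cd" in cd_flags:
            return "bogus"       # data exists but failed validation
    return "unknown"


# Constructed sample outputs (shape follows dig's text format)
SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4324
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("secure  :", dnssec_state(SECURE))
    print("insecure:", dnssec_state(INSECURE))
    print("bogus   :", dnssec_state(BOGUS, BOGUS_CD))
```

Run the two queries against a validating resolver such as the ones named below and feed both outputs to `dnssec_state`; "bogus" after a change to your zone or delegation is the signal to check the DS record at the parent and the signatures before anything else.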

Most of the large resolver services such as Google, Quad9, OpenDNS and Cloudflare are all DNSSEC enabled.

Written by Mark Jeftovic, Co-Founder, easyDNS Technologies Inc.

Follow CircleID on Twitter

More under: Cyberattack, Cybersecurity, DNS, DNS Security

Categories: News and Updates

Heading Into Panama for ICANN62

Domain industry news - Tue, 2018-06-19 18:52

Well amazingly, it's that time again. Next week, individuals from around the world with a keen interest in Internet policy will head to Panama City, Panama for the second ICANN meeting of the year. As always, Brandsight will be attending to follow all of the important policy work being carried out by the community.

Before I head off to the meeting (which based on my research will actually be my 32nd ICANN meeting!), I'd like to share a preview of the major topics slated for discussion.

We will be about a month into the GDPR enforcement era and this topic will surely dominate the conversations during the week. The temporary specification ICANN issued to address WHOIS in a GDPR-compliant world has already resulted in legal action in Germany, with ICANN seeking clarity from a court regarding the requirements in the temporary specification.

The temporary specification is still new and has many questions surrounding its interpretation and enforcement, so the community will have an opportunity to get some additional clarity on those outstanding questions.

Discussion around the actual policy work to address a long-term solution to WHOIS will undoubtedly be a hotly debated topic. Since the temporary specification can only be in place for a year, the policy-making body within ICANN (the GNSO) will need to develop a bottom-up policy to effectively take its place at that time, if not before. Generally, policy work at ICANN takes several years, so to complete the policy initiative around such a contentious issue as WHOIS in a year will be challenging for sure.

In addition to issues regarding collection of WHOIS data and the development of new WHOIS policy, access to non-public WHOIS data is still unresolved. The temporary specification calls for contracted parties to provide "reasonable access" to non-public, personal information, but that is obviously open to all kinds of interpretation by different parties. We are already hearing reports of issues when access to that data has been requested.

In a late-breaking development, ICANN has just published a framework for what they call "Unified Access Model for continued access to full WHOIS." This draft document was put out by ICANN to serve as a guide for community discussion around how third-parties will access non-public WHOIS data. Undoubtedly, this recently released proposal will be a major topic of conversation during the week in Panama City.

Of course, GDPR won't be the only topic of discussion. The policy work regarding the next round of new gTLDs will also be on the agenda. The subsequent procedures group is scheduled to release their preliminary report around the time of the meeting and that will certainly be something in which folks are interested. In addition, the group looking at the Rights Protection Mechanisms will also be meeting and discussing a survey recently sent to Uniform Rapid Suspension practitioners.

As is the case with every ICANN meeting, the Governmental Advisory Committee will be meeting and working on their traditional communiqué which will be released at the end of the meeting. This is always something to watch closely due to the weight their advice carries with the ICANN board.

With so much happening in the domain name system, it's sure to be a very active meeting. I'm looking forward to seeing those who are attending and sharing the highlights of the meeting during Brandsight's traditional post-ICANN webinar on July 11th.

Written by Matt Serlin, SVP, Client Services and Operations at Brandsight


More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Privacy, Whois

Categories: News and Updates

Opting for UDRP Over URS

Domain industry news - Tue, 2018-06-19 16:49

The Internet Corporation for Assigned Names and Numbers (ICANN) implemented the Uniform Rapid Suspension System (URS) in 2013 together with three other rights protection mechanisms for trademarks. It "is not intended for use in any proceedings with open questions of fact, but only clear cases of trademark abuse" (URS Procedure 8.5). It was designed to afford rights holders claiming abusive registration of domain names with new gTLD extensions an even faster route to remedy than the Uniform Domain Name Dispute Resolution Policy (UDRP). From complaint to award, fourteen days rather than the thirty to forty days for the UDRP. (Examiners are expected to decide the complaint within 5 days of the filing of the response, URS Procedure 9.6).

Unlike the UDRP, rights holders for the URS qualify only if they have registered trademarks with proof of use in commerce and they have to be "word marks." Those claiming unregistered marks have no standing to maintain a URS proceeding. Despite these several differences, the URS is similar to the UDRP in both the language of its three-prong structure and its evidentiary demand for proving conjunctive bad faith. It is dissimilar 1) in requiring proof of cybersquatting by clear and convincing rather than preponderance of the evidence; and 2) providing a single remedy of suspension for the duration of the registration as opposed to cancellation or transfer of domain registration to rights holders. (Rights holders have the option to continue the suspension for an additional year at prevailing rates, Procedure 10.3).

How does one measure success of a rights protection mechanism? If by numbers, it has to be admitted the URS has not been enthusiastically embraced; at least, as measured by the number of rights holders who could have qualified for the URS but instead have opted for the UDRP. From 2013 to date rights holders filed less than 1,000 URS complaints, somewhere in the region of 220 per annum overwhelmingly with the Forum; 46 withdrawn before decision but a 93% or greater percentage success rate for rights holders suspending infringing domain names.

On a rough count, judging from the first six months of 2018, the number of rights holders commencing proceedings under the UDRP involving domain names with new gTLDs will be twice or more the number of complaints filed under the URS for the same period of time. Through the first week of June 2018, roughly 260 new gTLD complaints have been filed under the UDRP against 90 for the URS. If that pace continues there will be over 500 UDRP complaints for new gTLD infringements by the end of 2018 (WIPO and Forum) and 200 or less for the URS process (that is, filed with the Forum; complaints filed with the other two URS providers can be counted on one hand).

Of new gTLDs adjudicated by URS (Forum) Examiners, respondents prevailed in less than 7% of the claims (61 denials against 758 suspensions), which should give cheer to rights holders. This is for the entire four-plus years of its existence. Rights holders claiming cybersquatting with new gTLDs under the UDRP rarely fail of success, although it is instructive when they do.

Can it be assumed otherwise than rights holders prefer the UDRP process? Is it because of the remedy or the burden of proof? Or, for some other reason? Under the UDRP, rights holders have uniformly chosen transfer over cancellation. It must be that the principal inhibitory reason for opting for the UDRP is either or both the standard of proof or the sole remedy of suspension. Suspended domain names return to the pool of general availability once the registration expires, thereby risking a repeat of cybersquatting by the same respondent or someone else (which has happened).

One of these rarities of respondent prevailing in both the URS and UDRP, from last year but emblematic, involved the BLOOMBERG mark. As a general observation, respondents prevail in the URS and UDRP when rights holders fail to submit sufficient evidence of bad faith. In Bloomberg Finance L.P. v. zhang guo jie, FA1703001721683 (Forum March 31, 2017) (<bloomberg.site>) the URS Examiner explained that the "Complaint is . . . devoid of any allegations or proof of facts tending to show, even prima facie, either that Respondent has no right to or legitimate interest in the <bloomberg.site> domain name, or that the domain name was registered and is being used by Respondent in bad faith." In the subsequent UDRP proceeding [FA1704001727926 (Forum June 8, 2017)], the Panel held "even taking account of the public use which has been made of the trademark, it is a common family name which might remain open to use in good faith by any number of traders… This is not a case of an invented word with no connotation other than the goods or services of a single trader."

One explanation for rights holders preferring the UDRP is that, overall, it is easier and less risky, where the URS result is not quite as predictable as one would wish, even assuming suspension is the proper remedy. For example, in Commonwealth Bank of Australia v. WhoisGuard Protected, WhoisGuard, Inc. / Lord Oxford, D2018-0769 (WIPO May 29, 2018) (<bankwest.site> and <bankwest.website>) it is likely (based on the Respondent's emails denying bad faith) that a URS Examiner would have denied the complaint for <bankwest.site> even if it granted suspension for the dot website domain name. The Respondent stated in informal emails that "the disputed domain names are spoonerisms, and that the planned use of the disputed domain names is in respect of a website about Israel's West Bank dispute." The UDRP Panel rejected Respondent's assertions:

The Panel further finds the Respondent's assertion that the planned use of the disputed domain names is in respect of a website concerning Israel's West Bank dispute, an assertion wholly unsupported by any evidence, incredible. The Panel is also, incidentally, unable to discern how the disputed domain names are said to be spoonerisms.

It should also be obvious that many new gTLDs have particular relevance to specific businesses. So, for example, .tech, .shop, .support, .deals, .design, and .tours as extensions to domain names identical to marks in industries or businesses for which they would be appropriate are (absent explanations for using names corresponding to marks) clearly infringing, but if the combination of domain name and gTLD is also recognized as a valuable addition to a Complainant's portfolio of domain names, the strategic remedy of choice would certainly be transfer rather than suspension.

Thus, in STS Student Travel Schools AB v. Nordmann Nordmann, D2018-0736 (WIPO May 18, 2018) (<sts.tours>) and Compagnie Générale des Etablissements Michelin v. WhoisGuard, Inc., WhoisGuard Protected / Saad Zaeem, Caramel Tech Studios, D2017-0234 (WIPO April 3, 2018) (<michelin.design>) it makes sense to opt for a UDRP remedy.

In STS Student Travel Schools, the Panel found it was "likely that the Respondent had knowledge of both the Complainant and the Trade Mark at the time he registered the Disputed Domain Name. This conclusion is reinforced by the content of the website at the Disputed Domain Name, being PPC links relating to schools and education." In Compagnie Générale des Etablissements Michelin, it is possible (and this may have been counsel's concern) that the extension .design which is not logically associated with Complainant's business could have failed in a URS proceeding. Complainant could also have had a strategic reason, namely that it saw a benefit to having the .design and the UDRP was the only route for getting it. In fact, although Respondent did not formally appear it did state that it planned to develop a website for furniture, which would most likely have resulted in a failed URS even though there was some evidence of bad faith use; that is, the Examiner could have accepted the informal defense as an "open question of fact" (URS Procedure 8.5).

For the UDRP Panel, however, bad faith was predicated on Respondent's failure under Paragraph 4(c)(i) to provide any evidence of "demonstrable preparations" and under 4(b)(iv) the use of the resolving website that "provided links and 'click through' to other sites which offer products some of which may compete with those of the Complainant." Respondent's argument that it was not responsible for the registrar earning revenue failed to persuade the Panel because "[i]t is well established that where a domain name is used to generate revenue in respect of 'click through' traffic, and that traffic has been attracted because of the name's association with the Complainant, such use amounts to use in bad faith [regardless who benefits]." URS Examiners are less likely to invoke the full reasoning of UDRP Panels and more likely to apply the enhanced evidentiary standard to deny suspension.

The heavier burden of clear and convincing evidence is reflected in the most recent URS denial, Skechers U.S.A. Inc. II v. Privacy Protect, LLC (PrivacyProtect.org), FA1805001786732 (Forum June 7, 2018). In this dispute, the Examiner found that even though the domain name resolves to a parking page which, according to the screen shot provided by the Complainant, displays no information, "it seems that there is an active literary website managed by Andres Thomas Conteris and there is not any clear evidence which shows the Respondent's commercial gain over the disputed domain. In this respect, the Examiner finds that the bad faith of the Respondent is not proven by the Claimant." (For Skechers, incidentally, this is a rerun, although from a different Respondent, of a failed URS in 2015. It has prevailed in 13 URS proceedings but has never gone to the UDRP for new gTLD complaints; it has, however, filed and been successful in several country code and .com complaints.)

The point that needs emphasizing, however, is the reason for rights holders' choices. Clearly, the reduced time to remedy under the URS is not a major incentive; the most likely disincentive is either the remedy or the combination of remedy and standard of proof, where it is likely the URS Examiner will deny the complaint either for lack of concrete proof or because any doubt about there being an "open question of fact" must be charged to the Complainant. If there is any risk of denial, the obvious route would have to be the UDRP: a little more expensive, not quite as "rapid", but greater certainty where there is risk, and with a better remedy if transfer makes strategic sense.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP


More under: Domain Management, Domain Names, New TLDs, UDRP

Categories: News and Updates

Cassandra.co owner tries to hijack Cassandra.com domain name

Domain Name Wire - Tue, 2018-06-19 15:22

Company filed baseless cybersquatting dispute at WIPO.

A New York brand strategy company that uses the domain name Cassandra.co has been found to have engaged in reverse domain name hijacking in its attempt to get the domain name Cassandra.com.

Deep Focus Inc. filed the complaint against Abstract Holdings International, a domain name investment firm.

Abstract acquired the domain name in 2012 as part of a 1,427 domain name portfolio. The portfolio included many personal names such as natalia.com, jodie.com, and gabriella.com.

Deep Focus tried to buy the domain for $2,500. Abstract countered with a $200,000 price. Deep Focus then filed the UDRP as a Plan B for acquiring the domain.

A three-member World Intellectual Property Organization panel ruled that Deep Focus, which was represented by the law firm Hayes, Scott, Bonino & Ellingson, LLP, filed the case in abuse of the UDRP cybersquatting policy:

In the view of the Panel, the Complainant has disclosed no reasonable grounds for believing that the Respondent registered the disputed domain name with the Complainant or its trademark THE CASSANDRA REPORT in mind or with the intention of taking unfair advantage of the Complainant’s trademark. Nor, for the reasons set out above, has it disclosed reasonable grounds for believing that the Respondent has used the disputed domain name in bad faith. On the contrary, the Panel infers on balance that the Complainant commenced the current proceeding in the hope of acquiring the disputed domain name without paying the full price legitimately demanded by the Respondent for the sale of the disputed domain name. Noting also that the Complainant is legally represented in this proceeding, the Panel finds that that (sic) the Complaint was brought in bad faith and constitutes an abuse of the administrative proceeding.

Domain name lawyer Zak Muscovitch represented Abstract Holdings International.

© DomainNameWire.com 2018. This is copyrighted content. Domain Name Wire full-text RSS feeds are made available for personal use only, and may not be published on any site without permission. If you see this message on a website, contact copyright (at) domainnamewire.com. Latest domain news at DNW.com: Domain Name Wire.

Related posts:
  1. Non-Profit Urban Logic Guilty of Reverse Domain Name Hijacking
  2. Dubai Law Firm Nailed for Reverse Domain Name Hijacking
  3. Telepathy scores $40,000 from reverse domain name hijacking case
Categories: News and Updates

Illinois property tax appeal attorney guilty of reverse domain name hijacking

Domain Name Wire - Tue, 2018-06-19 14:03

Anastasia Poulopoulos filed a cybersquatting dispute in bad faith, panelist determines.

The owner of Appealmytaxes.BIZ, which offers a service to challenge property tax assessments in Illinois, has been found to have engaged in reverse domain name hijacking in an attempt to get the domain name Appealmytaxes.COM.

Anastasia Poulopoulos filed the case with the National Arbitration Forum arguing that the owner of AppealMyTaxes.com was cybersquatting. The owner of AppealMyTaxes.com registered the domain name before Poulopoulos registered the matching .biz. Poulopoulos subsequently registered a figurative mark made up mostly of text that reads “WWW.APPEALMYTAXES.BIZ OUR ONLY BIZNESS IS LOWERING YOUR REAL ESTATE TAXES”.

Not surprisingly, the panel didn’t find that this trademark was confusingly similar to the domain name AppealMyTaxes.com. It also found that the domain wasn’t registered in bad faith, which was the reason panelist David L. Kreider determined that Poulopoulos had engaged in reverse domain name hijacking.

It appears to the Panel that the Complainant became aware of the Respondent’s registration on May 12, 2008 of the DDN, and within weeks, acted to register her own “appealmytaxes.biz” domain name and file an application with the USPTO on June 23, 2008 to register the trademark WWW.APPEALMYTAXES.BIZ OUR ONLY BIZNESS IS LOWERING YOUR REAL ESTATE TAXES, with the intention of competing in the same professional services business as the Respondent had launched, or at that time, appeared to be preparing to launch.

The Panel concludes that the Complainant instituted these UDRP proceedings knowing that the Respondent was prior in time in registering the DDN and that the Complainant could not possibly establish the element of bad faith registration by the Respondent, which is required under the Policy Paragraph 4(a)(iii).

The Panel finds that the Complainant has engaged in Reverse Domain Name Hijacking.

Categories: News and Updates

Mugshots.com defendants face arraignment later this month

Domain Name Wire - Tue, 2018-06-19 12:37

Defendants are due in Los Angeles courtroom on June 29 for arraignment.

Sahar Sarid’s mugshot after being arrested in Florida. He faces arraignment in California later this month.

The defendants in a criminal case against Mugshots.com’s owners face arraignment on June 29, according to the Superior Court of California website.

Domain investor Sahar Sarid is among the four people named in the complaint. He faced extradition to California to face the charges brought by the Attorney General there. The extradition hearing in Florida was dropped, apparently after Sarid turned himself in in California.

Sarid faces 51 counts including extortion, money laundering, and identity theft. The Attorney General alleges that he and the other defendants extorted people by charging them to have their mugshot and arrest records removed from the website in violation of the law.

The Mugshots.com website does not currently resolve.


Related posts:
  1. Sahar Sarid arrested on charges related to Mugshots.com
Categories: News and Updates

Google Engineer Ben McIlwain on Why HSTS Could Be a Perfect Fit for .Brands Security

Domain industry news - Tue, 2018-06-19 01:38

The Google-run .app TLD was always destined to draw attention and scrutiny, from the moment it fetched a then-record ICANN auction price of $25 million. Since it reached General Availability in May it has gained more than 250,000 registrations, making it one of the world's most successful TLDs.

However, perhaps more interesting was Google's choice to add the .app TLD and its widely used .google extension to the HTTP Strict Transport Security (HSTS) Top-Level Domain preload list, offering an unprecedented level of security for all domains under .google and .app.

I spoke with Ben McIlwain, Tech Lead and Senior Software Engineer at Google to learn a little more about HSTS, the benefits it offers and in particular, how this could be a significant value-add for .brand TLD operators in providing additional security to their customers.

* * *

Ryan Baker: Can you give us an overview of what HSTS actually is and why it's important?

Ben McIlwain: On a basic level what HSTS preloading does is enforce the use of HTTPS. If applied to a whole TLD, then every domain on that TLD is required to be served securely.

Serving via HTTPS is a good first step, but it only provides optional security. Without HSTS preloading, there's a variety of attacks that people intercepting your connection can use to downgrade it, most notably in 2009 when Moxie Marlinspike published the SSL Strip attack.

Using HSTS headers was a good first measure to improve on this, however, it's now superseded by preloading. The HSTS header only comes into play after the first connection to a domain; if you're connecting to a new (to you) domain and the very first connection is intercepted, then the interceptor can simply strip off that header along with any potentially present HTTPS. Preloading offers a stronger level of security because the preload list is built into the browsers themselves, and that can't be intercepted by an attacker. So it's always secure from the very first request.

RB: How does HSTS apply to a closed TLD such as a .brand?

BM: It's a great fit for brand TLDs because all domains on a brand TLD are typically run by the same company, so all those domains are in that company's control. This makes it easy to enforce the requirement to serve all sites on that TLD over HTTPS in order for them to work under HSTS, as we do with .google.

With .app we've also proven that TLD-wide HSTS preloading is feasible even with a large, open TLD. Obviously, it's impractical to retrofit an already launched open TLD with thousands of domains and thus individual users, but a .brand doesn't have that complexity. There's a lot less risk — so there's really no reason why you shouldn't be doing this once you're serving all your sites securely (and you should be!). If you haven't launched your brand TLD yet then there's no risk, as there are no existing possible sites to break.

And it's worth pointing out that right now there's still a small number of TLDs in the HSTS preload list, so anyone who gets in early can get that first-mover advantage on security and credibly say "We were on the vanguard of this next evolution in Web security."

RB: Why is HSTS preloading at the TLD level better than doing it for individual sites?

BM: From a configuration perspective, it's much simpler. You don't have to worry about individually preloading sites or sending HSTS headers. You just add your TLD to the list once and all of your sites are good to go. If you can already go to your websites with https:// and they load correctly (i.e. they have valid SSL certificates), then you're good to go for HSTS preloading.

Another benefit to preloading at a TLD level comes from the rollout process for the HSTS preload list itself. To preload an individual domain name, you enter it at hstspreload.org and it is verified and added to the list, which could take a few weeks. From there, the list is pulled by the individual browsers according to their individual rollout cycles, which typically takes several months between a change being made and being released in the next major browser version. And then there's lag time between when a new version has been released and when users finally get around to updating their software.

To do this for every site you launch can be incredibly impractical for webmasters. But if the entire TLD has already been preloaded, then all newly-created domains on that TLD will immediately get the benefit of increased security from the first moment of creation.

For HSTS preloading as a whole, TLD-level preloading has an aggregate effect as well. There are currently a relatively small, finite number of TLDs, which is more scalable in terms of the overall size of the preload list. Keeping the list smaller saves a non-negligible amount of storage space, memory space, and CPU cycles (from checking against the list) across all the billions of desktop and mobile browser installations out there. In the future, for size reasons, the list might close to new additions of individual domain names unless they meet certain criteria, but if you add the entire TLD you wouldn't face that problem.

And perhaps most important is speed. When domains are HSTS preloaded, the user's browser will always hit the https version immediately; it'll never hit a redirect being served at the http version. That saves a round-trip to the server, which is a non-negligible speed improvement, especially for people on mobile connections.

RB: What should .brands consider before HSTS preloading?

BM: The main thing to consider is that if you have any domains on your .brand TLD that are not serving on HTTPS, those domains will stop working if you preload the TLD. So the important first step is to look at all the domains you have in use and ensure that all of them work with https://, which of course you should already be doing anyway (but HSTS is a useful forcing function).

You will thus need to have an SSL certificate for every domain on the TLD, even if that domain is just redirecting elsewhere. If you're using a hosting platform provisioning these automatically for you, then hopefully that will already be covered (like through the use of Let's Encrypt). The targets of the redirects will also need to be secure if they are on an HSTS-preloaded domain as well.

Once you've done this due diligence then the next step is simple: Add the TLD to the HSTS preload list. It will then roll out in a future version of major browsers in a couple of months. Other than the obvious check that every domain on the TLD is serving over HTTPS, there are no other "gotchas" to worry about. There's just that one simple requirement.

RB: Do users experience any difference interacting with HSTS preloaded TLDs (such as the 'Secure' marker displayed for sites serving via HTTPS)?

BM: Currently there's no visual difference between HSTS preloaded domains and other secure domains; however, there may be in the future. In the very near future, Chrome will show "Not secure" right next to the address bar for all insecure domain names (those served over http://). This is, of course, scary to see as an end user. You'll never have that problem on an HSTS preloaded TLD because everything on there already has to be served securely. So it's another way to avoid the poor user experience of seeing a warning due to having an insecure domain name; being insecure is no longer even an option.

* * *

It was great to speak with Ben and get his insight on HSTS and how it applies to TLD operators. For most brands, a huge focus is placed on security to ensure a stable and trustworthy experience for consumers. HSTS preloading at the TLD level could be an opportunity for .brand operators to further strengthen that protection and get in at the ground floor of Google's latest development.

In short, the only requirement for .brand TLDs to be successfully HSTS preloaded is ensuring all sites on the TLD are serving content securely — which is already a requirement for most major organizations.

For almost no additional effort, .brand TLDs can take advantage of HSTS preloading to provide further peace of mind for customers that engaging with their brand online is a safe and secure experience.
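An added example (not the author's, Neustar's or Google's code) of the pre-flight check the interview describes: every hostname under the brand TLD must answer over HTTPS with a valid certificate, and a redirect that lands back on the TLD is handled the way a browser with the TLD preloaded would handle it, upgraded to https:// and probed again. The `.example` hostnames and their probe answers are constructed; `live_probe` is the function you would plug in against real hosts.

```python
import http.client
import ssl
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit
Probe = Callable[[str], Tuple[bool, Optional[str]]]  # url -> (tls_ok, redirect_target_or_None)

def live_probe(url: str, timeout: float = 5.0) -> Tuple[bool, Optional[str]]:
    """HEAD the URL over TLS; the default context verifies certificate and hostname."""
    p = urlsplit(url)
    try:
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("HEAD", p.path or "/")
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        return True, (urljoin(url, loc) if loc and 300 <= resp.status < 400 else None)
    except (ssl.SSLError, OSError):
        return False, None

def audit_domain(domain: str, tld: str, probe: Probe, max_hops: int = 5) -> List[str]:
    """Findings for one hostname; a BREAK finding means it stops working once tld is preloaded."""
    findings: List[str] = []
    url = f"https://{domain}/"  # preloaded: the browser never tries http:// at all
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        tls_ok, target = probe(url)
        if not tls_ok:
            return findings + [f"BREAK: {host}: no valid HTTPS (connection or certificate failure)"]
        if target is None:
            return findings  # final hop is served over HTTPS
        t = urlsplit(target)
        if t.scheme == "http":
            if not (t.hostname or "").lower().endswith("." + tld):
                return findings + [f"NOTE: {host}: leaves the TLD for insecure {target}"]
            findings.append(f"NOTE: {host}: redirects to {target}; browser will upgrade it")
            target = t._replace(scheme="https").geturl()  # wasted round-trip; target must serve TLS
        url = target
    return findings + [f"BREAK: {domain}: redirect chain exceeds {max_hops} hops"]

def tld_ready(domains: List[str], tld: str, probe: Probe) -> Tuple[bool, Dict[str, List[str]]]:
    report = {d: audit_domain(d, tld, probe) for d in domains}
    return all(not f.startswith("BREAK") for fs in report.values() for f in fs), report

# Constructed probe answers for a hypothetical brand TLD (.example is RFC 2606 reserved).
SAMPLE = {"https://www.example/": (True, None), "https://store.example/": (True, None),
          "https://shop.example/": (True, "http://store.example/"),  # http hop inside the TLD
          "https://old.example/": (False, None),                      # no working certificate
          "https://promo.example/": (True, "https://www.example/")}
def sample_probe(url: str) -> Tuple[bool, Optional[str]]:
    return SAMPLE.get(url, (False, None))  # unknown hostname: treated as no HTTPS
```

Run `tld_ready(["www.example", "shop.example", "old.example"], "example", sample_probe)` to see the one BREAK (old.example) that would have to be fixed before submitting the TLD.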

You can watch Ben's presentation at this year's Google I/O conference to hear more about .app and HSTS. If you'd like to know more about how to implement HSTS preloading on your .brand TLD, reach out to Neustar today.

This piece was originally published on MakeWay.World.

Written by Ryan Baker, Advisor, Professional Services at Neustar Inc.


More under: Cybersecurity, Domain Management, Domain Names, New TLDs, Web

Categories: News and Updates

When the Internet Service Provider is Government-Owned Monopoly: Cuba's Forthcoming 3G Pricing Model

Domain industry news - Mon, 2018-06-18 21:11

Jorge Luis Valdés Hernández, Director de Servicios Convergentes de la Vicepresidencia de Integración Comercial de ETECSA, described the forthcoming changes to their mobile Internet service in a recent press conference. (He also has a very long job title).

To be honest, the press conference coverage left me a bit confused, but this is some of what he said as I understood it:

There are 5.1 million active mobile accounts today and of those 35% use 2G phones, 45% 3G and 20% 4G. (ETECSA will be selling a lot of 3G and 4G phones).

Fourth generation LTE service is being tested in Varadero and deployment will begin in 2019. (Armando Camacho has reported on the tests and found the preliminary speeds surprisingly slow).

I believe that access to selected sites will be free or subsidized — zero-rated — and others will be capped by the amount of data transferred. My guess is that the majority of the free sites will be on the national intranet as opposed to the global Internet.

He gave a hypothetical example in which a user on the 1 GB plan would receive .5 GB free access to sites on the national intranet, stating that international access was more expensive than domestic.

While not defining plans or prices, he presented two hypothetical paid plans — one for "moderate" users at 500 MB per month and a second for "intense" users at 2.5 GB per month — and showed typical data utilization for various applications:

The press conference hailed the "launch" of the mobile Internet, but Cuban 3G mobile access began in 2015 when it was made available to tourists in limited locations and it has steadily expanded. Today there are over 520 3G-compatible base stations covering 47% of the population and all of Havana.

This press conference was not about new technology, but about new pricing, which favors government-approved political content and protects local content and services from the global competition.

Subsidized content delivery is an attractive consumer marketing tool, but proponents of network neutrality argue that it gives the Internet service provider (ISP) the power to pick winners and losers. For example, AT&T could begin zero rating — delivering content produced by its recently acquired Time-Warner subsidiary — at no cost to the user.

Zero-rating or other forms of subsidy are even more problematical when the Internet service provider is a government-owned monopoly, as it is in Cuba. If you live in the US, depending upon your point of view, you probably consider Fox News or MSNBC politically biased, but your ISP does not give you a discount on either. Will Granma.cu be zero-rated?

Going beyond political information, the new pricing continues the Cuban policy of favoring content or service on the national intranet over that on the global Internet. Valdés asserted that in addition to increasing the consumption of national service, this policy would help offset the increased cost of delivering international content, but that increase is marginal and the national intranet discount amounts to a protectionist tariff on foreign content and services. (And, I bet ETECSA will make a handsome profit even with this national-intranet discount).

Mobile connectivity, not WiFi hotspots or home DSL, is the focus of Cuba's current "universal Internet access" campaign and the new pricing plans will serve to protect local content and service providers and control political information.

Written by Larry Press, Professor of Information Systems at California State University


More under: Access Providers, Broadband, Mobile Internet, Telecom

Categories: News and Updates
