News and Updates

Study Reveals U.S. Carriers Throttle Online Video on Their Mobile Networks Even When Not Congested

Domain industry news - Mon, 2019-08-19 19:12

A new study conducted by researchers at Northeastern University and the University of Massachusetts Amherst involving 650,000 tests indicates U.S. carriers are throttling online video on their mobile networks regardless of whether or not those networks are congested. While U.S. wireless carriers have long insisted that the slowing down of video traffic on their networks is to avoid congestion and bottlenecks, the study found that throttling is occurring all the time.

A large-scale study of net neutrality violations and their implications is long overdue, says the group that conducted the research. They wrote: "In the intervening decade, the Internet has evolved in two key ways that require a new approach to auditing. First, today's dominant source of Internet traffic is video streaming from content providers, not BitTorrent. Second, users increasingly access the Internet from their mobile devices, often with a spectrum-constrained cellular connection. There is a need to conduct a study of net neutrality violations that takes these changes into account. We address this need using 1,045,413 measurements conducted by 126,249 users of our Wehe app, across 2,735 ISPs in 183 countries/regions."


More under: Mobile Internet, Net Neutrality, Telecom, Wireless

Categories: News and Updates

Threat Intelligence in Latter 2019: Overcoming the Same and New Challenges

Domain industry news - Mon, 2019-08-19 18:02

Does threat intelligence (TI) work? I looked into that question last year, exploring the reasons why it actually doesn't and what can be done to remediate the situation. Since then, more companies have incorporated TI into their security processes, and many are still not getting the benefits they expect.

What's causing the dissatisfaction? Interestingly, pretty much the same aspects — i.e., mismatches with cybersecurity needs, lack of resources, implementation challenges, and other misunderstandings and misconceptions — and new ones.

So, how can we bridge these gaps in the second half of 2019? TI is complex by nature, and a change of perspective, alongside a strong commitment to best practices, is necessary to overcome the hurdles along the way. Let's dig into the latest learnings in the field and figure out a way forward.

Analyzing and operationalizing TI takes time

Gathering any form of intelligence and applying the corresponding insights is something that cannot and should not be rushed. Likewise, getting the most value from TI requires diligent and thorough analysis with the right metrics, scope, and depth at the outset. Otherwise, it's not easy to measure progress. All of that takes time, and impatience could set in and affect the quality of data collection, processing, and interpretation.

TI may end up too general and off-target

TI analysis goes from broad to specific, and it's important to carry out the process all the way through because threats are subtle and dangerous in detail. If TI results and interpretations are too general, they'll likely fail to address the areas that need particular attention. It's up to users to narrow down the focus to get intel relevant to their brand or industry — e.g., online fraud for payment processors, DDoS or ransomware for large enterprises, etc.

Over-reliance on manual processing and analysis is bad

TI is labor-intensive, sometimes more than it needs to be. As part of TI's implementation, security staff must find a balance and leave sufficient legwork to automated systems, possibly with machine-learning capabilities. In turn, threat intelligence analysts can spend more time on strategic and urgent tasks that allow for a more effective and faster response to immediate threats.

TI is not your average cybersecurity operation

The practice has its specificities and therefore requires people capable of handling the particular operational and technical elements for, say, the integration of a threat intelligence API into pre-existing security applications. In a similar vein, TI teams also need enough resources and logistics to avail of specialist equipment and skills — of course, in line with an organization's sector and its core activities and salient vulnerabilities.

Actions must be taken based on TI insights

As bad actors adjust their tactics, so should people within organizations. As a means to detect what's wrong with systems and online assets over time, TI and its actionable insights must be disseminated to forewarn employees and help decision-makers make wise acquisitions and security investments. A new malware, for example, should be immediately put on the radar and steps on how to counter it be immediately laid down.

On an external level, sharing intelligence with other organizations creates an early-warning network that thwarts attacks and facilitates the dismantling of threat infrastructure.

Integrate with your tools and teams

TI should not be a lone-wolf fighting an independent battle. Instead, it should be integrated as a major part of the overall cybersecurity strategy. The effectiveness of SIEM, as well as other important incident management systems, is enhanced when they are complemented by TI's contextual analysis and actionable recommendations to halt attacks.

* * *

The said benefits of threat intelligence remain elusive at times. Proactive measures need to be put in place in 2019 and beyond in order to overcome challenges and successfully implement the practice as part of integrated cybersecurity efforts.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI &


More under: Cyberattack, Cybersecurity, Networks


Almost All 5G Estimates for 2019-2020 Need to Be Doubled

Domain industry news - Mon, 2019-08-19 17:38

The remarkable take rate in Korea and China is invalidating almost all projections of 5G subscriptions. The 5G promotion has consumers wanting to buy, buy, buy. Huawei Mate 20 5G is selling for only US$30 more than the 4G model. At that price, who would want to buy a 4G phone that could be obsolete in a year or two? In the first two weeks of sale, over a million Chinese bought Huawei's 5G phone.

One of the best analyst groups on earth currently expects China to have 31 million subs in 2020. Two million+ Chinese are signing up in August 2019, a pace almost sure to increase. It's almost certain that China in 2020 will have more than that group's 73 million worldwide estimate. Korea is at 2 million after four months. KT is confident of 5 million Koreans taking 5G in 2019 from the three carriers. It estimates 30% of the country will switch to 5G by the end of 2020, about 15 million phones.

The new data is forcing everyone to rethink. If the Americans and Europeans switched to 5G in 2020 at even a quarter of the Korean expectation, that would be over 40 million.

Prices of 5G phones are plummeting in China. As I write, the Chinese smartphone maker, Oppo, is selling a premium 5G phone for $580. Vivo is about to announce an even lower price. Nine phone makers are in active production, and competition is becoming intense in Asia. It only costs about a dollar to airfreight a phone to Europe. The low prices are likely to spread and drive sales.

China Mobile and others say 5G phone prices will fall to under $300 in 2020.

Written by Dave Burstein, Editor, DSL Prime


More under: Mobile Internet, Telecom, Wireless


Fighting for – DNW Podcast #249

Domain Name Wire - Mon, 2019-08-19 15:30

The story behind one man’s expensive battle to keep his domain name.

Jeffrey Black registered in 1994. Over two decades later he found himself in court spending hundreds of thousands of dollars trying to prove that he wasn’t cybersquatting on a concrete company’s brand by registering the domain. On today’s show, Black’s attorney Mike Rodenbaugh walks us through exactly what happened: why Black registered the domain, how this case proceeded all the way to a jury trial, and what happened next.

See also: Judge’s findings document.


© 2019. This is copyrighted content. Domain Name Wire full-text RSS feeds are made available for personal use only, and may not be published on any site without permission. If you see this message on a website, contact copyright (at) Latest domain news at Domain Name Wire.


Domain Name Registrar Isn't Liable for Counterfeit Goods – InvenTel v. GoDaddy

Domain industry news - Sun, 2019-08-18 17:51

InvenTel makes security cams for cars. It is trying to crack down on Chinese counterfeiters. It brought a prior lawsuit against a wide range of defendants, including GoDaddy. InvenTel voluntarily dismissed GoDaddy from that suit. It brought a second round of litigation involving a new counterfeit site allegedly by the same bad guys,, a domain name registered via GoDaddy. Initially, InvenTel claimed GoDaddy hosted the site as well, but it dropped that claim. So the suit against GoDaddy devolves into a simple question: can GoDaddy be liable for counterfeiting activity for registering the domain name?

The answer is no. This is wholly unsurprising because most of these issues were litigated and resolved in the 1990s, making this an old school case. On the plus side, it's a nice reminder that the law hasn't changed in the past two decades.

Federal Trademark Infringement. In the ACPA, Congress provided a safe harbor for domain name registrars (15 U.S.C. § 1114(2)(D)(iii)). This safe harbor hasn't been litigated very often, so this is a rare but otherwise unremarkable opinion applying the safe harbor. The court says:

"The only pleaded basis for GoDaddy's knowledge that the Website would be used to infringe is the Li Defendants' conduct using other websites and the Prior Action. But GoDaddy's domain name registration system is automatic. Therefore, without a warning that the specific URL being registered would be used for an illicit purpose, GoDaddy did not have a "bad faith intent to profit" from the automatic registration of '' In other words, failing to prevent its computer system from registering the Website does not constitute 'bad faith.' Plaintiff provides no basis for the proposition that GoDaddy must predict which URLs will be used for infringement purposes and proactively stop them from being registered."

To be clear, I don't think this passage supports the inverse proposition, i.e., that GoDaddy would be automatically liable if it had gotten a warning that a domain name was being used for illicit purposes.

State Direct Trademark Infringement. GoDaddy didn't "use" the allegedly counterfeited goods.

State Indirect Trademark Infringement. The Ninth Circuit shut down registrar liability in the 1999 Lockheed v. NSI ruling. "GoDaddy does not control or monitor the instrument of infringement (i.e., the Website)."

Direct Copyright Infringement. As a registrar, GoDaddy doesn't "copy" anything.

Indirect Copyright Infringement. There was no direct copyright infringement taking place when GoDaddy registered the domain name.

Direct Patent Infringement. GoDaddy didn't make, use, or sell the counterfeit goods.

Indirect Patent Infringement. "GoDaddy permitting its computer system to automatically register the Website, even with knowledge of the Prior Action, is not an activity GoDaddy knew would 'cause infringement.' As previously stated, GoDaddy is not obligated to proactively guess which proposed domain names will likely be used for nefarious purposes."

State Consumer Fraud Act. InvenTel wasn't GoDaddy's "consumer."

The court summarizes:

"As to the automatic registration of the Website...that conduct cannot produce direct or contributory intellectual property liability on the facts of this case. GoDaddy did not have the requisite knowledge that the Li Defendants would use the Website to infringe on InvenTel's intellectual property rights when it engaged in the only conduct at issue — providing domain name registration services. InvenTel cannot plausibly allege GoDaddy acted with the requisite knowledge, as InvenTel filed its Complaint without even notifying GoDaddy of the new Website. Even considering facts outside the Complaint set forth by InvenTel, GoDaddy could not be liable. InvenTel has not presented any theory under which GoDaddy is obligated to monitor and predict which websites might be used for infringing purposes. Even when the same individual registers multiple websites, it is the intellectual property holders' responsibility to protect their property, not third parties'. Had InvenTel taken advantage of GoDaddy's takedown request procedures, and GoDaddy refused to deregister the Website (despite evidence of infringement), InvenTel may have a claim. But here, InvenTel ran to federal court without informing GoDaddy of the infringement. Having no notice of the infringement, liability will not attach because GoDaddy did not take any action with the requisite knowledge."

A periodic reminder that even if the law doesn't require notice-and-takedown, courts are unimpressed when plaintiffs could have solved their problems by sending takedown notices.

As far as I can tell, the court doesn't distinguish between domain name registration and domain name hosting (as opposed to website hosting, which the court does distinguish). I wonder if the court would be more amenable to liability for domain name hosting. The above passage suggests it might be.

Trademark, copyright, and patent law all have discretionary fee-shifting provisions. Given the complete lack of merit in this case and the venerability of the legal principles it raised, I wonder if the court will be amenable to a fee-shift request from GoDaddy.

Case citation: InvenTel Products, LLC v. Li, 2:19-cv-09190-WJM-MF (D.N.J. Aug. 13, 2019)

Written by Eric Goldman, Professor, Santa Clara University School of Law


More under: Domain Management, Domain Names, Law


The problem with choosing a popular generic company name

Domain Name Wire - Fri, 2019-08-16 16:34

The brand Theorem is a crowded brand.

A company called Theorem is suing (pdf) another company called Theorem for trademark infringement, and it brings up an important point about choosing a popular dictionary term for your business name.

The first sign that this is a crowded brand is that the defendant uses the domain name while another company uses—and the company that uses isn’t the plaintiff. The plaintiff uses the domain

So, right off the bat, three companies are using the name Theorem. They are all in the tech space, too.

The defendant is a web development company that recently rebranded from CitrusByte to Theorem. The plaintiff is a digital marketing company. The company that uses provides CAD and visualization technologies.

If you google “theorem,” the plaintiff is #2. Neither nor is on the first page, but two other companies that use the name Theorem are. One is a cannabis company and the other is a marketplace lending technology company.

That’s a pretty crowded brand space.

The plaintiff says that a Fortune 500 company made a presentation to it and used the logo from the defendant in its presentation. Ouch.


The Pros and Cons of Introducing New gTLDs

Domain industry news - Fri, 2019-08-16 01:31

Every time new concepts are introduced, much debate ensues as to the advantages and disadvantages such a change would bring forth. We've seen that happen with the launch of IPv6. Detractors and supporters rallied to make their respective arguments heard.

One thing is sure though. The need for a much larger IP address space is something both parties agree on. In the past 10 years alone, the number of Internet users has grown almost fourfold from 1.7 billion in June 2009 to 4.4 billion as of June 2019. And if a researcher's calculations are right, as many as 380 websites are created per minute. An increasing number of start-ups are also established over time that need to make their own mark on the World Wide Web.

Given the constantly rising volume of businesses, it isn't surprising for much-sought-after domains to become harder to come by. Every company, after all, would go for a domain that aptly describes their business and matches their brand so they would be easy to find in the ever-growing global community that is the Internet. The seeming lack of domain choices has led to the proposal to widen the top-level domain (TLD) space.

And so in 2015, the Internet Corporation for Assigned Names and Numbers (ICANN) announced the introduction of more than 500 new generic TLDs (gTLDs) to accommodate the growing demand. Of course, this spurred talks about the good and bad that this change would bring about. Let's take a closer look at both sides of the coin.

The Good

The availability of new gTLDs provides entrepreneurs with more domain name options to choose from. Companies in need of easy-to-remember domains for their websites will no longer be limited to using the more commonly used and likely saturated gTLDs (.com, .net, .org, etc.). With the addition of hundreds of gTLDs to choose from, they would stand a better chance of obtaining ownership rights to a domain that would best fit their brand.

Domainers and domain registrars whose main task is to provide clients with lists of potential domains for their business would be able to give more choices apart from what may be left available in the popular gTLD and even country code TLD (ccTLD) spaces. This can, of course, result in better customer satisfaction.

The Bad

It's no secret that everyone approaches anything new with a bit of caution. That said, because newly created gTLDs are not well known, site visitors, especially those that have had run-ins with cybercriminals, may be wary of visiting sites that sport them. It is, after all, known that cyber attackers often hide their trails by using less popular TLDs.

Cybercriminals and attackers may have gained a bigger playing field as well. Their domain choices, much like the rest of the world's, increased. Cybersecurity specialists and law enforcement agencies will need to scour a much bigger base when going after threat actors.

Given the bigger volume of TLDs to monitor, website owners and brand agents would also have to spend more time and exert greater effort to keep tabs on potential cases of copyright infringement and trademark abuse.


Just as connectivity can be considered a double-edged sword, the Internet's growth presents both risks and opportunities as well. But because change is constant, anyone with an online presence, whether an individual or a company, just needs to remain ever-vigilant to threats in order to stay safe. We can only expect to see the World Wide Web expand more, bringing with it both the good and the bad. We just need to be prepared with not just reactive but also proactive measures to maintain the security of our digital assets.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI &


More under: Cybersecurity, Domain Names, Registry Services, New TLDs


The Promise of Multi-Signer DNSSEC

Domain industry news - Thu, 2019-08-15 23:32

DNSSEC is increasingly adopted by organizations to protect DNS data and prevent DNS attacks like DNS spoofing and DNS cache poisoning. At the same time, more DNS deployments are using proprietary DNS features like geo-routing or load balancing, which require special configuration to support using DNSSEC.

When these requirements intersect with multiple DNS providers, the system breaks down. DNSSEC cannot currently work with two or more providers if those providers offer proprietary DNS features. In this article, we'll explain why this happens and present an innovative technical solution that was recently adopted in an RFC draft and is under evaluation by the DNS operations working group in the IETF. We will show how NS1 implements this solution and describe another way that organizations can achieve DNS redundancy with DNSSEC.

The Problem of Multi-Signer DNSSEC

DNSSEC is a set of extensions that improve the original DNS protocol to make it more secure. Its main objective is to allow DNS clients to verify that they are receiving correct DNS information and not fake information injected by attackers.

DNSSEC defines new types of DNS records, which hold cryptographic signatures of DNS data and share a public key that allows verification of the data. The signatures prove that the data has not been tampered with and is authentic, because the private key that was used to create the signatures is held only by the DNS zone owner.

The problem begins when organizations have three requirements, all of which are quite common in modern DNS deployments:

  1. DNSSEC – they want to secure DNS communication using the DNSSEC protocol.
  2. Multi provider – they want to run DNS with more than one provider at the same time. This is commonly used to set up redundant DNS, ensuring services remain available even if one DNS provider fails.
  3. Advanced and Proprietary DNS features – most DNS providers today offer capabilities that go beyond the standard DNS protocol in order to route traffic based on rules or conditions such as resource availability or geo-routing that can route users, via DNS, to a server near them, or Global Server Load Balancing to route users between several servers. See for example NS1's DNS traffic steering capabilities. Since these capabilities extend standard DNS, many of these advanced features are implemented in proprietary ways.

Using current DNS infrastructure, if you meet requirements #2 and #3, DNSSEC will simply not work. Let's understand why.

In traditional DNS, all records are static. The zone file is signed with DNSSEC and distributed to DNS providers (in case you use more than one). All providers serve the records from the same file. Every client who sends a query for a record gets the same answer, regardless of which DNS provider that client is communicating with.

However, when we introduce requirement #3, proprietary DNS features, DNS records are no longer static. The DNS answer might change for a specific query. For example, you might want to provide a different DNS response depending on the geographical location of the user, the server you want to route the user to, performance considerations, etc.

Each DNS provider that has proprietary DNS features has an internal method for making DNSSEC work with their traffic management features. For example, NS1 signs each individual response on-the-fly when generating the response (this is called DNSSEC online signing).

Those proprietary DNSSEC implementations are quite different between providers. It is no longer possible to provide one zone file, sign it one time and distribute it between providers. Each provider generates tailored DNS responses which cannot be easily pre-signed with a single DNSSEC key.

A Strategy for Solving the Multi-Signer DNSSEC Problem

A solution to this problem has been proposed in a recent IETF draft, co-authored by NS1's Jan Včelák. The solution is straightforward but requires some background to understand, so let's go through it step by step.

A Bit of Background: KSK and ZSK

Let's start by defining two important concepts:

  • The Key Signing Key (KSK) is the key used to sign, and therefore authenticate, the other DNSSEC keys that sign the zone content. The private part of the key is kept by the zone owner and the public part of the key is published in the DNS. The key is also referred to from the parent zone, which establishes a secure delegation between the parent and the zone.
  • The Zone Signing Key (ZSK) is the key used to sign all records in the zone, except for the DNSKEY record, which is signed by the KSK.

Sharing the ZSK Between Providers

The proposed strategy for multi-signer DNS is that each DNS provider should use a separate zone signing key for the records they serve, but all providers have to agree on the total set of DNSSEC keys being used, which includes all of the KSKs and ZSKs. Therefore each provider has to import the public keys of every other provider.

Why would one DNS provider need the public keys of the other providers?

Take a domain,, with two DNS providers A and B and with each provider using a separate KSK and ZSK. There is a secure delegation from the parent zone (".com"), which contains signed DS records pointing to both providers' KSK.

Now the DNS resolver has to fetch the DNSKEY record for the zone which contains the DNSSEC keys to be used for validation. If it chooses to talk to provider A, the resolver obtains the DNSKEY, validates the response, and then caches it. This is illustrated below.

At a later point in time, the resolver might query another record in that zone, but now it talks to provider B's name servers. It gets a response, but that response is signed by B's ZSK which is not present in the cached DNSKEY record received from A. This is illustrated by provider B returning an answer signed by the orange and purple keys.

That's why provider A's DNS response needs to include the ZSK for provider B, and vice versa. Every provider has to import public keys of every other provider. This is the basis for the multi-signer DNSSEC solution.

Two Models for Making Multi-Signer DNSSEC Work

We've presented the basic principle that makes multi-signer DNSSEC work — that each provider needs to import and provide to its users the ZSKs of all the other providers. This ensures that the next time a user makes a query, they can still validate their DNSSEC data even if they reach another provider. There are two models for making this happen.

Model 1: One Zone Owner and One KSK

Who is it for?

Model 1 uses a single KSK managed by one of the providers or the zone owner. This model is suitable for organizations that require better control of the KSK and want to manage all signing keys for the zone themselves.

How it works

Each of the providers, A and B, has its own set of zone signing keys (ZSK). The zone owner retrieves the public keys from the providers, builds the DNSKEY record set which contains the public KSK and public ZSKs of the providers, signs it using the private KSK, and provides the resulting DNSKEY record set along with the signature to the two DNS providers.

Source: DNS OARC Presentation

The above diagram illustrates that the DNS record set is always served with the same signature, generated in advance by the zone owner. But any other content in the zone is signed by the ZSKs held by the different providers.

Because each DNS provider has the same DNSKEY record set, even if the resolver caches a response from one provider, it has all the public keys needed to validate responses sent by the other provider.

Model 2: Shared Trust, Two KSKs Distributed to Two DNS Providers

Who is it for?

Under model 2, each provider uses an independent KSK and ZSK. This model is suitable for organizations that do not require tight control of the KSK and instead require a solution with full redundancy.

How it works

Each provider has their own ZSK and KSK. They independently reach out to the other provider, get the public keys that provider is using, and add their own public keys. As a result, they all end up with the same DNSKEY record set which is signed by their own KSK. The DNSKEY record and the signatures are then added into the zone.

In this setup, the parent zone contains a DS record referring to the KSK of each provider. No matter which provider the DNS resolver selects to get a zone record, it will always be able to validate the record's authenticity, because both KSKs are trusted and the DNSKEY record set is the same at both providers.
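The cached-DNSKEY failure from "Sharing the ZSK Between Providers" and the DNSKEY record sets of Model 1 and Model 2, as an added example (not code from the article or from NS1). Signature verification is replaced by a key-identity check, the key bytes are constructed placeholders, and the `Provider`, `Resolver` and `audit` names are hypothetical; the key tag routine follows RFC 4034 Appendix B.

```python
import hashlib
import struct

ZSK_FLAGS, KSK_FLAGS = 256, 257   # RFC 4034: Zone Key bit; Zone Key + SEP bit
ALGORITHM = 13                    # ECDSAP256SHA256, assumed for the sample keys


def dnskey_rdata(flags, public_key):
    """DNSKEY RDATA wire format: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, ALGORITHM) + public_key


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, as specified in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def sample_key(flags, label):
    """Constructed placeholder: 64 deterministic bytes, not a real public key."""
    return dnskey_rdata(flags, hashlib.sha512(label.encode()).digest())


class Provider:
    """A DNS provider: signs answers with its own ZSK, serves a DNSKEY RRset."""

    def __init__(self, name, zsk, dnskey_rrset):
        self.name, self.zsk = name, zsk
        self.dnskey_rrset = frozenset(dnskey_rrset)

    def answer(self, rrset):
        # A real RRSIG carries the key tag plus a signature. Here the signing
        # key itself stands in for the signature (assumption of this example).
        return {"rrset": rrset, "key_tag": key_tag(self.zsk), "signer": self.zsk}


class Resolver:
    """Validating resolver that caches the first DNSKEY RRset it fetches."""

    def __init__(self):
        self.cached = frozenset()

    def fetch_dnskey(self, provider):
        self.cached = provider.dnskey_rrset

    def validate(self, answer):
        # Select candidate keys by tag, then "verify": the answer validates
        # only if the key that signed it is in the cached DNSKEY RRset.
        candidates = [k for k in self.cached if key_tag(k) == answer["key_tag"]]
        return any(k == answer["signer"] for k in candidates)


def cross_provider_lookup(providers):
    """Fetch DNSKEY from the first provider, then a record from the second."""
    first, second = providers
    resolver = Resolver()
    resolver.fetch_dnskey(first)
    return resolver.validate(second.answer("www A 192.0.2.10"))


def audit(providers):
    """Map provider name -> key tags of other providers' ZSKs it fails to publish."""
    findings = {}
    for p in providers:
        missing = sorted(key_tag(q.zsk) for q in providers
                         if q.zsk not in p.dnskey_rrset)
        if missing:
            findings[p.name] = missing
    return findings


def deployments():
    ksk_owner = sample_key(KSK_FLAGS, "ksk-owner")
    ksk_a, zsk_a = sample_key(KSK_FLAGS, "ksk-a"), sample_key(ZSK_FLAGS, "zsk-a")
    ksk_b, zsk_b = sample_key(KSK_FLAGS, "ksk-b"), sample_key(ZSK_FLAGS, "zsk-b")
    # Each provider publishes only its own keys: the broken case.
    isolated = [Provider("A", zsk_a, {ksk_a, zsk_a}),
                Provider("B", zsk_b, {ksk_b, zsk_b})]
    # Model 1: one KSK held by the zone owner, both ZSKs in one DNSKEY RRset.
    set1 = {ksk_owner, zsk_a, zsk_b}
    model1 = [Provider("A", zsk_a, set1), Provider("B", zsk_b, set1)]
    # Model 2: each provider has its own KSK; both publish all four keys.
    set2 = {ksk_a, ksk_b, zsk_a, zsk_b}
    model2 = [Provider("A", zsk_a, set2), Provider("B", zsk_b, set2)]
    return isolated, model1, model2


if __name__ == "__main__":
    for label, providers in zip(("isolated", "model 1", "model 2"), deployments()):
        print(f"{label:9} cross-provider answer validates: "
              f"{cross_provider_lookup(providers)}; audit: {audit(providers)}")
```

The `audit` check is the part worth running against a live deployment: feed it the DNSKEY record set each provider actually serves and it reports which provider is missing which peer ZSK.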

Multi-Signer DNSSEC Status at NS1

At this stage, NS1 has a working prototype implementation of the interface required to support Model 1: our REST API lets you retrieve the public keys we use for signing and also allows publishing the final DNSKEY record set and its signatures. At the same time, we are building an open-source component that allows you to run NS1 and any common open-source DNS server (for example BIND) in the multi-signer DNSSEC configuration.

NS1 is currently working with other DNS providers to implement the same interface, which will also eventually enable running Model 2, which has the benefit of full DNS provider redundancy.

While we are talking to different providers to enable Model 2, you can achieve the same results solely leveraging the NS1 Domain Security Suite.

Domain Security Suite

NS1 Domain Security Suite Includes:

  • A fully managed, single tenant, globally anycasted DNS network dedicated to your zones
  • A second, redundant DNS network hosted with a third party vendor on hardware, IPs, and ASNs that are physically and logically separate from the NS1 Managed DNS network
  • Support for full traffic management and DNSSEC on both networks
  • Full use of NS1's suite of advanced traffic steering capabilities on both DNSSEC-protected DNS networks
  • Single pane of glass management

Written by Jan Včelák, Lead Software Engineer at NS1


More under: Cybersecurity, DNS, DNS Security


Call Spoofing: Congress Calls on FCC, Russia and China Answer

Domain industry news - Thu, 2019-08-15 21:10

It is both amusing and dismaying. Last year, Congress passed Ray Baum's Act telling the FCC to do something about those pesky incoming foreign SPAM calls and texts with the fake callerIDs. The FCC a couple of weeks ago responded with a chest thumping Report and Order claiming it has "extraterritorial jurisdiction" that it does not have and promising it will do something. Don't hold your breath on that one.

In less than two weeks, the world's only global intergovernmental telecommunication standards body — which also has real jurisdiction over those calls, texts, and identification — is convening its network security group in Geneva. It is known as Study Group 17. Indeed, it has a pre-existing sub-group on spam calls.

The FCC in typical current fashion input nothing into this study group, and indeed has largely not participated for the past decade or more in any work. It was left to both Russia and China yesterday to table new work items into the meeting to help implement Ray Baum's Act's call for action. Congress calls for action, Russia and China answer!

The Russian proposal is from its NIIR institute in the Ministry of Informational Technologies and Communications in Moscow — by one of its senior leaders who also happens to be vice-chair over the "Numbering, naming, addressing, routing and service provision" working party in the ITU-T's Operations study group. This group notably is responsible for the global numbering standards and identification mechanisms at issue.

The Russian proposal calls for a description of the technical requirements for telecommunication management systems and/or client support services to receive notifications of incoming spam calls. The work includes scenarios for interaction between clients and operators/service providers of telephone communication networks about incoming spam calls and the necessary technical measures. To implement such a mechanism, a number of technical measures are proposed, the implementation of which by operators/service providers and equipment manufacturers will contribute to the quickest and least costly scenario of involving the subscriber/recipient of spam calls and texts.

The proposal from China is from its most dynamic telecom service provider, China Unicom, by staff from its Network Technology Research Institute — proposing the development of a machine learning/AI technical framework for tackling the global spam challenges. The proposal notes that "some telecommunication operators of China have used ML/AI to counter voice spam since 2015, and the techniques to counter spam are effective and efficient." In fact, U.S. industry and the FCC itself have made the same observations.

The China Unicom proposal intends to define the general technical framework for countering spam based on machine learning. It will provide general scenarios, characteristics of the spam, introduction of machine learning, and define a general technical framework, and workflows, to achieve effective governance and control of spam.

Twenty-five years ago, it would have been the FCC together with U.S. industry making these proposals and leading the efforts to implement global solutions with significant resources, and help coordinate among the many industry bodies already involved in this effort. Today, the FCC doesn't even show up. Maybe eventually, someone will "make the FCC great again."

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC


More under: Internet Governance, Policy & Regulation, Spam, Telecom

Categories: News and Updates

The 2019 IPv4 Market: Mid-Year Report

Domain industry news - Thu, 2019-08-15 16:54

After a slow start to 2019, the volume of IPv4 numbers traded is picking up — though still far below the peak trading periods of 2018. By this same time last year, the total quantity of numbers flowing to and from organizations in the ARIN region was just over 27 million. But 2018 was the most active year ever in the IPv4 market. This year is not shaping up to be as active. In 2019 (through July), just over 17.5 million numbers have transferred — representing a 35% decline from last year over the same time period.

The high volumes in 2018 were the result of an increased supply of large blocks entering the market. Between 2017 and 2018, the number of transactions doubled and the volume of IPv4 addresses sold in the large block market increased by more than 15%, most of which occurred in Q3 2018, when the second highest quantity of IPv4 numbers was traded in any quarterly period. The two quarters that followed, however, were the quietest in the history of the market as a result of limited supply rather than constrained demand. There were no large block transfers during this period.

The large block scarcity in Q4 2018 and Q1 2019 pushed prices up considerably. These rising prices shook loose some additional large block supply and produced a handful of large block transactions in Q2 of this year.

Although the volume of numbers traded has declined from last year, the total number of transactions is still trending upward, as it has year after year. This upward trend is attributable to continuing growth in small block transactions. In the first two quarters of 2019, over 75% of transactions involved trades of fewer than 4,000 IPv4 numbers. This reflects growth of 6% compared to the first half of 2018.

To date, the 2019 inter-RIR market has had no large block transactions, but there has been a steady stream of small and medium block trades. Also, there has been big news in the international market. LACNIC recently ratified a policy that will permit inter-RIR transactions. And there is an inter-RIR transfer policy proposal under consideration in AFRINIC.

Market Consolidation for /17+ Blocks

The current IPv4 market for /17 and larger blocks is consolidating around the trading activity of just a few buyers. In 2016, for example, there were approximately 30 buyers of nearly 80 /16 blocks traded; 95% of those blocks were sold outside of large block transactions to small and mid-block buyers (i.e., buyers purchasing fewer than 1MM numbers). Since then, the number of /16 blocks entering the market has increased - in the first half of 2019, over 100 /16s were sold - but the number of buyers and percentage of blocks traded outside of large block transactions has declined substantially. There were only 9 buyers altogether with less than 10% of the blocks sold to buyers picking up fewer than three /16s.

This same consolidation trend pervades the entire market for /17 and larger blocks. Since 2016, seller diversity (i.e., measured as the total number of sellers compared to the total number of transactions) remains high as sellers continue to stream into the market. Buyer diversity, however, has steadily decreased. See Table 1.

Block Prices Continue to Increase

Demand for address space remains high, and supplies are constrained. These factors are exerting upward pricing pressure. But at the same time, sophisticated buyers are looking for ways to use their leverage to relieve that pressure. In this climate, sellers need real-time pricing intelligence, effective bid processes, and experienced transaction guidance to help ensure they are closing deals that maximize the value of their address space.

IPv6 Deployment Picking Up ... A Bit ... in 2019

Worldwide end user adoption hit an all-time high of nearly 29% in June 2019, according to Google IPv6 statistics. This represented a nearly 3 percentage point increase since January. This is slightly better than the rate of progress made during the same time period last year, but in line with global adoption rates in prior years.

By the end of Q2 2019, global user connectivity ranged from 25% (on weekdays) to around 29% (on weekends). Over the last two months in Q2, there was some upward progress in the U.S., but the adoption rate in the U.S. remains a few percentage points shy of its peak in late 2018 when adoption hit 40%.

There continues to be little progress in the number of websites reachable over IPv6. According to Alexa Top 1000 statistics, at the end of July, 25% of websites were reachable over v6, which reflects no improvement over the last two years.

As in the past, there is no evidence that IPv6 is replacing IPv4 as the dominant protocol for Internet routing or that the migration to IPv6 has had any material impact on the IPv4 market. Based on the current status of IPv6 adoption, we expect nothing to change in this regard for the remainder of 2019.

Written by Janine Goodman, Vice President and Co-founder at Avenue4 LLC


More under: IP Addressing, IPv6

Categories: News and Updates

Alibaba files blockchain domain name patent application

Domain Name Wire - Thu, 2019-08-15 15:30

Company is latest to propose domain name technology connected to blockchains.

Chinese internet giant Alibaba has filed a U.S. patent application (pdf) for a domain name system connected to blockchain networks.

It’s a bit tricky to dissect, but it seems that the idea is to give each blockchain instance a domain name. The abstract states:

Implementations of the present disclosure include obtaining, by a computing system, a unified blockchain domain name (a UBCDN) message of a blockchain instance, wherein the UBCDN message includes a UBCDN of the blockchain instance, a digital signature of an owner of the UBCDN of the blockchain instance (a UBCDN owner) on the UBCDN, and a domain certificate of the UBCDN; verifying whether the domain certificate of the UBCDN is issued by a trusted certificate authority (CA) using a public key of the CA; and verifying whether the UBCDN is issued by the UBCDN owner using a public key of the UBCDN owner. The UBCDN message includes a blockchain domain name and a chain identifier of the blockchain instance uniquely corresponding to the blockchain domain name.

Several companies are trying to marry blockchain technology with the concept of domain names. You can listen to one idea, run by Unstoppable Domains, on DNW Podcast #224.

Alibaba owns HiChina, a large domain name registrar.

© 2019. This is copyrighted content. Domain Name Wire full-text RSS feeds are made available for personal use only, and may not be published on any site without permission. If you see this message on a website, contact copyright (at) Latest domain news at Domain Name Wire.

Categories: News and Updates

Are the Telcos Crying Wolf?

Domain industry news - Thu, 2019-08-15 02:44

We recently have heard much complaining from the telecommunications companies concerning the margin squeeze they experience from NBN Co. While they certainly do have a point, it is also essential to look at the other side of the coin.

Why have the telcos allowed this situation to happen in the first place? We have seen an explosion in the telecommunications industry over the last decades. This led to the arrival of internet companies which are currently amongst the largest corporations in the world. This is a clear indication that telecommunications is a very lucrative industry, indeed.

So, what are the telcos complaining about? Why have they not been able to claim their share of this massive growth?

The telecoms industry was right at the forefront of the digital explosion. However, for many decades telcos refused to accept these changes, fighting any form of transformation in order to protect their very lucrative voice-based revenue streams, often with margins above 100%.

They made it impossible for new players to enter the market. They didn't allow them to use the national infrastructure in any effective or efficient way to develop new services. As a result of this behavior, there were in the 1990s more than 25 anti-competitive investigations simultaneously proceeding against Telstra.

While fighting all of those rear-guard battles, the traditional telco industry took its eye off the future and companies such as Google, Apple, Facebook, Amazon, and many others in the internet market had a free rein to develop so-called "over the top" — OTT — business models, in which they used the existing telecoms infrastructure to distribute their own services to end-users. Ever since that time, telcos have complained about the situation.

Several countries had to implement "net neutrality" regulations to ensure that telcos wouldn't misuse their infrastructure monopoly to stop the introduction of new innovative video-based services and apps such as Skype and WhatsApp.

Despite what could be called "missed opportunities" for telcos, they were able to maintain a strong market position in the basic telecoms market relating to connectivity. The massive increase in OTT services also stimulated a far greater use of the telecoms network. And today, in most cases, telcos remain strong and healthy players in the connectivity market. However, this has become a low-margin utility service. There is little room for them to develop more value-added products with opportunities for premium based revenue models.

The traditional telecoms industry around the globe is under pressure and is suffering from the massive transformation that happened under its eyes. However, in Australia, the situation is perhaps getting worse as the Government has created a separate telecoms wholesale company to prevent the incumbent Telstra from maintaining its stranglehold on the market, as happened in the 1990s, as mentioned above.

The plan envisaged by the Australian Labor Government was to develop a super-high-speed broadband network based on fiber to the home infrastructure. The argument was that this would create a very powerful new platform on which all players in the telecoms market had an equal retail chance to build a range of new digital economy products and services. Putting aside whether the existing telcos would indeed be able to build and deliver such services, the fact is that this network eventuated.

So the traditional telcos now have a double whammy against them. They missed out on value-added revenue opportunities. They lost this market to internet companies. On top of that, they are now also being squeezed in their traditional market of providing connectivity services.

This is not a pretty picture for the industry, and it will be interesting to see how this will develop over the coming years. I have always argued that the telecoms market is a critical one for nation-building and is a national asset and should not just be looked at from a profit-making perspective.

We now see international nervousness about Chinese companies dominating the telecoms industry. Perhaps it is time to have a holistic look at the telecoms market and — as a nation — make decisions about what we expect from this market and what the industry means for our society and economy. As mentioned before, such an all-encompassing review is well and truly overdue.

Written by Paul Budde, Managing Director of Paul Budde Communication


More under: Telecom

Categories: News and Updates

A ccTLD & a .Com That Was Quickly Flipped for a 500% Profit Top This Week's Sales Chart

DN Journal - Wed, 2019-08-14 22:51
How would you like to buy a domain for $10,000 and sell it for $50,000 four months later? That happened with one of this week's top sales while a ccTLD led the chart.
Categories: News and Updates

Ireland Leads Europe's .eu Domain Registrations in Q2

Domain industry news - Wed, 2019-08-14 22:26

Ireland is reported as the top country for the growth of .eu domains in the second quarter of 2019. The latest report released by EURid, the operator of Europe's .eu domain, has attributed 18% of the growth of the European domain to Ireland followed by Portugal with 16.1% and Norway with 10.8%. "The high increase in Ireland could be related to the notice about UK withdrawal from the EU and its subsequence to UK .eu domain name holders," says EURid. "Some of the UK domain name holders may have had the chance to transfer the domain names to their branches in other countries of the EU and EEA, e.g. the neighboring Ireland." Germany remains the top country of registrants with close to a million (978,566) .eu domains registered.


More under: Domain Names, Registry Services

Categories: News and Updates

Second edition of ‘Domain Name Arbitration’ published

Domain Name Wire - Wed, 2019-08-14 15:41

An updated guide on UDRP.

Domain Name Arbitration, Second Edition by Gerald Levine

Domain name attorney Gerald Levine has published Domain Name Arbitration, Second Edition.

Levine published the first edition in 2015. That means thousands of additional UDRP cases have been decided in the interim that he was able to draw upon to update the book.

In the foreword to the book, Levine notes that, in the second edition, “I have rewritten many of the sections; and where I have not added I have tweaked and refined my thoughts about the jurisprudence to make the principles, factors and concepts of the law more accessible.”

He has also included an expansive index.

The book is not light reading. It is designed for lawyers and intellectual property professionals to understand the nitty-gritty of UDRP. Many panelists would benefit from reading it, too.

Levine is perhaps the best writer on the topic of UDRP and anyone needing an in-depth understanding of UDRP should read it.

The book is available on

Categories: News and Updates

21 end user domain name sales

Domain Name Wire - Wed, 2019-08-14 13:40

An event venue in Montreal, a Milwaukee apartments company, and ClassPass bought domain names this past week.

The creators of the PY1 venue in Montreal bought They use for their website. Photo from

This week’s list of end user domain sales at Sedo doesn’t have any big-ticket domains, but it makes up for it in volume. Some companies bought matching ccTLDs while the creator of a pyramid-shaped venue in Montreal bought a .com to match its .co domain.

Here’s the list, and you can view previous lists like this here.

  • $13,500 – It appears the buyer’s first and middle names are James Garrison. Seems like a lot for this domain, doesn’t it?
  • €9,910 – PT Kifa Citra Sejati is a company in Jakarta that sells food products. I’m not sure what this domain is for but it could be a brand.
  • $9,899 – PY1 is a new venue in Canada developed by Lune Rouge. It uses the domain name
  • $9,500 – ADCADA, a trading, real estate, finance and marketing company, bought the .com to match its .de domain name.
  • $5,799 – Avalon Holdings operates waste management services, golf courses and resorts.
  • €5,500 – German company DABEI GmbH. Fluit is Dutch for whistle, but I can’t figure this one out.
  • $5,250 – Metropolitan Associates is an apartment company in Milwaukee. It uses the domain name
  • €4,488 – Logictree, Inc is a software company. This might be for one of its new projects.
  • £4,500 – The domain forwards to OMSAG, a digital marketing company. Given that this domain ends in AG, it might be a related company name.
  • $4,000 – The buyer operates ABL Aviation, an aircraft leasing company.
  • $4,000 – Software company Bentley. The company filed a trademark application last week for the term.
  • $3,750 – Philosophy Brands GmbH is a marketing company in Germany. This might be for a client.
  • $3,500 – Proximify provides web solutions to government and academic organizations.
  • €3,080 – Suding makes precast concrete. The domain translates to “concrete factory” in German.
  • $2,888 – ClassPass, a popular program to visit exercise classes, forwards this domain to
  • $2,500 – The buyer is setting up a financial template on Wix.
  • €2,150 – Lighthouse Wealth Management.
  • €2,150 – Green Angels has a coming soon page and states that it’s “on a mission to fight global waste and environmental crisis by empowering people with innovative tools, knowledge and connections to help make positive lifestyle changes.”
  • $2,060 – HubGarage is a site about automotive gear.
  • £2,000 – Makeup seller CharlotteTilbury forwards this domain to its .com.
  • $2,000 – Pieper Electric is an electrical contractor in Wisconsin.

Categories: News and Updates

Who bought the top 20 sales at Uniregistry this week

Domain Name Wire - Tue, 2019-08-13 17:47

A Costa Rican e-commerce company, wound care certification organization, and smart home company bought domains at Uniregistry.

Uniregistry recently published its top 20 sales of July, and now it’s going to start publishing its top 20 weekly sales (well, those that it can make public).

It’s great to have this additional data available for the market. I’m not sure if it warrants a weekly end user report on Domain Name Wire because of the size of the list. It might need to be monthly. Or a combination with the Sedo report. But for now, let’s give it a shot.

Here’s what I dug up on the top 20 sales at Uniregistry this past week.

1. $25,000 – It’s an end user price but it’s unclear who bought it. Whois shows it’s someone in Japan. is for sale at BrandBucket.

2. $18,000 – It’s under Whois privacy at GoDaddy but there are a lot of companies that would want to upgrade to this name.

3. $13,000 – Unimart selling at Uniregistry? Yep. The buyer is Barulu S.A., an e-commerce company in Costa Rica.

4. $12,000 – Just a coming soon page on this domain.

5. $11,500 – iApts is short for iApartments. This company helps apartments become smart apartments with connected devices. It does not own iApartments, which is an apartment locator.

6. $10,000 – Relias LLC runs the Wound Care Education Institute, or WCEI for short. The .com is an upgrade to its current domain.

7. $10,000 – A line sheet is like a mini catalog, and this site helps you create them easily.

8. $10,000 – All I can tell at this point is that the buyer is in Saudi Arabia.

9. $10,000 – The domain has GoDaddy Whois privacy and still resolves to a Uni lander.

10. $7,600 – A buyer in the Netherlands.

11. $7,600 – Still under privacy at Uniregistry.

12. $7,000 – Doesn’t resolve and no Whois info.

13. $7,000 – The buyer is setting up a WordPress site.

14. $5,580 – A company called Trichterheide nv bought the domain.

15. $5,175 – I don’t know who bought it but I can guess what they’ll do with it.

16. $5,000 – Whois shows a buyer in Washington state.

17. $5,000 – Walker Construction is a construction company in Kentucky, building bridges, highways and more.

18. $5,000 – What do you think – end user or investor? A plutocrat is someone whose power derives from their wealth.

19. $4,000 – There are a lot of ABC Roofing companies out there, and this one is in Georgia.

20. $3,700 – ZeroBase is a web developer in Japan. It’s probably for a project or client.

Categories: News and Updates

MANRS Observatory: Monitoring the State of Internet Routing Security

Domain industry news - Tue, 2019-08-13 17:12

Routing security is vital to the future and stability of the Internet, but it's under constant threat. Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, driven by the networking community and supported by the Internet Society, aiming to reduce the most common threats to the Internet's routing system through technical and collaborative action. As the effort gets traction and more awareness, we, as the MANRS community, need to ensure its transparency and credibility. This is why we've launched a free online tool so that MANRS participants can see how they're doing, and what they can improve, while anyone can see the health of the Internet routing at a glance. The MANRS Observatory measures networks' adherence to MANRS — their "MANRS readiness" — a key indicator of the state of routing security and resiliency of the Internet.

Here is what the MANRS Observatory is in a nutshell:

  • Performance Barometer: MANRS participants can easily monitor how well they adhere to the requirements of this initiative and make any necessary adjustments to their security controls.
  • Business Development: Participants can see how they and their peers are performing. They can leverage the MANRS Observatory to determine whether potential partners' security practices are up to par.
  • Policy: Policy makers can better understand the state of routing security and resilience and help improve it by calling for MANRS best practices.
  • Social Responsibility: MANRS implementation is simple, voluntary, and non-disruptive. The Observatory can help participants ensure they and their peers are keeping their networks secure, which helps improve routing security of the Internet as a whole.

The Observatory has two views: public, open to everyone, and private, available to MANRS participants. The public view user can look at the routing security metrics and statistics on a global, regional, and economic level, while MANRS participants can see performance of individual networks (of more than 64,000!) and even drill down to a detailed monthly incident report for the networks they operate.

  • The public view is aimed at anyone interested in routing security. Users can see the status at a glance for every country on an interactive global map and drill down into data for a chosen country.
  • The private view is intended for network operators. It lets them measure their MANRS readiness and quickly identify problematic areas to help them improve the security of their networks. It also adds an element of accountability where networks can see how well others are keeping their side of the street clean, which helps improve routing security of the Internet as a whole.

The metrics and statistics to measure MANRS readiness are calculated by tracking the number of incidents and networks involved, their anti-spoofing capabilities, and completeness of routing information in public repositories, such as IRRs and RPKI. This data is gathered from trusted third-party sources. (For more information on how MANRS readiness is measured, read "Measurement Framework".) The Observatory was developed jointly with the MANRS community but still has to pass the test of real-life usage and validation by MANRS participants.

One of the main objectives of the Observatory was to report on cases of MANRS non-compliance, and it provides reliable information on that. However, measuring network security from the outside is difficult, and even with highly-reputed data sources, there are sometimes false positives or false negatives (an incident that went unnoticed by the data collection systems). To put it into context, in 2018 alone, there were more than 12,000 routing outages or attacks, such as hijacking, leaks, and spoofing. We're working with our partners to improve the quality of incident data continuously.

While MANRS is seeing steady adoption — worldwide, there are now over 200 network operators and more than 30 IXPs supporting our initiative — we need more networks to implement the actions and more customers to demand routing security best practices. The more organizations apply MANRS actions, and the fewer security and related incidents happen, the more secure and resilient the Internet will be!

Explore the MANRS Observatory.

A slightly edited version of this article was published here in the Internet Society's blog.

Written by Andrei Robachevsky, Senior Technology Programme Manager at Internet Society


More under: Cybersecurity, Networks

Categories: News and Updates

Turmoil in the SSL market

Domain Name Wire - Tue, 2019-08-13 15:49

A big revenue generator is quickly declining.

Google’s campaign in recent years to push websites to use an SSL certificate has been a boon to everyone in the SSL marketplace, including certificate issuers and hosting companies.

But what Google giveth, Google can taketh away. And this is wreaking havoc on the business of selling SSL certificates.

Google is continually downgrading positive indicators of SSL certificates in Google Chrome. Other browser makers are, too.

Of course, Google also backs Let’s Encrypt, which lets the technically-minded get free SSL certificates.

It seems that companies profiting from SSL certificates have found two ways to stretch out this cash cow in the face of downgraded browser benefits and free SSL providers.

As far as the browser benefits are concerned, SSL sellers have promoted Extended Validation (EV) Certificates. These are the ones that show the company name in the address bar next to the URL.

Or rather, did show the company name. Even that’s coming to an end. Troy Hunt explains why EV is dead, thanks to downgrades by the browser makers themselves.

On the hosting side, some companies force users to use their own SSL rather than a free certificate. For example, GoDaddy’s Managed WordPress only works with GoDaddy certificates. And they are pricey.

The GoDaddy managed WordPress starter plan is $9.99 per month. SSL is $79.99 per year, so $6.66 per month. This makes the cheapest WordPress package 66% more expensive than it appears.

To show how silly this is, consider that GoDaddy’s Website Builder plans all come with an SSL certificate and the cheapest plan is $5.99 per month. So you can get a website builder with SSL for less than GoDaddy charges for an SSL certificate. Only you can’t apply this SSL certificate to your WordPress site.

SSL is still a cash cow for many companies. But it’s dwindling.


Categories: News and Updates

There is Always a Back Door

Domain industry news - Tue, 2019-08-13 01:06

A long time ago, I worked in a secure facility. I won't disclose the facility; I'm certain it no longer exists, and the people who designed the system I'm about to describe are probably long retired. Soon after being transferred into this organization, someone noted I needed to be trained on how to change the cipher door locks. We gathered up a ladder, placed the ladder just outside the door to the secure facility, popped open one of the tiles on the drop ceiling, and opened a small metal box with a standard, low-security key. Inside this box was a jumper board that set the combination for the secure door.

First lesson of security: there is (almost) always a back door.

I was reminded of this while reading a paper recently published about a backdoor attack on certificate authorities. There are, according to the paper, around 130 commercial Certificate Authorities (CAs). Each of these CAs issues widely trusted certificates used for everything from TLS to secure web browsing sessions to RPKI certificates used to validate route origination information. When you encounter these certificates, you assume at least two things: the private key in the public/private key pair has not been compromised, and the person who claims to own the key is really the person you are talking to. The first of these two can come under attack through data breaches. The second is the topic of the paper in question.

How do CAs validate that the person asking for a certificate is actually who they claim to be? Do they work for the organization they are obtaining a certificate for? Are they the "right person" within that organization to ask for a certificate? Shy of having a personal relationship with the person who initiates the certificate request, how can the CA validate who this person is and if they are authorized to make this request?

They could research the person — check their social media profiles, verify their employment history, etc. They can also send them something that, in theory, only that person can receive, such as a physical letter, or an email sent to their work email address. To be more creative, the CA can ask the requestor to create a small file on their corporate web site with information supplied by the CA. In theory, these electronic forms of authentication should be solid. After all, if you have administrative access to a corporate web site, you are probably working in information technology at that company. If you have a work email address at a company, you probably work for that company.

These electronic forms of authentication, however, can turn out to be much like the small metal box which holds the jumper board that sets the combination just outside the secure door. They can be more security theater than real security.

In fact, the authors of this paper found that some 70% of the CAs could be tricked into issuing a certificate for just about any organization — by hijacking a route. Suppose the CA asks the requestor to place a small file containing some supplied information on the corporate web site. The attacker creates a web server, inserts the file, hijacks the route to the corporate web site, so it points at the fake web site, waits for the authentication to finish, and then removes the hijacked route.

The solution recommended in this paper is for the CAs to use multiple overlapping factors when authenticating a certificate requestor — which is always a good security practice. Another solution recommended by the authors is to monitor your BGP tables from multiple "views" on the Internet to discover when someone has hijacked your routes, and take active measures to either remove the hijack, or at least to detect the attack.

These are all good measures — ones your organization should already be taking.

However, the larger point should be this: putting a firewall in front of your network is not enough. Trusting that others will "do their job correctly," and hence that you can trust the claims of certificates or CAs, is not enough. The Internet is a low trust environment. You need to think about the possible back doors and think about how to close them (or at least know when they have been opened).

Having personal relationships with people you do business with is a good start. Being creative in what you monitor and how is another. Firewalls are not enough. Two-factor authentication is not enough. Security is systemic and needs to be thought about holistically.

There are always back doors.

Written by Russ White, Infrastructure Architect at Juniper Networks


More under: Cybersecurity

Categories: News and Updates
