Referral to SSAC re: impacts of WHOIS on domain security and stability

Wendy Seltzer wendy at SELTZER.COM
Tue Jul 3 08:51:57 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Patrik:

On behalf of the Non-Commercial Stakeholder Group, representing
non-commercial Internet registrants and users in the GNSO, I write
with some security questions about recent WHOIS proposals in the WHOIS
Review Team Final Report and Recommendations [0] and the draft
Registrar Accreditation Agreement [1].  Specifically, we are concerned
that email or phone validation, whether pre- or post-resolution of a
domain name, introduces new risks to the stability of that name and
systems that depend upon it. As SSAC is charged with advising the
ICANN Community and Board on "matters relating to the security and
integrity of the Internet's naming and address allocation systems,"
[2] we believe its analysis would be valuable here. (We acknowledge
that most of the concerns relate to the security and stability of
individual domain names, but those stem from a systemic weakness in
the proposed domain registration system.)

For example, if validation by returning an email were required before
a newly-registered domain name were permitted to resolve, as requested
by Law Enforcement [3], the potential registrant must find an
alternate provider of secure email by which to receive the validation,
or risk losing the name because he cannot do so.

At any point when such validation is required -- annually, upon
registration or renewal, or in response to a third-party complaint of
"inaccuracy" -- that could provide an opportunity for an attacker to
target a man-in-the-middle or phishing attack on the user's server or
client, or a denial of service at the user's mailserver (known, from
the email published in WHOIS). If a name is to be put on hold or
suspended because of a registrant's failure to respond, these attacks
provide a way to destabilize registrant's control of the domain and
any further systems that depend upon it.

Second, these communications train users in poor security practices. I
note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
signed, so users are not currently primed or able to verify the
authenticity of these communications. Encouraging them to provide
sensitive personal and/or systems information in response to such
emails harms them.

Similar concerns apply to the "accuracy" validation recommendations of
the WHOIS Review Team report. I believe that a full threat analysis
would be valuable and likely to identify additional risks to domain
registrants and the registration system.

Please feel free to get in touch if I can provide further information.
We at NCSG would be happy to work with you to refine the questions for
analysis.

Best,
- --Wendy

[0]
http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf
[1]
http://prague44.icann.org/meetings/prague2012/presentation-draft-2012-raa-03jun12-en.pdf
[2] http://www.icann.org/en/groups/ssac/charter
[3]
https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf

- --
Wendy Seltzer -- wendy at seltzer.org +1 617.863.0613
Fellow, Yale Law School Information Society Project
Fellow, Berkman Center for Internet & Society at Harvard University
http://wendy.seltzer.org/
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/yln0ACgkQuuui10VsrVHy9ACfdsuZZASRBTgk8eseHVECJn4q
T/sAn15payEjuZu6mVuuKkH3r35J05Af
=tawD
-----END PGP SIGNATURE-----


More information about the Ncuc-discuss mailing list