Fwd: Proposed Referral to SSAC on WHOIS impacts on domain security and stability

Wendy Seltzer wendy at SELTZER.COM
Fri Jun 29 16:04:08 CEST 2012


Hi NCSG,

I think we had a great and productive meeting in Prague, and look
forward to pushing forward with renewed energy in the group between now
and Toronto. 

While talking about the Registrar Accreditation Agreement and the WHOIS
Review Team Report, I noted that email verification could pose security
risks.  Further, I think the Security and Stability Advisory Committee
would be well-placed to analyze the security threats. I'm proposing this
note to Patrik Fältström, SSAC chair, to refer the question to the SSAC
for potential investigation.

Good travels and a good weekend to all,
--Wendy



Subject: Referral to SSAC on WHOIS impacts on domain security and stability
Dear Patrik:

On behalf of the Non-Commercial Stakeholder Group, representing
non-commercial Internet registrants and users in the GNSO, I write with
some security questions about recent WHOIS proposals in the WHOIS Review
Team Final Report and Recommendations [0] and the draft Registrar
Accreditation Agreement [1].  Specifically, I am concerned that email or
phone validation, whether pre- or post-resolution of a domain name,
introduces new risks to the stability of that name. As SSAC is charged
with advising the ICANN Community and Board on "matters relating to the
security and integrity of the Internet's naming and address allocation
systems," [2] I believe its analysis would be valuable here. (I
acknowledge that most of the concerns relate to the security and
stability of individual domain names, but as they stem from a systemic
weakness in the proposed domain registration system.)

For example, if validation by returning an email were required before a
newly-registered domain name is permitted to resolve, as requested by
Law Enforcement [3], the potential registrant must find an alternate
provider of secure email by which to receive the validation, or risk
losing the name because he cannot do so.

At any point when such validation is required -- annually, upon
registration or renewal, or in response to a third-party complaint of
"inaccuracy" -- that could provide an opportunity for an attacker to
target a man-in-the-middle or phishing attack on the user's server or
client, or a denial of service at the user's mailserver (known, from the
email published in WHOIS). If a name is to be put on hold or suspended
because of a registrant's failure to respond, these attacks provide a
way to destabilize registrant's control of the domain and any further
systems that depend upon it.

Second, these communications train users in poor security practices. I
note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
signed, so users are not currently primed or able to verify the
authenticity of these communications. Encouraging them to provide
sensitive personal and/or systems information in response to such emails
harms them.

Similar concerns apply to the "accuracy" validation recommendations of
the WHOIS Review Team report. I believe that a full threat analysis
would be valuable and likely to identify additional risks to domain
registrants and the registration system.

Please feel free to get in touch if I can provide further information.
We at NCSG would be happy to work with you to refine the questions for
analysis.

--Wendy

[0]
http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf
[1]
http://prague44.icann.org/meetings/prague2012/presentation-draft-2012-raa-03jun12-en.pdf
[2] http://www.icann.org/en/groups/ssac/charter
[3]
https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf



More information about the Ncuc-discuss mailing list