
As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program - ivank
http://blog.easydns.org/2014/01/21/icann-unleashes-deadliest-ddos-attack-vector-of-2014/?
======
akerl_
The title is pretty much linkbait.

If you change registrar-level things about your domain, they're now required
to confirm your contact info with you. This isn't a "DDoS", or "deadly", or
any of that nonsense: it's a new strategy to ensure whois data stays updated.

Whether or not it's an _effective_ strategy for keeping whois data accurate is
another debate (I don't think it is), but talking about it like some malicious
act is pointless.

~~~
thaumaturgy
The end of the article raised a good point though: this is going to train
people to click on links in emails that look like they came from their
registrar.

That's bad.

The registrar is public information. The registrant's contact information is
public (or at least publicly accessible). So, wait a year for people to get
accustomed to clicking on links in emails from their registrar, pick a target
domain, forge an email from the registrar, send it to owner contact with a
link to a phishing page. Congratulations, enjoy your new domain.

~~~
derefr
The email address doesn't seem to be the thing registrars should be
"validating" about contact information, anyway. Shouldn't my registrar be
calling/texting a code to the included phone number, and sending a letter with
another code to the included mailing address?

------
buro9
A troll once tried to take one of my websites off-line by reporting to ICANN
that the whois info was fake:

[http://www.icann.org/en/resources/compliance/complaints/whoi...](http://www.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form)

That was... interesting.

Good timing on the troll's part as I was migrating from 123-reg to Gandi at
just that moment and had to persuade both of them that I was who I said I was
and that the info was correct.

If I recall correctly it involved proof that there was a company behind it
(company registration documents), proof that the address for the company was
correct, and proof that I worked for the company and had the right to
represent it.

It's pretty scary to think that your domain might be pulled, and the web
properties and email with it, based on a third party report.

At least with this proposal a 15-day window to verify details when you change
info is an expected thing.

Oh, and ICANN sent the notification via the registrar to the admin email on
the domain... make sure you're monitoring all of those email addresses.

------
jrockway
This is apparently so the physical mail spammers can send me more physical
mail along the lines of "This is the Domain Registry of America! Pay us $1000
to keep your domain!"

Uh, no. Where's the FTC when I need it...

~~~
xenophanes
I got email from the people who run .us domains demanding a photo of my
driver's license to prove I'm American. They did not understand why I might
think they were scammers and want them to verify _their_ identity first, nor
did they understand _how_ to verify their identity.

~~~
jrockway
Are you sure it was them? Having a verified personal identity is not a
requirement to have a .us domain. All you need to prove is that you have "a
bona fide presence in the United States of America or any of its possessions
or territories [Nexus Category 3]."

(It goes into detail claiming that you need to "state" your country of
citizenship, but not that you need to "prove" your country of citizenship. An
identity document is massively overreaching, IMHO. I never had to prove
anything to get jrock.us, and if I have to, I will move the domain.)

~~~
xenophanes
I ended up thinking it was not a scam but being uncomfortable. It's possible I
had originally put a fake address for my whois info, possibly triggering this,
I forget. I'm not 100% sure.

Here are the people; I spoke with them on the phone:
[http://www.neustar.us](http://www.neustar.us)

Here is their first email, in April 2011:

Greetings,

As you may be aware, in November 2001, the United States Department of
Commerce ("DOC") selected NeuStar, Inc. ("NeuStar") to be the Administrator of
the .US top-level domain ("usTLD"), the official top-level domain for the
United States of America. As Administrator of the usTLD, NeuStar has agreed to
perform random "spot checks" on registrations in the usTLD to ensure that they
comply with the usTLD Nexus Requirements which can be found at
[http://www.neustar.us/content/download/2659/32865/ustld_nexu...](http://www.neustar.us/content/download/2659/32865/ustld_nexus_requirements.pdf)
("Nexus Requirements").

Our records indicate that you are the registrant of the domain name CURI.US.

On April 28, 2011, this domain name was selected for Nexus revalidation and
confirmation. According to the information you provided with your registration
of this Domain Name, you indicated that you qualify under:

Category 1 - You are a US citizen or permanent resident

As part of our verification process, we ask that you provide to us by no later
than ten (10) days after the date set forth above, a written response
describing how you qualify under the above Nexus category.

In addition, please verify that the name-servers that you have selected to use
are also physically located within the United States as required by the Nexus
Requirements.

In some instances, we may request additional documentary evidence from you to
demonstrate that you meet the Nexus requirements.

You should be aware that if you either (i) do not respond within the ten (10)
days, or (ii) are unable to adequately explain or demonstrate through
documentary evidence that you meet any of the Nexus Requirements, NeuStar may
issue a finding that your entity or organization has failed to meet the Nexus
Requirements. Upon such a finding, you will then be given a total of ten (10)
days to cure the US Nexus deficiency. If you are able to demonstrate within
ten (10) days that your entity or organization has remedied such deficiency,
you will be allowed to keep the domain name. If, however, you either (i) do
not respond within the ten (10) days of such a finding of noncompliance, or
(ii) are unable to proffer evidence demonstrating compliance with the Nexus
Requirements, the domain name registration will be deleted from the registry
database without refund, and the domain name will be placed into the list of
available domain names.

Thank you for your cooperation in this matter. Please let us know if you have
any questions.

Kind Regards,

John
.US Nexus Compliance
NeuStar
.US America's Internet Address
Email: nexus-compliance@neustar.us

------
Glyptodon
I still don't understand why you even need to have an 'identity' to register a
domain. They should be happy with a valid email address and leave it at that.

~~~
pjc50
Takedowns and law enforcement.

------
kijin
How is this different from all the other online services that require you to
click a link in an email in order to verify it, and refuse to give you full
membership until you do so?

Some of the registrars I use have implemented this policy lately. Turns out
it's a non-issue as long as your contact info is valid and up to date (which
it should already be).

It doesn't conflict with whois privacy, either, contrary to all the FUD that
gets spread around. Any whois privacy service that is worth the cost will
forward the verification request to your real email address, and if it
doesn't, you should switch to a better service. Using a crappy whois privacy
service with no email forwarding is a surefire way to lose your domain anyway.

~~~
afhof
"(which it should already be)."

No, why should domains be required to be attached to an individual person?

~~~
kijin
Domains are required to be attached to an email address that can actually
receive emails.

An email address is not an individual person.

------
richardjordan
The domain name industry is a dirty scummy dishonest business. There isn't a
company one can deal with that at some point won't make you feel like you're
forced to work with crooks just to get an online presence.

~~~
StuntPope
Don't tell my mom I'm a domain registrar! She thinks I'm a webmaster for a
cyberporn website.

------
kolev
ICANN is a mafia! They did this to actually force some old domains to get back
into the market. ICANN as an organization will profit little from this, but
the people bribing them (domainers, auction sites, domain escrows, etc.) will
vastly profit from it. Imagine what would happen if somebody sends you a
letter and they get back a letter saying that you cannot receive the letter as
you didn't verify your name with USPS? It's 2014 and things like redemption
period and fees are daylight legalized scams. I cannot believe that we allow
ICANN to do whatever they want with us for so long!

~~~
talideon
Actually, this whole thing was included under pressure from law enforcement
agencies (LEAs). Registrars, registries, and ICANN themselves would much
prefer we stuck with the old WDRP regime where all that happens is that the
registrars periodically ask that registrants verify that the information
provided is correct. This new LEA-mandated nonsense is nothing but a drain on
registrars (which is a business with thin margins as it is).

Also, redemption isn't a scam, it's a fine to discourage people from making
ridiculously late payment! You're given a _45 day_ window after a domain
expires to pay for the renewal before the domain ends up in redemption, and
registrars are required to send at least three separate reminder emails at
specific intervals to tell you the domain is expiring or has expired. If you
can't pay your bills within 45 days, ICANN, the registries, and the registrars
aren't the problem: your own incompetence is the problem.

~~~
kolev
No, ICANN is legitimized fraud. You can be 90 days overdue with utilities and
you pay a relatively small fee. Phone companies don't give your phone number
to your competitor or auction it. This is ridiculous! If the annual fee is
$10-15, one shouldn't charge $150 a redemption (i.e. extortion fee)!

~~~
talideon
It's called an 'expiration date' for a reason: that's the date you're supposed
to have paid for continued service by. The grace period (and the redemption
period) are leeway. It's in no way an extortion fee: you're given plenty of
notice before the domain expires, and if it ends up in redemption, you only
have your own incompetence to blame.

Also, you don't _own_ the domain, it's a lease. If you let a domain expire and
a competitor snaps it up, that's on you, not the registrar. You can initiate
UDRP actions to recover it, but it's your fault.

------
jotm
Is this supposed to stop people from registering using fake information?
That's cute. Any criminal worth their salt will forge that info (including
paper scans) in a jiffy. One more inconvenience for 95% of the users.

------
EGreg
Okay why are we still using a centralized domain name system with authorities?
Do we enjoy the crazy keyholders from various countries meeting in secret
thing?

We can have many decentralized ways of registering and transferring domains.
Namecoin is one, but how hard is it to decentralize the DNS database?

~~~
adventured
To honestly answer your question: the we you refer to isn't in control /
power.

The system is centralized because the control over nations is centralized. It
will remain that way so long as political power remains centralized.
Particularly given the immense importance of the internet economy now to most
major nations. The political powers that be are not about to let go of
something so important. The domain name system is a huge point of control over
national and global economics. If I were a standard issue politician, I'd make
you pry it from my cold dead hands.

~~~
EGreg
What is to prevent an open source DNS server from being deployed all around the
world by various people? And browser makers would just add it to the list of
servers once it gets big enough.

Until then, people could download a program or instructions that would add it,
similarly to Google's DNS or OpenDNS.

Except it would not use the regular DNS system on the back end, but supplement
it with its own rules, e.g. not taking a domain offline when registrars do.

~~~
vidarh
Nothing except inertia. There are many alternative root operators. It's just
that none of them have managed to convince enough people to use them.

------
axaxs
What is your complaint, exactly? I'd be happy to know that someone cannot
transfer my domain out nor change my contact information without verification.
15 days is more than ample time, assuming I initiated the action. And what the
hell does DDoS have to do with any of it?

------
billspreston
Can this be done via a "click here to confirm" email, or does this require
phone conversations with the registrar? I don't like registering domains using
my real name.

~~~
ivank
I got such an email from Namecheap yesterday, and confirmed it with one click.

And unlike the intended trigger for verification ("changes to contact
information"), I didn't make any changes to my domain. Either a WHOIS cloak
expired, or some other action by Namecheap triggered the verification step.

~~~
gabemart
The email Namecheap sends out is very shady looking. I had to google around
quite a bit before concluding it was genuine. The verification link leads to
the domain raa.name-services.com and is not delivered over https. It looks
exactly like I imagine a targeted phishing email to look.

~~~
dangrossman
That's the same domain they use in the e-mail you get asking you to review the
accuracy of your WHOIS data. They send that e-mail for every domain you own,
every year, as required by ICANN. For Namecheap customers, the domain should
be familiar, after the first mail at least.

The subject line of those mails is: Important Notice Regarding Your Domain
Name(s)

The new mails have a stronger subject line: IMMEDIATE VERIFICATION required
for [domain]

------
Canada
Everyone who's already screwed themselves with domains by proxy is in for a
new world of hurt.

~~~
talideon
If you're talking about the GoDaddy service, they're not. If you're talking
about WHOIS privacy services in general, then possibly.

If you use a registrar's WHOIS privacy service, then the registrar still has
the (supposedly) correct details and are simply masking them in WHOIS. There's
no issue there. However, if you're not using the registrar's own WHOIS privacy
service, then yeah, you're potentially opening yourself up to a world of pain,
as (a) the domain is no longer actually registered to you in a manner
verifiable to the registrar and (b) you might not be able to receive important
notification emails that the registrar is required to send you (such as expiry
notices).

------
nitrogen
Cui bono?

~~~
talideon
Law enforcement agencies. They're the ones that asked for this nonsense.

------
Cless
So much linkbait on HN today.

------
throwaway-icann
This bit me kind of bad yesterday.

I was about to drive out of cell range and got a text that a client's site had
some strange page displaying.

Unfortunately, they repointed the DNS servers of the domain, and the client had
the contact email MX records associated with the same domain.

The actual site gets 'DNS hijacked' by ICANN until you fill out a captcha on
your site's new page and it emails the whois email account on record with the
link.

Had to log into the registrar, luckily had the client's account info, changed
the email, and got it verified.

That was 3am yesterday.

Says it takes 24 to 48 hours to update, but it was only like 8.

Still, if you had an ecommerce site or conduct time-sensitive business via
email, be careful.

Because, if you do not see the email, your site will be hijacked by ICANN.

~~~
jrockway
How do they email you if your contact email is on the domain they just
suspended? Time to set a TTL of 100 years, or something, I guess.

~~~
cschmidt
You should never use a contact email that is on the domain for the DNS record
in question. Only bad things can result. I use my most basic fastmail.fm email
for that purpose.
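
The failure mode throwaway-icann hit above, and cschmidt's rule for avoiding it, as an added check that is not part of this thread or of any registrar's tooling. It flags a WHOIS contact address whose mail delivery depends on the domain being verified: the obvious case (the mailbox is on the domain or a subdomain of it) and the indirect case (the mailbox is on another domain, but that domain's MX hosts live under the verified domain, so a registrar hold still breaks delivery). The MX data and the resolver are constructed stand-ins so it runs offline; `SAMPLE_MX`, `sample_resolver`, `contact_email_risk` and `audit` are names made up for this example, and a real deployment would swap in an actual MX lookup.

```python
"""Flag WHOIS contact addresses whose mail delivery depends on the domain itself."""

from __future__ import annotations

from typing import Callable

# A resolver maps a mail domain to the hostnames in its MX records.
MxResolver = Callable[[str], list[str]]

# Constructed sample MX data for offline use (not real DNS records).
SAMPLE_MX: dict[str, list[str]] = {
    "example.com": ["mail.example.com"],
    "example.org": ["mx1.example.com", "mx2.example.com"],
    "example.net": ["mx.example.net", "mx-backup.example.com"],
    "mail.example.test": ["inbound.example.test"],
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def sample_resolver(mail_domain: str) -> list[str]:
    """Hypothetical stand-in for a real MX lookup, backed by SAMPLE_MX."""
    return SAMPLE_MX.get(normalize(mail_domain), [])


def is_under(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or any label below it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def contact_email_risk(domain: str, contact_email: str,
                       resolve_mx: MxResolver = sample_resolver) -> tuple[str, str]:
    """Classify the contact address for `domain`.

    Returns (verdict, reason) where verdict is one of:
      "self-hosted"   mailbox is on the verified domain or a subdomain of it
      "mx-dependent"  mailbox is elsewhere, but every MX host for it lives
                      under the verified domain
      "mx-partial"    some, not all, MX hosts live under the verified domain
      "no-mx"         the mail domain publishes no MX records at all
      "ok"            delivery does not depend on the verified domain
    """
    if contact_email.count("@") != 1:
        raise ValueError(f"not a plain mailbox address: {contact_email!r}")
    mail_domain = normalize(contact_email.rsplit("@", 1)[1])

    # Direct case from the thread: the mailbox lives on the domain itself.
    if is_under(mail_domain, domain):
        return ("self-hosted",
                f"{contact_email} is on {mail_domain}, which is under {domain}")

    mx_hosts = resolve_mx(mail_domain)
    if not mx_hosts:
        return ("no-mx", f"{mail_domain} publishes no MX records")

    # Indirect case: another domain, but its mail exchangers sit under the
    # verified domain, so a hold on that domain still breaks delivery.
    dependent = [h for h in mx_hosts if is_under(h, domain)]
    if dependent and len(dependent) == len(mx_hosts):
        return ("mx-dependent",
                f"all MX hosts for {mail_domain} are under {domain}: {dependent}")
    if dependent:
        return ("mx-partial",
                f"some MX hosts for {mail_domain} are under {domain}: {dependent}")
    return ("ok", f"{mail_domain} mail delivery does not depend on {domain}")


def audit(pairs, resolve_mx: MxResolver = sample_resolver):
    """Run the check over (domain, contact_email) pairs; return the risky ones."""
    findings = []
    for domain, email in pairs:
        verdict, reason = contact_email_risk(domain, email, resolve_mx)
        if verdict != "ok":
            findings.append((domain, email, verdict, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample WHOIS contacts to audit.
    sample_contacts = [
        ("example.com", "admin@example.com"),
        ("example.com", "hostmaster@corp.example.com"),
        ("example.com", "admin@example.org"),
        ("example.com", "admin@example.net"),
        ("example.com", "admin@example.test"),
        ("example.com", "admin@mail.example.test"),
    ]
    for finding in audit(sample_contacts):
        print(*finding, sep=" | ")
```

The "mx-partial" verdict is worth keeping separate from "ok": a backup MX that survives the hold will still accept the registrar's mail, but only if the primary is unreachable rather than failing in a way the sender treats as permanent, so it is a weaker guarantee than a fully independent mail domain.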

~~~
jrockway
google.com appears to use a google.com email address in its DNS record.

~~~
jessaustin
Google probably have a real live person they can call if this gets messed up,
or even has the potential to get messed up a few months from now.

