Export Compliance Daily is a service of Warren Communications News.
‘Major Change in Tone’

ICANN Recommends ‘Substantial,’ ‘Surprising’ Delays in New gTLD Program to Address Security Concerns

ICANN proposed a required four-month delay between contract-signing and delegation for the new generic top-level domains that pose even the lowest security risk, under a new investigation into the potential for name collisions. The higher-risk strings .home and .corp and about 280 strings with undetermined risk levels face indefinite delays under the proposal from ICANN staff, which was put forth for public comment Monday (http://bit.ly/13DacBH).

ICANN staff proposed the delay for all new gTLDs, based on the results of an independent study published Monday (http://bit.ly/154OEJQ). The study addressed the potential security impacts of applied-for new gTLDs that might present name collisions with non-delegated TLDs used in private namespaces, which has been an ongoing topic of discussion within the ICANN community for at least four years (WID June 5/09 p1). The activation in the root of strings identified as “low-risk” should be delayed by at least 120 days between contracting and launch to “help mitigate the risks related to the internal name certificates issue,” ICANN staff recommended in a separate proposal on how to implement the results of the study (http://bit.ly/13DacBH). After delegation, the new gTLDs must be delayed by another 30 days to allow operators to notify the point of contact for any IP addresses that issue DNS requests for the name. Staff also said the high-risk strings .home and .corp should not be delegated unless the risk could be substantially mitigated. A remaining 20 percent of strings, for which the study could not calculate risk, should be delayed until they can be further studied, staff said.

“It wouldn’t have any impact on the time to delegation,” said Cyrus Namazi, ICANN vice president-DNS industry engagement. He said that although the 120-day wait would be required under the current proposal, it could go on concurrently with the Sunrise, Claims and testing periods currently required before delegation. He said the 120-day recommendation was the “ultra-conservative” option. If the community says most strings could have risks mitigated within 55 days, “we're very open to that,” he said. “We are confident that the community can come back and essentially help us improve on it.”

Applicants said the delay wasn’t necessary to address the risks. “Any and all issues can be resolved within the current timeframe, as by most accounts, we still are months away from the first delegations,” said Raymond King, CEO of Top Level Design and an applicant for .wiki. A spokesman for the portfolio applicant Donuts, Inc. said “Donuts believes, and our own research confirms satisfactorily to us, that dotless domains and name collision are not threatening to the stability and security of the domain name system. Name collisions ... happen every day in .com, yet the study did not quantify those and VeriSign does not block those names from being registered.”

“We're concerned about false impressions being deliberately created and believe the reports are commercially or competitively motivated,” the Donuts spokesman said, echoing the earlier concerns of CEO Paul Stahura, who has criticized VeriSign for overblowing security issues in an attempt to maximize .com registrations and minimize registrations on other TLDs. “Rather than take the overdone step of halting or delaying these TLDs, if the issue really is such a concern, it would be wiser to focus on the second-level names where a conflict could occur,” the spokesman said. “As the NTIA recently wrote, VeriSign’s inconsistencies on technical issues are very troubling. These issues have been thoroughly studied for some time. It’s far past due to conclude this eight-year process and move to delegation.”

The .home and .corp strings could be “out of the game forever,” said Phil Corwin, Virtualaw attorney representing domain name owners. The staff proposal doesn’t outright call for their rejection, but it does set the bar high for mitigating the risks presented by the strings, he said. Both .home and .corp have several applicants, including Donuts.

Delayed delegation will necessarily affect applicants’ business models, and applicants could also be subject to additional cost burdens if they're required to reach out to the point of contact for any query their TLD receives in the 30 days after delegation, said Brian Winterfeldt, a Katten Muchin lawyer who represents intellectual property interests. He said some applicants are worried the added delay will “merely provide the Internet community and/or ICANN time to gather more questionable evidence regarding their risk,” giving them the opportunity to “unnecessarily push” the uncalculated-risk strings into the “high-risk” category.

“The applicant community is asking tech-savvy people in their organizations to get involved and draft public comments to address any issues where they believe ICANN is overreacting to unnamed and unspecified issues,” Winterfeldt said. Namazi said ICANN would welcome their input, and “it is important to note that the entire recommendation is posted for public comment.” ICANN did the study, he said, “and engaged the analysis and [came] up with a strawman approach that is being endorsed by ICANN and some of its technical resources. But the power really ultimately comes from the masses. That’s what makes it stronger and effectual, and this is how we tap into it, by enabling this conduit of info exchanged” in comment and reply periods.

Potentially problematic requests for applied-for TLDs come from thousands of sources, said the study, which was done by the independent Interisle Consulting Group. “The delegation of almost any of the applied-for strings as a new TLD label would carry some risk of collision,” it said. Preliminary results of the study were released in Durban and showed that strings like .home, .corp and others received millions of DNS requests in a 48-hour period. Of the 1,409 distinct applied-for TLD strings, all but 42 appeared as queries in the 48-hour period they studied. Several stakeholders, including Internet infrastructure provider VeriSign and the certification authority DigiCert, have warned ICANN this year that many enterprises currently employ TLDs like .corp or .home to designate their intranet, which would explain the multitude of requests. They worry that if ICANN delegates those strings or other potentially problematic strings, end-users querying long-existing servers could be re-routed or even sent to phishing sites. The study also said collisions could lead browsers or other computer software and hardware to treat public queries to new TLDs as a low security risk, if they assume those queries are local rather than public ones.

The study found that a substantial percentage of the problematic requests come from a security feature in Google’s Chrome browser and its interactions with common residential routers. Other problematic requests come from routers that add a non-existent TLD to the end of a valid query, like .home. The potential for name collision with new gTLDs doesn’t always arise from router errors, however. It “often arises from well-established policies and practices in private network environments,” the study said. “Many of these were widely adopted industry practices long before ICANN decided to expand the public DNS root; the problem cannot be reduced to ‘people should have known better.’”
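A defender-side check suggested by the study's findings, added here as an example (it is not from the article, ICANN or Interisle): scan a resolver's query log for names ending in the flagged strings and separate true internal names from public names that had a private suffix appended by a router or search list. The BIND-style log format, the sample lines and the public-TLD list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed resolver query-log sample (BIND-style "query:" syntax is an
# assumption, not from the article) with the kind of traffic the study saw.
SAMPLE_LOG = """\
client 10.1.4.22#53211: query: wiki.corp IN A
client 10.1.4.22#53211: query: mail.corp IN A
client 10.1.7.9#40122: query: printer.home IN A
client 10.1.7.9#40122: query: www.example.com.home IN A
client 10.1.9.3#51000: query: www.example.com IN A
client 10.1.9.3#51000: query: www.example.com.home IN AAAA
client 10.1.2.2#33333: query: nas.local IN A
"""

# The two strings the article names as high-risk; add others as needed.
HIGH_RISK_TLDS = {"home", "corp"}
# A public TLD sitting directly under the private suffix marks a public name
# that had the suffix appended (a heuristic, not an exhaustive list).
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov"}

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+")

def classify_query(qname, risk_tlds=HIGH_RISK_TLDS):
    """Return (tld, kind) when the rightmost label is a watched string.
    kind is "suffixed" for names like www.example.com.home, which the study
    attributes to routers appending a search suffix, and "internal" for names
    such as wiki.corp that exist only in the private namespace."""
    labels = qname.rstrip(".").lower().split(".")
    tld = labels[-1]
    if tld not in risk_tlds:
        return None
    suffixed = len(labels) >= 3 and labels[-2] in PUBLIC_TLDS
    return tld, "suffixed" if suffixed else "internal"

def summarize_collisions(log_text, risk_tlds=HIGH_RISK_TLDS):
    """Count watched-TLD queries per (tld, kind) and record the source IPs per
    TLD: the two things an operator needs to find and fix the dependency."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = classify_query(m["qname"], risk_tlds) if m else None
        if hit is None:
            continue
        counts[hit] += 1
        sources.setdefault(hit[0], set()).add(m["src"])
    return counts, sources
```

Hosts that show up only under "suffixed" need their search list or router fixed; hosts under "internal" are relying on a private namespace that a delegated TLD would collide with.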

Stakeholders told us in interviews this week they were surprised ICANN was willing to delay the program for the risk. Senior ICANN executives said earlier this year the risk only applied to “a very small number of TLDs,” said Dan Jaffe, Association of National Advertisers group executive vice president-government relations. “They now made clear that, at least for two of the domains, the risk is so high they won’t consider rolling it out until that risk is mitigated to a low level, and for as much as 20 percent of the domains, they're saying the risk is unknown but could be significant. That’s a major change in tone.”

Several stakeholders, including Winterfeldt, said they wondered why this study had not been done before applications were accepted. Namazi said ICANN couldn’t anticipate such specific problems before it saw what strings applicants wanted. “Until you actually know specifically what the strings are, the distinct strings, then you're actually sort of looking for a needle in a haystack,” he said. “We had to know what strings to go after to be able to conceptualize and be able to synthesize the impact level, and that didn’t take place until middle of summer of last year, and ever since then there’s been studies taking place."

Jaffe said the staff recommendations, while “substantial,” didn’t go far enough in addressing the potential security risks. Since the report said delegating almost any new gTLD would carry some risk of collision, he said ICANN had an obligation to study all of those risks qualitatively. “If there’s some risk to all of them,” he asked, how did ICANN determine that 80 percent of the strings carried a “low risk”? He took further issue with the study’s investigation of only a 48-hour period of Internet usage, saying major issues could still occur that hadn’t been captured in that time frame. “They are trying to rush a little bit and to keep the ball rolling, which I appreciate and I understand their desire to do so, but what they're charged with is the very major requirement to keep the Internet safe, secure and protective of the Internet users, and that takes a lot of careful analysis,” he said.

ICANN also released late Monday the results of an independent study into “dotless” domain names, or those single-label TLDs with no second-level domain and no dot, which it found could be “dangerous” to the Internet (http://bit.ly/188h6yn). The study, done by Carve Systems, said dotless domains could lead unsuspecting consumers to send private data over the Internet rather than a local network. The study also said the use of dotless domains could make networks vulnerable to cookie leakage and cross-site scripting attacks. Since Microsoft’s Internet Explorer assumes dotless domains are local network resources, it is coded to trust those sites. “A bug in a dotless website could be used to target any website a user frequents,” the report said. The report recommends certain strings, like .mail and .local, be banned from use as dotless domains, but stops short of banning them outright. It suggests substantial educational and outreach efforts could be taken to mitigate the risks it identified. “The Board’s New gTLD Program Committee will consider steps to be taken to mitigate the risks of dotless domains later this month,” said Akram Atallah, ICANN president-generic domains division, in a blog post (http://bit.ly/14h1CZ1). Google is the only new gTLD applicant to have said it wants to operate a term, .search, as a dotless domain. It had no comment for this story.

Donuts’ spokesman said “there is little reason to pre-empt dotless domains now when there are ICANN processes in place to evaluate them in due course. We don’t believe that ICANN resources need to be deployed at this point on understanding the potential innovations of possible uses nor any security harms.” But Virtualaw’s Corwin said the “surprising” report was largely in line with other studies ICANN has issued on the same topic, and that its findings were less than surprising.

NetChoice Executive Director Steve DelBianco said the security delay was the latest in a “perfect storm” at ICANN, following the controversial advice from the Governmental Advisory Committee in April and last month, and growing concern from businesses that use internal domains and certificates. “ICANN is responding with an entirely sensible plan to hold .corp and .home, and further study of the 20 percent of TLDs with ‘uncalculated risk,’” DelBianco said. “But it still seems like ICANN wants an umbrella to shield itself from liability if this storm brings any claims for damages and mitigation costs due to problems caused by the expansion.” Corwin said ICANN would have to delay the program if it felt security issues were substantial, because “ICANN’s success and support and, frankly, the success of the whole program depends on not having any severe tech issues arising from the introduction of new gTLDs.”