You know what would make whois data more accurate? Requiring that registrars provide basic anonymization without any extra fee and build a meaningful process for situations where breaking that anonymization is actually the right thing to do (i.e. not an opportunity for collection of bulk mailing address and phone number lists for spammers and phishers).
It would cost the registrars something to do so, obviously, but so does this. And a basic level of privacy should never have been allowed to become a premium service to begin with.
Agreed. The mere idea of having to globally expose your personal details is idiotic. Or at least it belongs to a more civilized society we're not seeing a glimpse of yet.
Not a more civilized society. Just a time when the number of people with access to the internet (and thus the whois database) numbered in the hundreds and not the billions.
It's not about the numbers. It's about people. Right now not a single individual can be trusted not to misuse somebody's personal details, through malice or negligence, and not create a severe risk for the owner. Being one in a narrow selection of computer professionals doesn't help much. One can be a genius and a person of low ethical standards at the same time. No solution until the civilization progresses much further than what we have now. Until then, lock down the Whois database. Even better, discontinue it altogether. Let individual registrars hold the personal details of their customers. At least it will remove the risk of compromising everyone's privacy with one action by not putting all eggs in one basket.
To start with - I absolutely agree with you about what should be done now. I just thought it was worth explaining why the system came to be the way it is now.
And I don't mean to imply that the computer scientists of yesteryear were somehow more honest people. It's just a lot less likely for someone to cheat in a group of a few hundred, where everyone is at most one degree of social separation from everyone else, and everyone is in any case very similar in background. Harder to screw over someone you see at all the conferences than some random stranger online, and if you do there will be social, not just legal, consequences.
The worst part in my eyes is that at least with some registrars (I experienced this with Dotster), you have to disable whois privacy in order to transfer the domain away. They don't let you receive the authorization code at the anonymized email address, so literally the only way to transfer the domain to a new registrar is to turn off privacy, exposing your information to the world. There may be a technical reason behind this, but it feels more like a way to hold you hostage and prevent you from transferring.
For what it's worth Google Domains provides free privacy and a few other things (including up to 100 DNS entries per domain). They cost a little more though.
Yea, transferred one domain and it was $10. I haven't heard from them, so I'm assuming it went smoothly. After being stalked by GoDaddy over the years, I think I developed Stockholm Syndrome? Hey GoDaddy--I will date you again if you bring back coupons for renewals? We were together a lot of years, let's not break up over money?
(If any Registrar reads this, could you explain the extra cost of providing free whois privacy? It seems like the cost associated would be minimal, and the payback would be huge? I heard the true cost to a company for a .com domain is around $7.00? Go ahead and add one or two dollars to the domain for profit. Just be consistent, honest, and no shenanigans. Oh, I looked into Gandi--and they are just too much money.)
Funny enough, Laurent Chemla (Gandi's founder) did publish an essay in 2002 called "I am a thief", denouncing registrars' artificial prices (Gandi did cut prices at that time).
Uniregistry.com provides privacy at no extra cost, along with other useful features. I moved all my domains over last year and have been pretty happy with them.
I have a small number of domains (about 15 at last check) - and most of them have a mailing address from 16 years ago. If all they verify is email, why does this process have any value? It's not like you can't (A) Spin up a random mail server in 30 minutes, or (B) save yourself the trouble and just use mailinator.
This, finally, is the most pure form of security theater I have ever seen. There is no possible argument that this would deter any bad actor from doing bad things with their DNS domain - totally useless policy.
It is indeed useless, but it's much more involved than just contacting you the once: registrars are required to contact you at least yearly and after any contact updates, and if your mailserver isn't up and running, and you don't confirm the details, you'll end up with suspended domains.
It sucks, and I'm saying that as somebody who works for a registrar.
You're wrong. What you've been seeing are WDRP emails. Those you can ignore. WAP is something completely different: you must follow the instructions outlined in the email, or your domain will be suspended.
Nope. This policy, WAP (WHOIS accuracy program), was enacted as part of the 2013 ICANN RAA. ghshephard is thinking of WDRP (WHOIS data reminder policy) emails, which came in as part of the 2003 RAA. The new policy is independent of the WDRP.
Sure - I'm just saying that other registrars do send those emails out, with threatening sounding words about how I have to fill in my contact information. I ignore it. They've never done anything.
The WAP emails you'll be receiving are something different, and you will be required to respond. If the email bounces, or if you don't confirm the email within 15 days, you risk your domain being suspended.
It's funny you mention spinning up a new email server, I've had to do that for a domain I stopped using about 5 years ago, but had used for almost a decade at one point... you'd be surprised how easy it is to miss changing an account/email address.
Of course that was within a year or so of taking down the old domain, and haven't had issue since... just the same, it's interesting how painful an option can be at times.
It has value to you. What are you going to do when you get a default judgement against you and get your domain(s) transferred away from you because you decided to be cute and put 123 Elm St. for your address, preventing service of process?
The comment I was referring to was that sentence about working with LEAs to ensure accuracy.
If I really have concerns about losing a domain in a legal process, (I'm a corporation, or ongoing business) - I would use the services of a domain name portfolio management company, like MarkMonitor. https://www.markmonitor.com/services/domain-management.php
The only thing I've ever got to a mailing address related to a domain registration is junk mail from a registrar trying to scare you into renewing with them. That was from Melbourne IT back about 15 years ago (for a .com.au domain).
Yes, but the point the OP is making is that it is a worthless guarantee. You can just use a throw-away email. And given the target audience, this should not even be considered a significant barrier.
Well, blame the law-enforcement agencies: they're the ones that forced ICANN's hand on this. The registrars, particularly the European ones, fought back, and the policy is nowhere near as bad as it once was going to be.
However, even before now, you could easily lose your domain due to a missed email. For instance, if you don't have your domain on autorenew, it can end up in redemption (which is expensive), and eventually deleted. And, as of the 2013 RAA, if you don't renew your domain, your registrar is required to park the domain with a non-renewal notice a few days after its expiration date.
OK... so a false positive from a spam filter can make your site go down for as long as it takes to straighten out the mess. That's not a whole lot better.
But if they're able to contact you then the exercise was pointless and if they're NOT able to contact you they disable your domain. How does that help anyone?
Assume that the purpose of this exercise is to ensure there's some way to deliver a court order, subpoena or other law enforcement notice to a domain owner. In that context, this is going to ensure either (a) there's at least an e-mail on file that reaches the current owner, or (b) the domain can't be used for any illegal purpose, so the issue is moot. It's not a perfect system, but it'll probably do the job in 99%+ of cases.
That's ostensibly why the system is good for lawyers and law enforcement. It seems like it's only bad for domain owners.
And I really question how useful it is for even the purpose you outlined. Considering that a) your registrar could easily be subpoenaed for this information if there's a genuine need and b) Anyone who has the tech savvy to register a domain with plans to do something illegal with it surely also realizes they can register a free email under a bogus name.
Except that I would never want my name/email associated with a domain name - spam central. My registrar has my contact information when it comes to renewal, or to contact me for an issue, but the domain names all have dummy values.
If you've provided invalid contact information on the domain, you're in breach of the TOS, as ICANN requires that domains have accurate contact data on them.
Disabling your domain is an effective (though unreasonably heavy-handed) way to contact you, and to force you to provide contact info if you care about the domain.
Coincidentally, the service some registrars use to do the verification (wdrp.name-services.com) is down right now. How much fun must it be to watch your business taken off the 'net because you can't click a "this information is accurate" button.
Absolutely. I have a few domains registered with Dreamhost too, and I almost didn't bother to check because I was positive that email was spam. And the Dreamhost reps couldn't be bothered to write more than a few words about it on the forum. Namecheap and a few others seem to be sending out identical emails.
For any phishers out there, there is an obvious opportunity waiting.
WDRP is different from the Whois Accuracy Program. All that's required there is that registrars email registrants and admin contacts a reminder showing the current WHOIS information for their domains. No confirmation is needed.
The Whois Accuracy Program is different, and requires contacts actually confirm stuff.
No irony: the registrar has to validate the details they have on record. If you have WHOIS privacy set with the registrar, they still have your unmasked details, in which case they contact you on that address, not the one presented in WHOIS.
This is part of the reason why you should use your registrar's WHOIS privacy service rather than some third-party one: by providing the registrar with incorrect details, you're in breach of terms of service ICANN requires registrars enforce.
"- Provides an email forwarding service to your real address as above"
Another suggestion - the service keeps a public gpg key you supply, and posts the email, after encrypting it to you, to usenet/pastebin/wherever searchable (perhaps by the key fingerprint?), and maybe publishes notifications of that somewhere distributed (maybe a hashtagged Tweet where that hashtag is the key fingerprint?)
Sign up over TOR, and you could have a pretty good "air gap" between you and any messages it receives for you. Wouldn't matter if they get subpoenaed or NSLed - they'd never be able to see who's _reading_ those messages.
BTW, you shouldn't use a third-party WHOIS privacy service. That puts you in breach of ICANN-mandated T&Cs as you've effectively provided bogus contact information to the registrar.
Registrars deal with this in a few different ways, I believe some will allow you to confirm only one email address if there are multiple domains in your account.
I've already started seeing spam and phishing attempts for official-looking-but-fake whois verification emails. It was obvious that this was going to happen when ICANN first announced this new requirement, and I'm only surprised that spammers haven't been even more on the ball about it.
We haven't yet begun to see how ugly this stupid new program is going to get.
Can we just agree that either now or in the near future the idea of thought or expression without attribution is a thing of the past? Something that our grandparents' internet had but not for us.
This slow crawl of both policy and protocol toward greater bureaucracy will have a much more permanent effect than say the NSA/GCHQ spying.
Not really. Although generic internet users keep making the internet a "safer space", there will be a critical point when a fork will occur for those who still think the internet can be interesting.
Reddit can be seen almost as an anonymous fork to some degree. Obviously it doesn't share the same network concepts, but the spirit of anonymous information sharing is there.
The whois accuracy program is such an enormous pain in the arse. It's worthless junk law-enforcement agencies demanded be included in the 2013 RAA that will have no useful impact on anything. It's just a massive resource drain on registrars.
Yup, but for customers, it's just a periodic annoyance. For registrar, it's a constant support overhead. I expect domain pricing to increase as more registrars have to move over to the 2013 RAA.
I still have a really hard time with the idea that a domain needs to have "valid" or "meaningful" whois data at all... and now there's this? Sounds like a phishing windfall.
I wouldn't have a problem with it if the data weren't so easy to crawl and parse by spam-bots and robo-callers. Ever since switching away from a whois-anonymization service for one of my domains, the amount of spam letters, emails, and robocalls from telemarketers I get has increased more than ten-fold.
For some reason people assume that these whois-anonymization tools are just used by squatters and spam websites, but I use it to keep someone from overloading my physical/digital/voice mailbox.
I also got such emails lately and was wondering, because I could find no connection between the web address linked to and the company I was ordering from in the first place, nor any registering authority!
I also asked the company and they said that it was legit, but came from some kind of service provider.
Finally, the web site I was directed to also looked very suspicious and less than professional (something a hacker could have made up in a weekend -- and again no names, logos or information that could make up a connection to my business contacts).
I really would appreciate it if they could make the process more transparent and less phishing-prone -- so anybody could make up a nice sounding domain and fire emails to people with domains ...
Somebody could think that domain registration authorities have at least basic knowledge of internet threats ...
I have a domain registered under my real name and personal email address. Coming away from the article, my understanding is that my domain is liable to sniping if I step away from the Internet for more than two weeks (e.g., I go on a trek into the jungle somewhere) and don't take steps to have a friend or colleague keep tabs on the issue. This seems like a straightforward and obviously undesirable scenario; I wonder what came up in the ICANN consultation when it was discussed.
I believe the two week timer only starts if you initiate a domain transfer, modify your domain's WHOIS info, or have a renewal notice bounce. 2/3 of these are forces that are within your control, so you can at least plan around that.
Further, I believe that if it does happen, your domain is just suspended, i.e. set to not resolve, and isn't available for anyone else to register/snipe.
This is a big opportunity for registrars to make their customers feel safer: "We will go to extra lengths to make sure you don't lose your domain this way. We will pick up the phone and call you."
"And in order for our thin margin business to be able to provide this new service we've opted you into, we've increased your registration fee by 50%. Don't thank us, thank the friendly folks at domain-admin@icann.org"
(in all seriousness, I expect the high end registrars probably will do this. Shame they're apparently not permitted to exercise discretion and not kill your website that nobody has objected to)
Yeah, like I need my registrar calling me all the time. What if you have several hundred domains? Are you really going to call and harass me about each one?
Sure, but you always have a few Truly Important domains, that you DO NOT want to lose. This is about those. An easy solution would be to charge you a few bucks more for domains you designate as Important.
No more than they would send you several hundred separate bills. If all the domains are linked to the same account, verify the account and you're done.
Oh, and one other thing: while other registrars tried to resist stuff like this being added to the 2013 RAA, EasyDNS were one of the registrars that sat on the sideline and did nothing.
Let's just say I don't have too much time for their moaning and griping now. They should've engaged with the registrar constituency back when the negotiations were happening.
We're in the RRSG now, we joined last year (better late than never) - that said - speaking as somebody who has been on the CIRA board and involved in early ICANN Whois TF, there isn't a lot that can be done about it. Registrars are pretty much a captive audience with zero power wrt ICANN and governance in general.
As individuals, yeah, but I know plenty of what goes on behind the scenes, and what goes on in the mailing lists is only a fraction of the story. A savvy registrar can have plenty of soft power if they know what they're doing.
BTW, you should get involved in the IETF provreg and eppext WGs: we need a stronger registrar voice there, and the more registrars involved, the better.
I wonder if it would be worth having a way to expressly request that easyDNS (and any other domain provider following this policy) send a test email for your accounts? This would be an email that looks like the one they'd send for this program (as close as possible to ensure spam filters treat it the same) but is labelled somehow as a test. This way you can make sure that a) the email address on file works, and b) the email will make it past your spam filters.
Why need it be a test? If verification just needs a click on a link it doesn't seem very onerous to require that click. If the mail doesn't arrive, you know you have a problem with a deadline NOW, instead of a randomly appearing problem in the future. The former certainly seems better.
The problem is you don't want to start the 15 day countdown if you have a problem receiving the email. Yes obviously you'd still have a problem because the countdown could be triggered at any time in the future, but it's still better to not trigger it immediately if you can avoid it.
That said, if the test email bounces, that might be required to start the countdown anyway?
The test e-mail is an e-mail from the registrar to the contact address, so if it bounces, the registrar is then required to send a real e-mail to that address, which will presumably also bounce. Then the countdown starts.
I have very little expectation that the boneheads who came up with this scheme considered this possibility, and therefore exempted test e-mails from the bounce-trigger requirement.
The imaginary black-hat that hangs out on my left shoulder has already suggested that spoofing a bounce message for a correctly delivered registered e-mail could be used for mischief. Phishing the domain customers is entirely too obvious for him, though the imaginary white-hat that hangs out on my right shoulder seems quite concerned about it. They both agree that black-hat wins this round.
How? By finding bugs in the interface that allows hostile users to set new values for the email address at the registrar and using this for triggering the 15 days period?
Why bother with looking for interface bugs? Domain owners have been told they risk losing their website if they don't respond to requests for confirmation of the details of their domain name. So how about I send some emails asking them to urgently pop by my website, which looks very much like the registrar's website, and log in to update their details?
Or if I didn't want to do anything actually illegal, I'd probably have an enhanced chance of success in pulling off the Domain Registry of America scam and convince people they must update their details [by transferring to my registrar] in the next 15 days.
Seems almost certain to become the most frequent uses of the contact details ICANN has kindly ensured will be up to date and accurate.
To me, one issue seems to be that ICANN dares to demand of the registrar that they must verify the contact information that is REQUIRED to be present in a registration... that's not really a sane stance to have when you sell a subscription to what is basically an identity, so let's put that aside.
One other complaint is that this verification procedure is really weak: "just send a mail with a link to the address provided"
Imagine if ICANN changed their rules so that a more substantial verification process of the MANDATORY fields was required? Like if they didn't make it optional to verify the telephone number, what would easyDNS do then? From their post, I presume they would go insane, declare Holy war on the ICANN, and then start assaulting ICANN officers with the sharp edges of their ibook 12"
They also complain that it's a huge phishing opportunity because they must send mails with a link for people to click, but according to the ICANN spec they link to, the actual requirement is[1]:
"""
[...] sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar
"""
So the mails looking very phish-y is entirely their own choice, the spec does not mandate that the title is "Look at these funny pictures, friend" or anything.
Finally, they complain this will lead to a lot of big sites going down because they are forced to suspend domains if people don't take certain action within a certain time (although they don't clearly argue that the time is too short or something like that). But big sites already go down because the dns owner has been negligent with their interactions with their registrar, like failing to pay their fees for instance.
So the phisher registers a new domain, gets the real authentication e-mail, alters it to insert a malicious payload of some sort, then mails the altered copies to the marks. The validation e-mail notices may be triggered by events that are not verifiable by the customer, so if one shows up out of the blue, you have no way of knowing whether the registrar got a bounce from temporary network congestion or whether some phisher got your unredacted WHOIS record.
No matter what the registrar does, the phisher can obtain and alter a copy of it.
The only way to stop the phisher is to inconvenience the customer in a much more annoying way. The registrar could remove all hardpoints to which any phisher could attach his payload, such as by omitting phone numbers, clickable links, scripts, or customer-identifying information. That leaves, "Contact your registrar as soon as you are able, or your domain may be disabled within 15 days."
Anything that anyone does to make the validation process easier could be hijacked to put the customer in the phisher's false reality.
What would occur if ICANN, at the behest of law enforcement, changed their rules to require a phone conversation explaining what the domain is for, forms filed in triplicate, a cheek swab, a rectal exam, and 1% ownership in the company?
If ICANN turns into an unacceptably bad actor for whatever reason, where does that leave the Internet, what is its recourse?
I don't blame ICANN for this: this demand came from the law-enforcement agencies. I know that internally, ICANN would've been happy sticking with the existing WDRP process.
What is ICANN's motivation for complying with law-enforcement agency demands? Quite a number of them have proven themselves to be bad actors in the past, and there are provisions in civilized society that restrict them from actually demanding things, absent a specific court order. Which shouldn't really apply to an international regulatory body in a prescriptive manner by most standards - and if it gets such orders it needs to leave for another flag of convenience that doesn't cripple a global infrastructural standard.
"The Net interprets censorship as damage and routes around it" should be the ideal we aspire to. LEA and intelligence-agency intervention in the Internet system is typically damage to our liberty-printing machine, one way or another. Their incentive structure offers no benefits and poses a lot of difficulties in dealing with a free Internet. Pressure from them should be expected as an open adversary to the free Internet, and defended against.
They might've proven themselves to be bad actors, but they're backed by national governments, and that gives them a lot of sway when it comes to these things. LEAs do have a legitimate interest in this kind of thing because domain names can be used for fraudulent and otherwise illegal purposes, which is why they're involved in the process. However, it's up to the other parties to moderate this influence where possible, which is what the registrar constituency fought for in the negotiations.
Actually has value for law enforcement despite what some commenters seem to be saying here. For example if the contact info is not valid then it would be a quick and easy process to take the site offline for a cooperative registrar.
Law enforcement were still the ones who demanded it. ICANN and the registrars didn't particularly want this. In fact, what the LEAs were originally demanding was full verification and validation of all contact details supplied to the registrar.
I know this, because I work for a registrar and was privy to the 2013 RAA negotiations.
I also work for a registrar. Keep in mind that the policy is also an opportunity for registrars to charge for taking a domain back off of hold the same way that they can charge for bringing a domain out of redemption over and above what the cost is for doing so.
Yup, they can, but monetising that kind of thing would be pretty scummy. After all, section five of the spec states that all we need to do is put it on client hold and prevent outgoing transfers, though we can potentially terminate it by putting it in redemption. Unlike redemption, which is pretty costly, there's no real need to charge people to unsuspend the domain.
No doubt, some assholes out there will try it, but I know we won't.
Why do you feel (honest question here) that charging something or anything would be scummy?
"there's no real need to charge people to unsuspend the domain"
By that token there is no need to charge people for many things that businesses charge for that don't cost them any money at all (or a nominal amount) and are pure profit. Or even to charge for bringing a domain out of redemption over and above the actual reimbursed cost for doing so. The fact also that some registrars charge typically or don't charge shouldn't really enter into the picture of "scummy" or "not scummy" by any company that chooses to have a different process.
Not that by what I am saying it should matter but the mere fact that you are putting a name on hold means that your support or customer service costs should in theory increase. If a name is on hold then that means a customer could call or write an email which has to be addressed by a person possibly. And there is a cost to providing that service. It is not zero obviously.
No, I don't feel that charging for something is scummy. I do feel that charging for unsuspending a domain due to WAP is scummy. If some other registrar wants to do it, fair enough, but given the cost of unsuspending them approaches zero, unless we need to contact them on the phone, by post, or something else that requires human interaction, I feel the unsuspension fee should be nominal at most.
I get tons of these WHOIS emails as I build websites for small businesses. The last ICANN email I see regarding WHOIS data accuracy said the following (GoDaddy)
"If you find that your domain contact data is current and accurate, there's no need to take action. If, however, your domain contact information is inaccurate, you must correct it."
This was sent on May 5th - when does this new policy take effect or does it only take effect when you renew/transfer/register?
Edit: I RTFA again and see that the date is June 23rd(?)
The email you received was a "friendly reminder" to make sure your registrant contact information is accurate. It is officially called a Whois Data Reminder Policy email.
If it was accurate, GoDaddy is correct - there is nothing further for you to do.
If, on the other hand, the email they sent you would've bounced back as undelivered then you would've ended up into the next phase. "Click this within 15 days or else."
In fact, GoDaddy in particular (used to?) charge you $25 as a penalty if they determine that your whois information is incorrect. That's the reason I took my domains elsewhere.
Oh wow, OK thanks for the tidbit - I will be on the lookout for my clients - many of whom barely know where they registered their domain, let alone the accuracy of their WHOIS contact data.
Some registrars do it differently to minimise the junk that gets sent out. For instance, the registrar I work for groups domains by email address when sending out WDRP emails, so if you have, say, ten domains with the same expiration date, you only get one email.
That email you got was a WDRP email; the WHOIS Accuracy Program is a different policy.
Rather than be harassed by ICANN emails it would be preferable for EasyDNS to handle any admin issues on a case by case basis. That should, after all, be included in the cost of buying a domain. I always made sure my registrars were handling this on my behalf, and for domains where I was required to submit personally identifiable information; I let the domain expire and die. It's not worth the hassle. I don't work for free.
Many ccTLD registries have stricter policies when it comes to WHOIS data, and actively audit their contact databases for dubious data, place restrictions on contact updates, or actively review registrations and contact updates to ensure that the contact data provided is valid.
.me, .co, .io, .ac, .sh, and a few others, are relatively easy-going. .us is straightforward enough too, and though there are technically restrictions on who can register .us domains, they're not really enforced all that actively by Neustar. I really like the .me registry: they're good people.
Registrars don't get domain names from ICANN. Registrars get domains from registries. ICANN is simply the regulatory body for registrars and registries. Registrars have to be accredited with ICANN before they can contract as registrars with registries.
If you can think of a way to make an alternative DNS root take off, I'm all ears. If you can come up with a non-hierarchical alternative to DNS that (a) is as fast as DNS, (b) isn't prone to spoofing or squatting, (c) isn't riddled with security and trust issues, and (d) actually works, I'm also all ears.
Personally, I don't think it'll happen any time soon. The only successful DNS fork is North Korea's.
I agree. It won't happen any time soon. The way I see it, it will be sort of a revolution (or a slow change?), and the current system will become irrelevant. The only viable alternative that I see is a peer-based system based on peer trust, a departure from a centralized system. The same thing should happen also to the certificates and root-certifications where "trust" is traded now in exchange for money.
Agreed, 'click here to confirm your details on domainadmin.com' looks suspicious. Maybe EasyDNS can send their customers a 'heads up' email to let them know to expect the whois accuracy email?
Phishing training companies will actually use this tactic (they call it 'double barrel'), which makes me think that real phishers are already doing this, too. What I think would be better is an email that said to go log into your account to complete the confirmation, instead of following any link in the email itself. It's less convenient, but it's not something that phishers would tell you to do.
It is decentralized, you can spin up an alternate root right now. The problem has been, and always will be namespace coordination.
You can argue that ICANN could have done better. And part of me still cares, but of course ICANN fucked up the existing root. In the current business and legal climate, it's basically a foregone conclusion.
That's not decentralization; that's just moving the single-point-of-failure.
A better system would be something based on a cryptographic blockchain/ledger, like Namecoin. Thus, no reliance on a central authority to decide which domains are or aren't valid; you instead just look at the ledger (which is maintained decentrally by network participants).
Oh, you're talking about decentralization to mean remove any authoritative control over a zone (rather than ability to choose the delegation system), which also requires upending the resolution design. I'm largely just referring to the namespace management and rules attached. In that respect namecoin isn't a particularly interesting entrant. It doesn't really fix problems with namespace coordination unless you decide they're irrelevant next to maintaining namecoin's ideological purity.
If namecoin were to take off it would just collapse under its own weight once squatters move in. So, outside of ICANN pushing huge and onerous changes down to their TLDs, I don't really see the utility for namecoin beyond providing resolution for services that would get their domains revoked by a registry for policy reasons or following legal orders.
We can't even deploy IPv6. What's your plan for getting your system deployed in every Internet connected device, including ancient routers without cryptography chops and refrigerators, then transferring the multiple billions spent on the current namespace into your system without conflict?
Actually, all my traffic is v6 by default using Telenet (Belgium) and XS4ALL (the Netherlands). And yes, those are mainstream ISPs. Lots of services, most noticeably Google and thus Youtube, use it by default as well.
We're nowhere near 100% yet, but as the need increases we are getting there.
As anyone who knows what you just condescendingly explained knows, anything short of 100% doesn't alleviate the problem that motivated IPv6 in the first place. Until absolutely everything is accessible via v6, we must continue to allocate v4 (or, worse, NAT it all), so we aren't really anywhere.
It was a side point. I'm on dual stack Comcast, so I already knew what you're telling me, and I made the point nonetheless.
First of all, sorry, I did not mean to be condescending. People keep repeating we can't do X because we can't even deploy IPv6 and X is an equally large or bigger change. Since I've got v6 for years and am getting it in more and more places, we're getting there alright.
So I do not understand how you can say we cannot deploy v6. You are running dual stack as well, clearly we are on the way there? And yes of course we first need widespread deployment before we can turn off v4 entirely, but the fact that we both have it means that people are getting it and that we can turn off v4 at some point in the future.
And as an aside, we don't actually need 100% exactly: at 99% (or something) it's not going to be cost effective to get v4 addresses for everything anymore and more stuff will become v6-only.
I'd rather look up an identity to find what they've published rather than looking up a name to talk to a server that will hopefully give me what they've published. Luckily, cryptography lets us do that.
What really sucks is that the email some hosting providers are sending out looks really super spammy. If I hadn't paid very close attention and Googled the issue, I would have trashed it. At least in DreamHost's case, they look like phishing emails and the links go to a non-DreamHost domain. But if you dig into the DreamHost support forums enough, you'll find confirmation from a developer there that it is legit.
And that's all you'll find. So who knows. It's a pain in the ass.
I don't even understand how ICANN can make that decision, which has very dubious benefits. The equivalent would be to require all newspapers to disclose the real name, telephone, email and address of everyone who writes an article or puts an advertisement in their pages. I might even get it if ICANN required a private registry with these data, but the useless whois database only serves as a goldmine for spammers that want me to renew my domains for $1000. This is illogical and I'm at a loss.
They try and appear to be very open about the whole thing, but no mention as to why they need to be accredited in the first place? Can they just choose not to get the accreditation and still give out .com domains?
Nothing stopping you (or them) from reselling domain registration from another registrar - but being accredited gets you more features and very cheap registrations.
I have no problem with the Whois Accuracy Program. Make sure you have up to date whois contact info, or use a whois privacy service if you don't want your contact info public.
Should web surfers have the right to see who owns a domain (via whois) even if the domain owner doesn't publish that info on the site? Should they have the right to (try to) contact the domain owner via the whois and have a reasonable expectation that that email is going to get to the domain owner (even if they choose to ignore it)?
If ICANN believed "web surfers have a right to see who owns the domain" it would ban DNS privacy services rather than enacting this bullshit.
I actually think the rights of web surfers are far more infringed upon by being unable to access a website because the contact at the organisation that built and paid for it was on holiday or ignored an email (or possibly didn't even see it because the spam filter thought it looked like a phishing attempt).
I cannot believe you are defending this.
And for the record, as a domain owner I actually don't think you necessarily have a right to email me or the non-technical administrative contacts to try to sell us similar domains or persuade me to switch to your dodgy registrar. Even if I don't provide an email address there's always the option of taking it up with the registrar if there's a genuine legal issue with the domain or what it points to.
Notahacker, I actually wasn't defending it at all. Just offering another perspective for argument's sake. ;)
If we even allow anyone to view a whois record, then should it be accurate? So, why not just get rid of whois entirely if it's going to either contain false information or no information at all?
I totally agree with you that people shouldn't be able to email you at-will, just trying to sell you something, sell you a similar domain, or try to switch you into moving to another registrar. (Generally those would fall under email spam, anyway?)
There are other reasons why people need to contact site owners, though. Like because of DMCA requests, or maybe even their site is broken, contact form on site broken, or something similar.
But again, if the whois data is going to be inaccurate, missing, or just false then why even have it in the first place?
As someone who owns a personal website/domain -- not a business one -- I have never been legitimately contacted by visitors via the whois info; but now that I switched away from whois-privacy service I get several letters a week, 2-3 robocalls a day, and hundreds of spam emails a week from bots that spam legitimate whois contacts.
I never understood why the .com (.net, .org etc.) domains provide the registrant information via port 43. Denic for example only provides information about Tech-C and Zone-C. The other information is behind a CAPTCHA.
I don't think there are any generic rights of a web surfer: most of the web is private property, and the rights set by some EULA.
I also don't see any obvious reason why this particular technical problem would count as violating the user's rights by denying access and others would not. So for instance you can claim that broken DNS records violate the user's rights by denying access, but then you also must agree that a broken device driver is violating the user's rights of access. Have fun with that.
For the avoidance of doubt I'm not suggesting web surfers actually have or should have any legally valid right to browse a particular piece of content.
But if you asked me to choose between a 'right' to access a website the owner had intended to make available to me or a 'right' to reach the owner's administrative contact, I think I'd consider the former more important. Then again, I'm not a lawyer, a phisher or a spammer, so ICANN's policy change isn't really meant for me.
> Should web surfers have the right to see who owns a domain (via whois) even if the domain owner doesn't publish that info on the site?
By "who owns", this means, "give out their name, address, phone number and e-mail address."
So in that context, that depends. If they are a business, then yes. There should be corporate contact information there.
If they are a non-commercial hobbyist site, then no. Absolutely not. Think about the incredible harm this would have on stalking victims. Or how about enabling more swatters?
Like domain registrars and certificate authorities, domain proxy services are just another tax on citizens wanting to participate on the web.
I think the issue is that ICANN believes it has the right to contact information to the people it has granted a licence of a domain. I believe Whois information isn't really intended for the end users, but rather the administrators of the DNS system.
I had to do this back when I used GoDaddy just a few months back. I was able to verify all of my domains but one. For whatever reason I'd click on the link in the email, go to the page, verify it then get another email a few days later since I didn't verify it.
Fortunately it was a domain I was going to let lapse so I didn't bother trying to deal with their support but I swear I verified it 3 different times and never once did it say it successfully went through. Very frustrating experience.
Is there a reason registrars aren't cryptographically signing these messages? That would give everyone a relatively simple way to verify that they aren't forged. I get that not everyone who will receive these messages is technical enough to figure out PGP or S/MIME, but it would be trivial for Gmail, Outlook.com, Yahoo Mail, etc. to put a pretty seal on these signed messages.
I think when I get one of these from my domain registered through Dreamhost, it says something to the effect of "Log in and check, if it's OK do nothing", which is much nicer than having to log in and take action (like I have to do with Godaddy). I'm basically not required to do anything.
Is that an option? Seems to sidestep these rules, but these rules seem silly.
You're probably referring to what are known as "Whois Data Reminder Program" emails (WDRP), which is a few years old. Also mandatory to send those out, but can be safely ignored (which is what makes this program so much worse).
So if one wanted to knock over a competitor's business, it would only take to arrange for the owner to be unavailable for a couple of weeks, send this email, wait for the deadline, grab the domain. Profit.
What happens if you become sick or get in an accident and must go to a hospital? Game over?
When I registered a domain with Amazon, Gandi sent me the verification email and it went to my spam folder. Luckily, Amazon sent me a follow up email saying my domain would be suspended unless I followed the instructions in the Gandi email.
Now you just have to worry about Gandi shutting down your domain if you host anything that anyone finds morally objectionable, among other ridiculous terms they require you to agree to.
Disclaimer: I work on a WAL-related project for a TLD.
Let's not throw the baby out with the bathwater.
Projects like the WAL actually do help prevent the spread of malicious sites. Some TLD registries go to great lengths to ensure that the identity of their registrants is valid (address, phone, email).
Valid whois data is a necessity when processing some of these cases (from a legal point of view). I see this in practice every day.
The potential burden for the majority of domain owners (those who don't plan to do anything illegal with their little piece of internet real estate) is undeniably an issue, but projects like WAL have very real merit for the internet as a whole.
Sure there is. Outsource that verification to someone who already needs to do it, like the local government. South Korea has a pretty poor implementation of this already, but things will only get better over time.
Do you honestly think it's feasible to maintain a database of contacts for every country and quasi-political entity in the world?
Secondly, I'm not even sure how you'd reasonably do this in a country like the United States where there's a functioning government if only because there's 50 states plus other territories to deal with. How would you go about verifying that "Walter P. Fluffington" exists and lives at some arbitrary address in Puerto Rico? It seems extremely time-consuming unless you are going to exclude people who have driver's licenses or some kind of government ID issued to them, or are foreign citizens living and working there under a visa of some sort.
This also doesn't even come close to addressing what happens when you register a domain with someone else's name.
The whole thing is completely pointless. If South Korea can't do it, nobody can.
The whole point is you don't verify it. You accept their government-issued identification and verify the validity of that. Currently this is done stupidly by comparing their face to a photograph, but if the demand is there, the process will improve.
Compare to how we verify certificates. Trusted CAs issue certs and we verify the chain of trust.
If you're depending on "government-issued identification" you've already failed.
A) What does that even mean? What's considered valid? There's got to be at least 100 different forms of this in the United States alone. How can anyone be familiar enough with all of these forms to verify them? Then consider there's several hundred countries around the world, each with equally quirky identification systems.
B) So the "face to photograph" method of identification depends on someone supplying a photograph of themselves? Since when is this part of the process for applying for a domain name? Secondly, it's impossible to verify that the photograph is of the applicant. Are we applying for domains at the DMV now? What about people who have identification where their face is concealed, or is a woman no longer allowed to register a domain in places like Saudi Arabia?
C) Why should having government-issued identification be a pre-requisite for owning a domain name? What if you're 10 and want "billyslemonadestand.com", paid by Bitcoin?
This isn't a trust issue. Owning a domain name shouldn't be terribly difficult. This isn't like an EV SSL certificate where a notary is going to be involved. Their entire process is complete bullshit and does nothing to improve the security of anything.
Uh, yeah. We're not talking about their process. We're talking about how to improve it. AKA by making it not bullshit and by requiring real verification.
> Projects like the WAL actually do help prevent the spread of malicious sites.
Outlawing encryption helps catching terrorists. Ruling that the use of Tor is justification for a full search of all of one's electronics helps catch child abusers. Forcing every email to be tied to a real life identity helps stop spam.
There may exist some TLDs which indeed go to "great lengths" to verify contact information. I don't know if it's true, but if it is then that's an effective policy which has absolutely nothing to do with WAL.
No doubt valid WHOIS data is helpful when wanting to know the identity of a domain administrator, but again the point is WAL does absolutely nothing to ensure that in any case where the owner doesn't actually want to be identified.
Clearly you need to provide a working email address to receive the confirmation. Does anyone know the consequences of providing wrong information anywhere else?
Potentially, you can have your registration revoked, but usually the address information isn't checked. If you don't want your information appearing in WHOIS, go with your registrar's WHOIS service, if they provide one. Don't use a third-party 'service', as you'll effectively be in breach of their TOCs (because you've provided inaccurate information to the registrar).
The tl;dr: Respond to an email and confirm your ownership of the domain within 15 days, or your site dies.
I would discourse further on the silliness of this policy, but they stated it best: "You can thank ICANN...because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We're simply out of our league here."
Please don't overlook that ICANN is regulatory capture. The idea you need to pay more than 2c/year for an entry in a goddamn database and you have to pay a designated intermediary to make that request is, well, lucrative for the intermediaries because there's this massive barrier to entry to setting up in competition with the intermediaries.
Does it look the same as "a seat on the exchange" in the financial world - trade on an exchange, you and your counterparty both get skimmed by a "broker" as well as by the exchange.
Anything to make something as simple as putting a tiny entry into a database more of a pain and hassle justifies the ridiculous fees. The worse they do it the better it works for them. Incentive, yeah, let's make sure this screws up and looks like phishing, then they'll really need us and we can claim to be the good guys with utterly ignorant law enforcement who don't understand what they're asking for being the bad guys.
If this cost the intermediaries money rather than being something that will turn out to be lucrative for the industry as a whole, you'd have a very different result.
Now watch the downvotes and screams from the intermediaries and their apologists. Hi, enjoy your money!
> Now watch the downvotes and screams from the intermediaries and their apologists. Hi, enjoy your money!
I downvoted you for this grandstanding, not for the rest of your post (which I agree with, for the most part, I think it's a crock). The "conspiracy behind every hedge" rhetoric stinks, and I wish we wouldn't do it here.
Oh come the hell on. Not a conspiracy or anything like it. Just pure market forces in the presence of a market failure. Regulatory capture is normal and happens all the time. We should just point it out.
Watch the responses, see whether flagging what I think they will be in advance is a useful thing or not.
There's reasons for charging $10 per domain other than the cost of the DB line.
One thing I can think of off the top of my head is that it makes domain squatting a bit more expensive. $10 instead of 2c is 500 times fewer domains for the same amount of money. At the same time, $10/year is a reasonable entry price for "I'm seriously considering using this domain".
Domain names are a scarce resource, it makes sense to charge a good amount of money for them.
On that basis, I and I alone should have the monopoly and should give as much to icann as I deem appropriate. It's as good as the current system for your argument.
If you want to make the argument of the necessity of a tax who gets it? Those who were on it early enough to capture the regulator. Interestingly on a philosophical level both republicans and democrats claim to hate regulatory capture.
Republicans would want to open ICANN and its intermediaries up for competition, democrats would prefer to nationalise the lot, yes I know, that's just the ideology not the behaviour of elected officials much of late.
So what is the correct pattern? When you know it's going to happen to predict it to show the idiocy? Or to say post later looking sore?
I think predicting it on the back of a reasonable post when you know what is going to happen despite its reasonable nature kind of highlights the problem that exists here. I think I have a pretty good sense of when a post is going to get slammed in downvotes rather than responded to sensibly, so testing it with a proper demonstration seems to be the right thing. YMMV. I have tried the other way too by the way.
I didn't bait nor invite, I predicted. And did so correctly. But I don't believe in calling people names like "conspiracy theorist" I think that is intellectually lightweight. I wonder if you do too?
There's a crackdown on scumbags running businesses without disclosing their identity. Great! That's illegal in many jurisdictions, including the entire EU and California. Finally, ICANN is doing its job.
If you put your real name, address, phone number, and email in your domain registration, and keep it updated, there's no problem. I've had real contact info on all my domains for two decades. I get maybe one phone call a year, two or three email spams, and a letter or two.
What person in their right mind would want their real name, and contact information on a public facing database open to be queried by the entire world? The fact that I have to pay extra money to have a company "Hide" my data is ridiculous to start, I'm just shifting my trust from the entire world to a company who will sell my data or use it for their own purposes.
Having your personal information publicly associated with your domain registration is dangerous even if you're not running a controversial domain. There's a scumbag company out there called the "Domain Registry of America" that sends out fraudulent renewal notices to domain holders who have public information in their domain registration.
If you happen to be a not-savvy domain holder, you get a letter that looks like it's for a domain renewal, you fill it out and return it with a check, and that gives DRA the authority to transfer your domain registration.
And getting it back away from them is an unpleasant process at best.
Because there is never ever a reason to run an anonymous business or website. Nope, we should ban things that people can abuse because freedom is secondary to security.
You clearly don't operate a site that is controversial. I don't either, but I have a friend who operates a small forum with ~2000 users, and that's enough for him to be harassed using info from WHOIS. Sure, there are privacy services like WHOIS Guard, but those aren't foolproof (I forget who, but somebody was leaking WHOIS Guard info a while back for years).
I've received death threats for my views on government which resulted in me pulling my website down for fear of my personal safety. It was a small site and I was 14 and didn't want to spend extra on WHOIS protection. My viewpoints on government at the time were rather tame, though libertarian leaning. The viewpoint that bought me the most flack was being in California and supporting gun rights and criticizing the fear-mongered bans on certain firearms.
Free speech? Nah, fuck it. Opening a venue for people to harass and threaten others is more important.
If people have a valid need to contact the admin there is an admin@domain.com they can email that does not give my full name and home address.
Having to pay a company to hide these details is extortion at best. It's like the mafia asking for "protection money". If you don't pay them, they have someone pay you a little visit and convince you it's worth the investment.
I guess it really depends on what kind of site you're running.
For boring, non-interactive sites, I think that's probably fine.
I never put real information into WHOIS data (except for my email) because I have absolutely no desire for people who check to know who I am. I'm not running businesses and I've never made a dime off any of my sites.
I just think of all the community drama I've seen and how much worse it would be if they had my real name, phone number, and address. Not even considering all the other places I post under the same screenname, there's been plenty of nonsense on the forums I've run, and people have been perfectly happy to dox and harass other people whose personal information they could find out over incredibly trivial things.