[PC-NCSG] DRAFT: Referral to SSAC on WHOIS impacts on domain security and stability

Thu Jun 28 10:50:15 EEST 2012

Here's a proposed referral to SSAC requesting an analysis of security
problems in WHOIS validation and data reminders.  I raised the question
informally with Patrik and a few other members of SSAC.

Let me know if you have thoughts or questions.
--Wendy

Dear Patrik:

On behalf of the Non-Commercial Stakeholder Group, representing
non-commercial Internet registrants and users in the GNSO, I write with
some security questions about recent WHOIS proposals in the WHOIS Review
Team Final Report and Recommendations and the draft Registrar
Accreditation Agreement. Specifically, I am concerned that email or
phone validation, whether pre- or post-resolution of a domain name,
introduces new risks to the stability of that name. As SSAC is charged
with advising the ICANN Community and Board on "matters relating to the
security and integrity of the Internet's naming and address allocation
systems," [0] I believe its analysis would be valuable here. (I
acknowledge that most of the concerns relate to the security and
stability of individual domain names, but as they stem from a systemic
weakness in the proposed domain registration system.)

For example, if validation by returning an email were required before a
newly-registered domain name is permitted to resolve, as requested by
Law Enforcement [1], the potential registrant must find an alternate
provider of secure email by which to receive the validation, or risk
losing the name because he cannot do so.

At any point when such validation is required -- annually, upon
registration or renewal, or in response to a third-party complaint of
"inaccuracy" -- that could provide an opportunity for an attacker to
target a man-in-the-middle or phishing attack on the user's server or
client, or a denial of service at the user's mailserver (known, from the
email published in WHOIS). If a name is to be put on hold or suspended
because of a registrant's failure to respond, these attacks provide a
way to destabilize registrant's control of the domain and any further
systems that depend upon it.

Second, these communications train users in poor security practices. I
note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
signed, so users are not currently primed or able to verify the
authenticity of these communications. Encouraging them to provide
sensitive personal and/or systems information in response to such emails
harms them.

Similar concerns apply to the "accuracy" recommendations of the WHOIS
Review Team report [2]. I believe that a full threat analysis would be
valuable and likely to identify additional risks to domain registrants
and the registration system.

Please feel free to get in touch if I can provide further information.
We would be happy to work with you to refine the questions and analysis.

--Wendy

[0] http://www.icann.org/en/groups/ssac/charter
[1]
https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf
[2]
http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf