[PC-NCSG] DRAFT: Referral to SSAC on WHOIS impacts on domain security and stability
Avri Doria
avri
Thu Jun 28 11:07:30 EEST 2012
Good statement
I recommend NCSG endorsement of this statement.
avri
Wendy Seltzer <wendy at seltzer.com> wrote:
>Here's a proposed referral to SSAC requesting an analysis of security
>problems in WHOIS validation and data reminders. I raised the question
>informally with Patrik and a few other members of SSAC.
>
>Let me know if you have thoughts or questions.
>--Wendy
>
>Dear Patrik:
>
>On behalf of the Non-Commercial Stakeholder Group, representing
>non-commercial Internet registrants and users in the GNSO, I write with
>some security questions about recent WHOIS proposals in the WHOIS Review
>Team Final Report and Recommendations and the draft Registrar
>Accreditation Agreement. Specifically, I am concerned that email or
>phone validation, whether pre- or post-resolution of a domain name,
>introduces new risks to the stability of that name. As SSAC is charged
>with advising the ICANN Community and Board on "matters relating to the
>security and integrity of the Internet's naming and address allocation
>systems," [0] I believe its analysis would be valuable here. (I
>acknowledge that most of the concerns relate to the security and
>stability of individual domain names, but as they stem from a systemic
>weakness in the proposed domain registration system.)
>
>For example, if validation by returning an email were required before a
>newly-registered domain name is permitted to resolve, as requested by
>Law Enforcement [1], the potential registrant must find an alternate
>provider of secure email by which to receive the validation, or risk
>losing the name because he cannot do so.
>
>At any point when such validation is required -- annually, upon
>registration or renewal, or in response to a third-party complaint of
>"inaccuracy" -- that could provide an opportunity for an attacker to
>target a man-in-the-middle or phishing attack on the user's server or
>client, or a denial of service at the user's mailserver (known, from the
>email published in WHOIS). If a name is to be put on hold or suspended
>because of a registrant's failure to respond, these attacks provide a
>way to destabilize the registrant's control of the domain and any further
>systems that depend upon it.
>
>Second, these communications train users in poor security practices. I
>note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
>signed, so users are not currently primed or able to verify the
>authenticity of these communications. Encouraging them to provide
>sensitive personal and/or systems information in response to such emails
>harms them.
>
>Similar concerns apply to the "accuracy" recommendations of the WHOIS
>Review Team report [2]. I believe that a full threat analysis would be
>valuable and likely to identify additional risks to domain registrants
>and the registration system.
>
>Please feel free to get in touch if I can provide further information.
>We would be happy to work with you to refine the questions and
>analysis.
>
>--Wendy
>
>[0] http://www.icann.org/en/groups/ssac/charter
>[1]
>https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf
>[2]
>http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf
>