[PC-NCSG] DRAFT: Referral to SSAC on WHOIS impacts on domain security and stability

Wendy Seltzer wendy
Thu Jun 28 14:14:23 EEST 2012


Thanks Mary and Avri,

It would be great to send from NCSG and invite the SSAC to engage in
dialogue with us to understand and define the problem.

--Wendy

On 06/28/2012 09:34 AM, Mary.Wong at law.unh.edu wrote:
> I agree. If Wendy is amenable and the PC agrees, we can even send it as a formal NCSG request. Either way, I support it.
> 
> Thanks, Wendy.
> 
> Cheers
> Mary
> 
> Sent from a mobile device; please excuse brevity and any grammatical or typographical errors.
> 
> "Avri Doria <avri at acm.org>" <avri at acm.org> wrote:
> 
> 
> Good statement
> I recommend NCSG endorsement of this statement.
> 
> avri
> 
> 
> Wendy Seltzer <wendy at seltzer.com> wrote:
> 
>> Here's a proposed referral to SSAC requesting an analysis of security
>> problems in WHOIS validation and data reminders.  I raised the question
>> informally with Patrik and a few other members of SSAC.
>>
>> Let me know if you have thoughts or questions.
>> --Wendy
>>
>> Dear Patrik:
>>
>> On behalf of the Non-Commercial Stakeholder Group, representing
>> non-commercial Internet registrants and users in the GNSO, I write with
>> some security questions about recent WHOIS proposals in the WHOIS Review
>> Team Final Report and Recommendations and the draft Registrar
>> Accreditation Agreement. Specifically, I am concerned that email or
>> phone validation, whether pre- or post-resolution of a domain name,
>> introduces new risks to the stability of that name. As SSAC is charged
>> with advising the ICANN Community and Board on "matters relating to the
>> security and integrity of the Internet's naming and address allocation
>> systems," [0] I believe its analysis would be valuable here. (I
>> acknowledge that most of the concerns relate to the security and
>> stability of individual domain names, but they stem from a systemic
>> weakness in the proposed domain registration system.)
>>
>> For example, if validation by returning an email were required before a
>> newly-registered domain name is permitted to resolve, as requested by
>> Law Enforcement [1], the potential registrant must find an alternate
>> provider of secure email by which to receive the validation, or risk
>> losing the name because he cannot do so.
>>
>> At any point when such validation is required -- annually, upon
>> registration or renewal, or in response to a third-party complaint of
>> "inaccuracy" -- that could provide an opportunity for an attacker to
>> target a man-in-the-middle or phishing attack on the user's server or
>> client, or a denial of service at the user's mailserver (known, from the
>> email published in WHOIS). If a name is to be put on hold or suspended
>> because of a registrant's failure to respond, these attacks provide a
>> way to destabilize the registrant's control of the domain and any further
>> systems that depend upon it.
>>
>> Second, these communications train users in poor security practices. I
>> note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
>> signed, so users are not currently primed or able to verify the
>> authenticity of these communications. Encouraging them to provide
>> sensitive personal and/or systems information in response to such
>> emails harms them.
>>
>> Similar concerns apply to the "accuracy" recommendations of the WHOIS
>> Review Team report [2]. I believe that a full threat analysis would be
>> valuable and likely to identify additional risks to domain registrants
>> and the registration system.
>>
>> Please feel free to get in touch if I can provide further information.
>> We would be happy to work with you to refine the questions and
>> analysis.
>>
>> --Wendy
>>
>> [0] http://www.icann.org/en/groups/ssac/charter
>> [1]
>> https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf
>> [2]
>> http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg


-- 
Wendy Seltzer -- wendy at seltzer.org +1 617.863.0613
Fellow, Yale Law School Information Society Project
Fellow, Berkman Center for Internet & Society at Harvard University
http://wendy.seltzer.org/
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/
