Visualizing the Security Benefits of the Losing FOA for Domain Name Transfers

I’ve written extensively about the security implications of the “Losing FOA” step of domain name transfers. It’s the opportunity for registrants to “ACK” or “NACK” a pending transfer, before it completes. I wrote about this again yesterday, and that post linked to all prior writings.

I wanted to give readers direct visual evidence of why the Losing FOA is so important as a security mechanism, so I initiated a transfer of a domain name from my company’s portfolio at Tucows/OpenSRS to GoDaddy. After I input the transfer code (currently called the “AuthInfo Code”, but it will be renamed the “Transfer Authorization Code” or “TAC”) at GoDaddy, Tucows/OpenSRS sent me (as registrant) an email, with a link to a page that would allow me to immediately approve the transfer (i.e. “ACK” it), or to reject the transfer (“NACK” it). Here’s a screenshot:

Example of OpenSRS Losing FOA page, allowing registrants to accept or reject an outgoing transfer request

As you can clearly see, the page contains text saying:

The domain name listed above will be transferred to:

New Registrar
GoDaddy.com, Inc.

and gives me the opportunity to accept the transfer, or decline it (I’ve just left things in a pending state for now; I’ll perhaps “ACK” the transfer in a few days).

Had the transfer code been compromised, with an attacker using it at a different registrar, I’d have been able to immediately detect the unauthorized transfer request and stop it before it completed, as I’d be able to see that it wasn’t transferring to GoDaddy.

In conclusion, this is an important security mechanism, given that there is otherwise no protection against misuse of the transfer code once it’s generated. Without this important safety mechanism, the registrant is “on their own”.

[P.S. In case you were wondering about the domain I used for the test transfer, “Big Swinging Dick” is a Wall Street term mentioned in the book “Liar’s Poker” — “If he could make millions of dollars come out of those phones, he became that most revered of all species: a Big Swinging Dick.” And of course, I own the dot-com (through my company).

P.P.S. What if an attacker had used a compromised transfer code at GoDaddy before I did, and I mistakenly approved an incorrect transfer into their account, rather than my own account at GoDaddy? That’s a vulnerability that I’ve advocated be addressed, by showing the full WHOIS “before” and “after” the proposed transfer (while it’s still in a pending state, to allow the current registrant full transparency of how the WHOIS would change, should they accept the transfer). See section G (pp. 23-25) of my full submission to ICANN. Although, even under the status quo, at least the domain name would be at a “friendly” registrar (i.e. in a legal jurisdiction to which I had specifically wanted to transfer the domain), where presumably the force of law could be used to correct things.]

Response to ICANN Working Group Regarding Domain Name Transfer Issues

In August, I submitted extensive comments on behalf of my company to ICANN regarding proposed changes to domain name transfer policy.

I’d written multiple blog posts before then, warning about the negative ramifications should their recommendations be adopted. See here, here, here, here and here for those past articles on the topic.

In September, I participated (as a member of the public, not as a member of the working group) in the public ICANN75 session on the topic (I wrote another blog post immediately before that session). After that session, one of the ICANN working group members posted some thoughts on my proposals.

As I’ve yet to be invited to participate directly in that working group (which might correct the severely unbalanced and unrepresentative participation, where registrants’ views are not being taken seriously), I’ve written a public response to that email. You can read that response here (while it’s 20 pages long, it’s very generously spaced, so it shouldn’t take long to read and digest).

There is a lot wrong with this working group’s report and ongoing deliberations. The public deserves more than mere lip service during an ICANN75 meeting. We deserve active engagement throughout the remainder of the working group’s efforts, especially given the unbalanced participation at present.

ICANN75 Session of the Transfer Policy Working Group is Friday at 10:30PM Eastern Time

The ICANN75 session of the ICANN Transfer Policy Review PDP Working Group will be taking place in less than 12 hours from this blog post, at 10:30 PM Eastern Time on Friday, September 16, 2022. [10:30 MYT (UTC+8), 17 September 2022]

Remote participation is available via Zoom (you’ll need to create an ICANN account to access the links to the Zoom room, as per the above session link).

As I’ve noted in my lengthy comment submission, there are very serious problems with the working group’s recommendations.

Furthermore, that working group’s review of the public comments is superficial at best. As an example, watch the Zoom recording of this past Tuesday’s working group call (unfortunately, the written transcript of the call isn’t posted yet on the GNSO’s calendar page).

Did the working group even mention, in discussions of removal of the Losing FOA, my citing of the SSAC report, from page 39 of my comment submission, to:

“Treat transfer attempts as a security event (check and re-check).”

Nope! Apparently such an important point was not worth mentioning on their call! It demonstrates the importance of the Losing FOA.

There’s a certain arrogance in the working group, as if they know better than the public. e.g. Jim Galvin of Afilias (a member of the SSAC) claimed he was “not especially persuaded by most of these comments” and that he didn’t believe “that there’s new information here” (see the “rough transcript” produced by Zoom at around 44:22 into the call, or listen to the actual call; the rough transcript isn’t perfect).

Galvin claimed that he “could sit here and go through, and I think I would have a specific response to each one of these comments” (at around 44:53 into the call). I openly challenge him to do so!

I even reached out to him, to have a telephone call, to go through my concerns to see what his “response” would be. I’ve not heard back, yet.

At 1 hour and 10 minutes into the call, Galvin asserts that “there really is no difference between the FOA and the notification.” He then goes on to claim “the notification has the same properties. It neither adds nor removes them.”

This is demonstrably false!

If I validly create a TAC (transfer authorization code), to transfer a valuable domain name from Tucows to GoDaddy (as an example), and provide that TAC to a buyer or to an escrow company, but then see (via the Losing FOA) that the transfer is actually going to Alibaba or a Russian registrar, I’d be able to NACK (cancel) the transfer, as it’s not going to the correct destination.

That scenario involves no compromise of the registrar’s control panel; it involves misuse of the TAC after it was properly generated, but before it was used at the correct gaining registrar.

This is a perfect demonstration that their analysis is completely wrong. The removal of the Losing FOA would have demonstrably made one worse off.
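To make the argument in this post (and the misdirected-transfer scenario in the “Visualizing the Security Benefits of the Losing FOA” post above) concrete, here is a toy model of the transfer flow, run once with the Losing FOA in place and once with it replaced by an informational notice. It is an added illustration for this page, not code from Tucows, GoDaddy, ICANN or any registrar, and it is not EPP. The registrar names, the domain, the 5-day window after which silence counts as approval, and the leaked-TAC scenario are modelling assumptions.

```python
"""Toy model of a registrar-to-registrar transfer, with and without the Losing FOA.
Added illustration for this blog post; not code from any registrar or from ICANN.
Assumptions: a bearer TAC, a 5-day auto-approval window, and two registrar modes:
  mode="foa"    -> registrant receives a Losing FOA and can ACK or NACK
  mode="notice" -> registrant receives an informational notice only (no NACK)
"""
import hmac
import secrets
from dataclasses import dataclass

AUTO_ACK_DAYS = 5  # assumed window before the losing registrar auto-approves


@dataclass
class Transfer:
    domain: str
    gaining: str              # registrar that submitted the TAC
    status: str = "pending"   # pending | completed | rejected
    age_days: int = 0


class LosingRegistrar:
    """Holds the domain, issues the bearer TAC and tracks the pending transfer."""

    def __init__(self, name, mode="foa"):
        assert mode in ("foa", "notice")
        self.name, self.mode = name, mode
        self.tacs = {}        # domain -> outstanding TAC
        self.transfers = {}   # domain -> Transfer
        self.inbox = []       # messages to the registrant: (domain, gaining registrar)

    def issue_tac(self, domain):
        tac = secrets.token_urlsafe(24)   # bearer secret: whoever holds it can use it
        self.tacs[domain] = tac
        return tac

    def transfer_request(self, domain, tac, gaining):
        """Registry relays a gaining registrar's request carrying the TAC."""
        expected = self.tacs.get(domain)
        if expected is None or not hmac.compare_digest(expected, tac):
            return "rejected"
        del self.tacs[domain]   # single use: a retry needs a freshly issued TAC
        self.transfers[domain] = Transfer(domain, gaining)
        self.inbox.append((domain, gaining))   # FOA or plain notice, per mode
        return "pending"

    def ack(self, domain):
        """Returns True if the registrant's approval took effect."""
        if self.mode != "foa":
            return False   # notice only: nothing for the registrant to act on
        t = self.transfers[domain]
        if t.status == "pending":
            t.status = "completed"
        return t.status == "completed"

    def nack(self, domain):
        """Returns True if the registrant's rejection took effect."""
        if self.mode != "foa":
            return False   # notice only: the registrant cannot stop the transfer
        t = self.transfers[domain]
        if t.status == "pending":
            t.status = "rejected"
        return t.status == "rejected"

    def advance_days(self, n):
        for t in self.transfers.values():
            if t.status == "pending":
                t.age_days += n
                if t.age_days >= AUTO_ACK_DAYS:
                    t.status = "completed"   # silence is treated as approval


def registrant_reviews(registrar, intended_gaining):
    """Registrant compares each message against where the transfer was meant to go."""
    outcomes = []
    for domain, gaining in registrar.inbox:
        if gaining == intended_gaining:
            outcomes.append((domain, "ACK" if registrar.ack(domain) else "notice only"))
        else:
            outcomes.append((domain, "NACK" if registrar.nack(domain) else "NACK unavailable"))
    registrar.inbox.clear()
    return outcomes


def run_scenario(mode, used_at, intended="GoDaddy", domain="example.com"):
    """Registrant issues a TAC for a move to `intended`; the TAC is then used at
    `used_at` (the registrant's own account, or someone who obtained the code)."""
    losing = LosingRegistrar("Tucows/OpenSRS", mode)
    tac = losing.issue_tac(domain)
    if losing.transfer_request(domain, tac, used_at) != "pending":
        return "rejected"
    registrant_reviews(losing, intended)
    losing.advance_days(AUTO_ACK_DAYS)   # registrant takes no further action
    return losing.transfers[domain].status


if __name__ == "__main__":
    for mode in ("foa", "notice"):
        for used_at in ("GoDaddy", "OtherRegistrar"):
            print(f"{mode:6} TAC used at {used_at:14} -> {run_scenario(mode, used_at)}")
```

In the model, the only input the losing registrar validates is the TAC, so a leaked code submitted from any registrar reaches the pending state; the Losing FOA is the one point where the registrant learns the actual destination and can reject it, and a NACK also burns the consumed TAC so the same code cannot be retried. In “notice” mode the registrant receives the identical message but the transfer auto-completes anyway.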

Galvin claims that “all bets are off” if an attacker gains access to a registrar’s control panel (because the attacker can change registrant contact details, so the registrant wouldn’t be able to receive the Losing FOA). Again, his analysis is wrong. Perhaps at a poorly-designed registrar, his analysis might be fine. But, a properly-designed security-conscious registrar wouldn’t immediately make those critical changes. They would seek verification first! I documented in my lengthy submission that I carefully separate out the registrar control panel details and contacts, so that they’re independent of the domain name contacts.

Later on that call, at around 1 hour and 14 minutes, Jim Galvin demonstrates to us all that he didn’t actually do his homework and understand the working group’s report, as he was unaware that the 5 day window after the gaining registrar submits the transfer was being eliminated. How embarrassing for him, and embarrassing for SSAC. He says “maybe I’m missing something here” — yes, Galvin and others are missing a lot!

In conclusion, it’s clear that these working group members are not doing a proper review of the public comments. They have tunnel vision, and are working from the starting point that they “know better” than the public who submitted serious concerns about their dangerous proposals. If you share these concerns and have time on Friday night (North American time) to attend the ICANN75 session remotely, please do so.


Stanley Pace wins Reverse Domain Name Hijacking Decision in Court, Overturning UDRP

Stanley Pace has won a reverse domain name hijacking victory in court, overturning a wrongly-decided UDRP decision at WIPO in the celluvation.com dispute.

You can read the entire court decision here.

In summary:

The Court hereby DECLARES and ORDERS:

1. Pace’s use of the celluvation.com domain does not violate the ACPA.
2. Pace’s use of the celluvation.com domain does not violate the Lanham Act.
3. Pace has established a claim for reverse domain name hijacking.
4. Defendant’s counterclaims against Plaintiff are DISMISSED WITH PREJUDICE for willful and inexcusable failure to prosecute and failure to comply with court orders pursuant to Fed. R. Civ. P. 41(b).
5. Pace’s request for fees is DENIED.
6. The WIPO arbitration panel decision is OVERTURNED, and the domain name registrar for celluvation.com is ORDERED to lift the hold on the domain name and return the domain to Pace.
7. Judgment shall be entered in favor of Plaintiff

Will WIPO add this decision to its list of UDRP-related court cases? You might recall that WIPO retaliated against my company and removed the PUPA.com court case decision from their list (after I voted against Brian Beckham as co-chair of the RPM PDP working group at ICANN).

Arizona court orders that ETH.LINK domain name be transferred back to True Names

An Arizona court has ordered that the ETH.LINK domain name be transferred back to True Names. You can read the entire order here.

This was first reported on Hacker News last night, but none of the usual suspects has blogged about it yet. Given I’m “on strike” for reporting on SEC Filings findings for the rest of the year, due to too many parasitic bloggers, I figured I’d write about something different. Let’s see how many parasitic bloggers write about this without citing the original Hacker News post or this blog post…especially those who don’t typically blog on the weekends….

Obviously change of ownership and domain transfers in general are matters of critical importance, yet how many people reading this bothered to submit comments to ICANN during their recent comment period? You can read my company’s 60 page submission in a prior blog post. If you were upset about how the registrars handled the ETH.LINK expiration and transfer to a 3rd party, perhaps you should pay more attention to the policies which enable that behaviour. When a registrar can earn more from the expiry of a domain name, rather than its renewal, that creates an enormous conflict of interest. The interests of registrants are routinely ignored at ICANN, because of your apathy.

Meditations on Domain Name Transfers: Final Call for Comments To ICANN

Today I submitted comments on behalf of my company (Leap of Faith Financial Services Inc.) to ICANN regarding proposed changes to domain name transfer policy. You can read those comments in this PDF, or at ICANN’s public comment forum along with those of others such as the Internet Commerce Association. If you’d like to submit your own comments, the deadline is Tuesday August 16, 2022 at 23:59 UTC.

I’ve written multiple blog posts in the past few weeks, warning about the negative ramifications should their recommendations be adopted. See here, here, here, here and here for those past articles on the topic.

The comment submission reiterates and expands on those past articles. I also took a deep dive into each of the recommendations. It was a considerable effort (at least 40 hours, if not more) in a compressed time frame. It was truly stressful given the deadline would not be extended to mid-September (or beyond) as requested, to be a more reasonable schedule for the amount of work involved. As I note on page 5 of the submission, I could have used more time to reorganize, restructure and condense the material (which amounts to 60 pages!). Consider this a “draft” that wasn’t intended for publication, but is as good as it’s going to get in the time that was provided.

As I note in the conclusion, the most important section is Section E (generate a transaction ID at the gaining registrar, to input at the losing registrar; this way, we can eliminate the TAC). Also, retaining the “Losing FOA” (Section F), at least on an opt-in basis, to preserve the ability to ACK/NACK a pending transfer is critical. Those are the two big counterproposals, although lots of other stuff was important and needed to be said.

The unbalanced nature of the working group composition (registrars dominating) should concern everyone, as registrants’ interests are not being protected.

XPRIZE-style Competition To Improve Domain Name Transfer Security

I’ve written extensively in the past couple of weeks regarding the ICANN transfer policy review’s initial report.   You can read these past articles here, here, here and here. There has also been discussion at the NamePros forum. ICANN has been obstinate in their refusal to extend the comments deadline to mid-September (or beyond) as requested (comments are due August 16, 2022, less than a week from now). [Please do keep trying to get it extended, though! Many folks I’ve talked to are only now beginning to understand the negative ramifications of the report, and need more time to compose a thoughtful response.]

Domain name security, including security of the transfer process, is important enough that it calls for fresh ideas. I propose that ICANN issue a widely publicized and open “Call For Papers” or a competition of some sort, like the “XPRIZE” but for domain name transfer and security procedures. This would encourage academics, security researchers, security practitioners, “white hats” and others to take a deeper dive into the domain name transfer system. They would be encouraged and invited to come up with new ideas that would improve security of hundreds of millions of domain names, which are at the foundation of the multi-trillion dollar online economy.

ICANN agreed to receive a controversial $20 million from Verisign upon renewal of the dot-com contract. It was intended to improve security.

I suggest that a portion of it, perhaps $250,000 to $500,000, be used to fund the total prizes and/or honoraria for an XPRIZE-style competition or call for papers. This is a small fraction of the $20 million.

Such funding would provide an economic incentive to draw new ideas and new eyeballs into the ICANN ecosystem, particularly from academia, rather than from “the usual suspects” who’ve dominated ICANN for the past 2 decades. Transfer security, and overall domain name security, is too important an issue to leave to those ‘usual suspects’.

[To make it clear that I personally would not financially benefit from such a competition, folks should be able to have any prizes/honoraria be directed to charities, rather than to themselves, as I would do to eliminate any conflicts of interest that might be seen from making this proposal.]

Making Domain Name Transfers More Secure

As previously discussed, there’s an initial report published by an ICANN working group that is making various recommendations regarding domain name transfers. One of the recommendations would eliminate the important “NACK” safeguard, which allows a registrant the ability to reject an unauthorized transfer attempt. My first blog post discussed why that’s a bad idea. A newer blog post highlighted the fact that the “AuthInfo Code” (to be renamed the “TAC” — Transfer Authorization Code) is the “key to the kingdom” and thus its security is paramount. I compared it to the lack of security of a “bearer bond” (vs. a wire transfer).

Can we do better? I’ve come up with two different ideas.


Connect.com domain name acquired by Hubspot for $10 million

[NB: As I’ve noted on Twitter, I don’t appreciate folks who are not citing my work. So, I’m “on strike”. That being said, I’ll make an exception for an eight-figure domain name transaction.]

Hubspot disclosed in a SEC filing (see p. 20) that they acquired the Connect.com domain name for USD $10 million:

In the three months ended June 30, 2022, the Company purchased the rights to the domain name “connect.com” for $10.0 million.

I’d write a longer analysis, but as I said, I’m on strike. People should appreciate that very few are actually doing original research. If you use their hard work, then you should cite and link to it, rather than just taking the results of that research to generate page views, attention, or advertising revenue (remember, this site has no ads). Don’t be a parasite or a ‘taker’. Be a giver.

There’s an important ICANN comment period about transfers policy, where I’ve asked for a deadline of mid-September in order to complete my own comments in a thorough manner. Ensuring domain names aren’t stolen should be everyone’s priority, but that working group would lower security by eliminating an important safeguard (namely the ability to “NACK” a transfer before it has completed). The Internet Commerce Association submitted a comment a couple of days ago,  echoing some of the concerns I expressed on my blog. But, my concerns and comments go far deeper, and I need the time to write them all up.

If you appreciate this work, why don’t you take a moment and contact them to reiterate the need for a mid-September deadline? (see their contact info in my previous blog post here)

Update: Elliot Silver reported on the change of ownership of the domain name in an April blog post (although, at the time the price was not known). DomainGang also recently reported on a matching TM filing. (These articles didn’t impact my research, but are worth mentioning regardless.)