By Larry Seltzer  |  Posted 2004-11-28

But owner information often is incorrect—because the owner wanted it that way. The WHOIS database is one of the great farms from which spammers harvest e-mail addresses, so many domain owners intentionally put in false contact information. Even the other contact information is often false out of privacy concerns. This information is usually separate from the registrar's billing database; while false information in the contact records usually violates registrar policy, as long as they get paid they usually look the other way. And it's not illegal to put false contact information in a WHOIS record, although there has been some talk in Congress of making it so.

The real answer seems to be domain locking, which it now appears all registrars support. Locking puts a "Status: REGISTRAR-LOCK" in your WHOIS record and prevents a default transfer of the type just instated by ICANN. GoDaddy, for example, has put a notice up warning all customers that they better lock their domains if they want to be sure of protecting them.

I haven't seen a single definition, but it appears that "REGISTRAR-LOCK" doesn't just prevent unauthorized transfers, but any other change in the domain record too. The only way to make a change is to log in to the master account and use the registrar's interface. If this is universally the case, it's the solution to the problem. It's just up to you to secure your master account information.
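An added example, not from the original article: a small Python audit that reads WHOIS text for a set of domains and reports the ones showing no transfer lock. The sample records are constructed, and matching the EPP status names next to the article's "REGISTRAR-LOCK" is an assumption about what other registries' WHOIS output contains.

```python
import re

# "REGISTRAR-LOCK" is the value quoted in the article. The EPP
# "...TransferProhibited" codes are added here as an assumption about
# how other registries label the same transfer lock.
LOCK_STATUSES = {"registrar-lock", "clienttransferprohibited",
                 "servertransferprohibited"}

# Match only real status fields ("Status:" / "Domain Status:"), so a lock
# keyword inside a notice or disclaimer is not mistaken for a lock.
_STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status\s*:\s*(\S+)", re.IGNORECASE)

def statuses(whois_text):
    """Return every status value found in one WHOIS record, lower-cased."""
    found = []
    for line in whois_text.splitlines():
        match = _STATUS_LINE.match(line)
        if match:
            found.append(match.group(1).lower())
    return found

def is_transfer_locked(whois_text):
    """True if any status field carries a transfer-lock value."""
    return any(s in LOCK_STATUSES for s in statuses(whois_text))

def audit(records):
    """records maps domain -> WHOIS text; return the unlocked domains.
    A record with no status field at all is reported as unlocked."""
    return sorted(d for d, text in records.items()
                  if not is_transfer_locked(text))

# Constructed sample records (reserved example domains, not real lookups).
SAMPLE = {
    "example.com": "Domain Name: EXAMPLE.COM\nStatus: REGISTRAR-LOCK\n",
    "example.net": ("Domain Name: EXAMPLE.NET\nStatus: ACTIVE\n"
                    "NOTICE: enable REGISTRAR-LOCK to protect your domain\n"),
    "example.org": ("Domain Name: example.org\n"
                    "Domain Status: clientTransferProhibited https://icann.org/epp\n"
                    "Domain Status: clientUpdateProhibited https://icann.org/epp\n"),
    "example.info": "Domain Name: EXAMPLE.INFO\nRegistrar: Constructed Registrar\n",
}

if __name__ == "__main__":
    for domain in audit(SAMPLE):
        print("NOT LOCKED:", domain)
```

In practice the text for each domain would come from saved `whois` output; the audit only covers the transfer lock, not the security of the registrar account itself.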

Taking ICANN at its word—that there was a problem with expediting legitimate transfer requests—I can see the reasonableness of the new policies. It does make competition more practical by denying registrars the ability to stall. What we need now are policies and technologies that make contact records more secure and eliminate all this ridiculous false information.

But beyond locking, I like the approach used by Domains By Proxy. Instead of your contact information referring to you, it refers to Domains By Proxy. You can tell them to forward contact requests on to you, or not. They only work with a small number of registrars? Why shouldn't all registrars offer this? In fact, why shouldn't it be part of the standard?

Come to think of it, isn't the whole idea that domain contact information needs to be public kind of quaint and antiquated? If you want to make your domain contact information public, put up a Web server and write a page for it. This looks like a job for ICANN.

In the end, if there are many attempts to steal domains and users have to utilize the (4,449 word) Dispute Resolution Policy to resolve them, it's still a failure even if it works every time. The system needs to protect domain owners from having to engage in the process too. I haven't yet seen where ICANN has helped this.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
