Web sites both big and small face the risk of having their Web addresses stolen because of flaws in the way domain names are registered, transferred and tracked, a report released this week found.
The report, announced Wednesday during an international meeting of the ICANN (Internet Corporation for Assigned Names and Numbers) in Luxembourg, followed at least two high-profile incidents this year of what is known as domain-name hijacking—one hitting New York-based ISP Panix and another affecting e-mail provider Hushmail Communications Corp.
Domain-name hijacking occurs when someone fraudulently takes control of a domain name, often by masquerading as the legitimate administrative contact for a domain name.
The e-mail addresses of administrative contacts, widely available in the WHOIS database of domain registrations, are used to verify domain-name holders.
The domain-name hijacking report, available here as a PDF, came from ICANNs Security and Stability Advisory Committee.
The committee advises the domain-name system overseers board of directors and constituents such as the registrars that sell domain names to individuals and business and the registries that manage domains such as .com and .net.
Committee members expressed optimism that the report will lead to swift action, but it was still unclear as of late Wednesday whether ICANNs board planned to address the reports findings and recommendations at its meeting later this week.
“Our job really was to shine light on problem and the basics of what needs to be done,” said Steve Crocker, the chairman of the advisory committee. “Now we stand back out of the way because were not the ones to implement that.”
ICANN Board Chairman Vint Cerf was among those who attended the committees release of its findings, and he expressed interest in the board acting on the reports findings. Crocker also said that committee members are promoting the reports findings throughout ICANN.
The committees conclusions left no doubt that the consequences of a domain hijack can be stark and widespread.
“The registrant may lose an established identity and be exposed to extortion by name speculators,” the report states. “Domain hijacking can disrupt or severely impact the business and operations of a registrant.”
Along with intercepting or stopping e-mail associated with a stolen domain, an attacker could use a domain hijack in a phishing scheme to disclose sensitive information, in a denial-of-service attack or to deface a Web site, the report found.
Among the causes of cited for hijacks was the failure of registrars to follow procedures for transferring domain names from one registrar to another and insufficient verification of the identity of someone requesting a domain-name change.
The report left ICANNs recently changed policy for the transfer of domain names without blame in domain hijacking, although others in the domain-name industry have raised concerns that the change will fuel more stolen domain names. The new policy had focused on streamlining the process of transferring a domain.
Also contributing to the domain-name hijacking cases outlined in the report was the relationship between official ICANN registrars and their resellers.
Committee member Ram Mohan said that about 40 percent of domain-name registrations occur through resellers, and, right now, the burden lies with registrars to ensure that their resellers follow ICANN procedures.
“The fact is that there are 150 active [ICANN] registrars with contracts and real responsibilities, and by our count some 20,000 to 25,000 resellers, and thats only an estimate,” said Mohan, vice president and chief technology officer for Afilias Ltd., the registry for the .info domain.
“These resellers are invisible to ICANN and registries.”
The ICANN committee recommended 10 fixes for hijacking, which ranged from more public awareness and a domain-name emergency hotline to potentially stricter verification of the identity of domain-name holders and better record keeping of registrations.
One technical recommendation focused on the use of registrar locks and domain-name holder passwords. The report suggests that registrars use locks, which prevent a domain-name change until the name holder unlocks the name, and consider using a specification called “authInfo,” which essentially password protects a domain name.
Currently, the authInfo password is not available for .com or .net, both of which are managed by VeriSign Inc. But VeriSign has said it plans to add the support, according to the report. Other domains, such as .org, .biz and .info, use the passwords.
“This is a train that is just waiting to get off the tracks, and the tracks are already loose,” Mohan said. “Were asking for serious action to be taken to quickly remedy the problem.”
While the Panix and Hushmail cases were widely reported, the ICANN committee report also cited a dozen other examples of stolen domain names. The hijacks hit such high-profile names as wifi.com, commericials.com, nike.com and ebay.de.
However, the committee did estimate the total number of domain-name hijackings that have occurred. Determining that number is difficult since domain-name holders and registrars are reluctant to disclose cases and are not required to do so, Mohan said.