MENU
  • Enom.com
  • Resellers

Enom Blog

  • Highlights from ICANN66 Montreal

    November 25, 2019

    GDPR, Industry Insight, News

     Like

    Views: 1811

    Montreal in November is not as bad as it sounds; the weather is crisp and clear, the snow isn’t too deep yet, and it doesn’t get dark until a reasonable time in the evening. It’s still not my top choice for a travel destination at this time of year, but the ICANN conference definitely made it all worthwhile. For those who couldn’t make it out to Montreal, here are the highlights.

    How best to handle DNS abuse

    While changes necessitated by the GDPR were a hot topic at ICANN66, we were pleased to see a lot of discussion about DNS Abuse and how best to address it. Front and centre in these conversations was the “Framework to Address Abuse”, a document signed by Tucows and other major registrars and registries hoping to standardize our industry’s approach to DNS Abuse. In that Framework, Tucows and our co-signatories proposed a definition of DNS Abuse that we believe is correct and appropriately limited, while also describing a set of non-DNS Abuse categories on which we would, nonetheless, take action. The plenary session on DNS Abuse was the most well-attended session at any ICANN meeting so far.

    It’s impossible to summarize such a broad topic and intense discussion (you can, however, watch the whole thing online!), but here are the key takeaways:

    • DNS Abuse is a topic that the community is working to address
    • There’s concern around who should respond to Abuse and how to do so in a proportional manner
    • There are already tools in place that ICANN Compliance could use to help in this effort

    We’re committed to working within our space to address Abuse, and we look forward to collaborating with other groups in the domain name industry as this work continues.

     

    You guessed it… the GDPR

    The impact of the GDPR and other data privacy regulations on the Domain Name System remained a primary focus for ICANN66. Both the Expedited Policy Development Process (EPDP) team (the group that works to determine what the permanent replacement to ICANN’s Temp Spec must include and address) and the Implementation Review Team (the group responsible for transforming the EPDP’s Phase 1 recommendations into Consensus Policy) made good use of the opportunity for face-to-face meetings.

     

    Work from the EPDP team

    The EPDP team is in Phase 2 of their work, developing a System for Standardized Access and Disclosure (SSAD) by which third-parties can obtain non-public gTLD registration data. It’s a large project, and the work is divided up into a series of “building blocks,” each examining different aspects of this system, such as accreditation (for third-parties in search of data), data retention requirements, and auditing.

    We think this is a useful approach, but some core questions remain unanswered, including the fundamental one: who is the entity making the disclosure decision? 

    When a third-party requests access to registration data, will that be relayed to the relevant registrar or registry operator, or will the SSAD operator make that determination? Could a standalone SSAD operator have all the relevant information needed to appropriately decide if the request should be fulfilled or denied? Could a registrar or registry operator provide data to be disclosed via the SSAD while remaining compliant with data protection laws? As the building blocks get finalized these underlying open issues are brought to the forefront, and we’re getting closer to the point where the EPDP can’t continue its work without these answers.

    To that end, ICANN has set up a “Strawberry Team,” a group of ICANN staff working in parallel to the EPDP team. Just before ICANN66, they sent a proposed model for registration data disclosure to the European Data Protection Board, asking for feedback.

    There’s a general sense of frustration among EPDP members around the lack of communication about this; the team had asked ICANN to share any proposals or models with them before sending it out to groups like the Data Protection Board, and that didn’t happen here. There’s also concern that this work should be happening within the multistakeholder model rather than alongside it.

    Ultimately, if the European Data Protection Board (EDPB) provides advice, that can only be a good thing. However, as we wrote following ICANN64 in Kobe, it’s important to remember that any statement by the EDPB that the model is acceptable could easily be retracted in the future; it’s not a guarantee of legality. Instead, decisions around how to update ICANN contracts and Consensus Policies should be made by the ICANN Community, who are able to take relevant local laws and regulations into account while considering the policies our industry needs.

     

    Work from the Implementation Review Team

    Alongside the EPDP’s Phase 2 work, the Implementation Review Team (IRT) is in the midst of transforming the EPDP’s Phase 1 Recommendations into a “gTLD Registration Data Policy.” Once complete, this gTLD Registration Data Policy will replace the Temp Spec and permanently modify ICANN’s Registrar Accreditation Agreement (as well as other ICANN policies) to bring them into compliance with the GDPR and other data protection laws.

    This new policy will cover:

    • data collection
    • transfer of data from registrar to registry
    • transfer of data to data escrow provider
    • publication of registration data
    • logging
    • data retention requirements

    This gTLD Registration Data Policy will also include a section on “Reasonable Requests for Lawful Disclosure of Non-Public Registration Data.” You may be wondering how this ties into the EPDP team’s Phase 2 work developing a System for Standardized Access and Disclosure (SSAD): would they not go hand in hand? The difference is that the IRT’s Policy will govern how requests for data are handled when made directly to individual registrars or registry operators, while the SSAD is intended to be a standalone unified system with a single point of contact and operator.

    There is not yet an expected date for when the new gTLD Registration Data Policy will become effective, but we will keep you posted as things develop.

     

    Tucows’ involvement in the ICANN Community

    The Tucows team also presented on panels and attended sessions on a variety of other topics. We discussed expectations for RDAP, the successor to the Whois protocol, based on outcomes of the EPDP and IRT; we worked with the joint registrar and registry “TechOps” team on a set of topics, including best practices for transfer authorization codes.

    ICANN meetings are a unique combination of exhausting and exhilarating. Participants from all around the world come together to work on specific topics, with hundreds of sessions to choose from, and the public forums are always fascinating. We continue to work hard to make sure that the concerns of our customers and their registrants are represented at this important venue.

    Read More

  • Tiered Access Data Disclosure Update

    October 30, 2019

    GDPR, Industry Insight

     Like

    Views: 1228

    keys on surface.

    It has been more than a year since Tucows, Enom’s parent company, launched our Tiered Access Compliance & Operations portal, sometimes called “Gated Whois,” and it’s been around six months since we shared our first set of statistics on how and by whom this platform is being used. Today’s update brings our statistics current through mid-October 2019. We hope that this data will provide insight into how we handle requests for non-public personal data.

    It’s important to remember that these statistics represent disclosure requests by a third party asking for personal data which is not publicly available. Each request is examined by a member of our legal team, who reviews the request and decides what data, if any, should be disclosed based on applicable law and our ICANN obligations. This review can be intensive and time-consuming but is essential to processing the data we’re entrusted with in accordance with our commitment to the protection of personal data.

     

    Data disclosure requests

    We received 467 requests for data in the period from February to mid-October 2019 and 2617 requests total to date.

    • 36% of requests received in this period resulted in registration data being disclosed to the requestor
    • 45% were incomplete and the requestor did not respond to our followup for further information, so no data were disclosed
    • 10% were denied, following a determination that the requestor did not have an adequate lawful basis
    • 9% of requests resulted in “disclosure” of Whois Privacy information—that is, the same information already publicly available to a requestor

     

    Disclosure request outcomes – Period 2

    We are pleased to note that we did not find significant spikes in requests during this reporting period, unlike our previous report where request volumes increased around ICANN meetings, suggesting that some portion of those requests were submitted in order to skew the data towards an argument that disclosure requests are not being processed in a timely or appropriate manner.

    Here’s an illustration of the volume requests over time since we’ve launched Tiered Access:

    Compared against our last report

    Perhaps more interesting than the overall numbers is how the current reporting period compares to the previous one: comparing request and response statistics as users become more accustomed to the new system and have learned how to effectively request data; the comparisons below are percentages.

     

    Disclosure request outcomes compared

    • Increase in disclosure of non-public data from 25% to 35% and decrease in incomplete requests from 69% to 45%
      These changes are likely a result of our efforts to work with high-volume requestors to improve the quality of their requests
    • Increase in denied requests from just under 5% to just over 11%
      We attribute this to small-volume and single requestors who recently discovered our Tiered Access portal and do not yet understand how to submit a request that allows us to adequately evaluate their legitimate rights against the privacy rights of the registrant. We will work to better describe the request process at the point of access.
    • Increase in requests for data where the domain has Whois Privacy enabled from 3% to 9%
      When a domain uses one of our Whois Privacy services, we instruct requestors to submit legal process before disclosing the underlying personal data. We also, however, provide the privacy data, as the email address can be used to contact the registrant directly.

     

    Duplicate requests


    We continue to see a significant rate of duplicate requests. These include requests from the same source and from multiple requestors, each purporting to represent the same interests.  When we receive a second request from the same requestor, we refer them to our prior correspondence—whether that included a request for more information (most often the case) or disclosed personal data. When we receive a request for the same domain’s data from a different party, we encourage the two parties to work together to determine which one represents the legitimate purposes for the data disclosure. We do this whether the data were previously disclosed or not.

    As before, a statistically-significant amount of all requests come from the same single requestor mentioned in our previous report; this is the largest individual requestor using our Tiered Access system. However, their requests have dropped by half—last time we shared stats, this requestor represented nearly 65% of all requests, while for period 2 they make up 30% of all disclosure requests submitted to our Tiered Access system. We have worked with this requestor to refine and improve the quality and type of their requests, which has resulted in a decrease both in requests sent and requests denied.

    Although it makes up only a very small percentage of overall requests (1.5%), requests for access to our entire registration database have doubled from period 1 to period 2. The majority of these types of requests come from security researchers.

     

    Who wants data?

    As stated above, users of our Tiered Access Compliance & Operations system are vetted by our legal team, and disclosure is limited to those with a demonstrated legitimate legal interest. There are a few broad categories of requestors who typically have a legitimate purpose that would allow us to disclose the data—for example, while we do receive requests that are unsolicited offers to purchase a domain, this is not a legitimate purpose for disclosure, as there are other ways to accomplish the same goal without necessitating disclosure of personal data.

    The main tracked requestor types are “commercial litigation”, who need access to personal data in order to bring a legal claim of rights against the registrant; law enforcement, carrying out an investigation or in the course of their work; and security researchers, who use certain aggregate data to identify trends in digital abuse. In the chart below, “other” indicates all other requestors, including Certificate Authorities, resellers, and unaffiliated individuals.

     

    Requests by Requestor Type


    Despite recent concerns raised by security researchers—who comprise the bulk of requests for access to our entire database—the significant majority of all disclosure requests continue to come from commercial litigation interests. We continue to work with security researchers to develop ways for them to access the information they need while protecting the personal data of our customers.

    Since law enforcement historically had unrestricted access to the entire registration database, when a law enforcement officer from a jurisdiction we operate in indicates a need for data that would previously have been public, we do disclose the data to them. Law enforcement officers from other jurisdictions must still show legitimate purpose.

     

    Ongoing work

    The attitude we have seen throughout this process indicates a culture of entitlement to private personal data and a frustration about the requestor’s obligation to prove that they have a legitimate basis to access personal registrant data.

    In February 2019, the Registrar Stakeholder group published recommended minimum requirements for requesting non-public registration data. This valuable resource has been slow to gain traction in the community of requestors, though we continue to educate requestors individually. Our follow-ups, asking for information sufficient to show legitimate purpose, continue to be ignored, indicating to us that our responses to disclosure requests are unmonitored and that those disclosure requests themselves may be spurious or automated.

    We work on an ongoing basis both with trade groups and individual requestors to emphasize the importance of balancing rights—the requestor’s right to personal data necessary to defend their legitimate rights against our customers’ right to privacy. Our work includes participation in the EPDP, an effort at ICANN to solidify the rules surrounding how disclosure of personal data should proceed.

    We believe that we have developed a viable disclosure model—an opinion shared by trade groups who have indicated that the Tucows Tiered Access Compliance & Operations platform is an industry standard—and are happy to share additional details with other data custodians and with requestors to improve and harmonize the process across the industry. I will be at ICANN 66 in Montreal and available to discuss.

    Read More

  • Our Ongoing Commitment to Combatting DNS Abuse

    October 18, 2019

    Announcement, Featured, News

     Like

    Views: 1779

    Abuse is a significant problem on the Internet today and, as a provider of Internet infrastructure services, we constantly consider what role we should play in combatting this issue. We actively investigate and respond to reports of abuse, but like other registrars and registries, we’ve been alone in developing our approach—until now.

    Abuse has been a growing topic of conversation in our industry. Today, several major registrars and registries released a DNS Abuse Framework defining what types of abuse to the domain name system (DNS) we are the appropriate parties to take action on. It’s our hope that this commitment by DNS providers to address abuse on our platforms will help establish industry-wide standards that both protect free speech and ensure that the Internet remains free and open while keeping malicious online activity in check. 

    What is DNS Abuse? On the surface that should be easy to answer: it’s abusive use of the domain name system. But as you get into the details, there are often more questions than answers. Who decides what is abusive? Who should respond when it happens? As a domain name registrar, our obligations are spelled out in the Registrar Accreditation Agreement (RAA), but although we must “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse,” (RAA 3.18.1) the RAA doesn’t provide a specific definition either of abuse or of what steps are reasonable.

    For some registries, Specification 11 of their respective Registry Agreements provides more assistance, referring to specific types of behavior as security threats: pharming, phishing, malware, and botnets. Until now, however, there has not been a consistent, common understanding of how to define abuse, meaning we haven’t been able to come to an agreement on who should respond when it happens.

    This new DNS Abuse Framework proposes a shared definition of DNS abuse, relying on the Internet & Jurisdiction Policy Network’s definitions of the four behaviors listed in the Registry Agreement plus spam (but only when spam email is used as a delivery mechanism for another type of abuse, such as malware). This Framework also considers additional types of abuse that DNS providers should respond to—even if we are not required to do so under our respective contracts. Reaching a common agreement about what constitutes DNS abuse is a crucial component of any industry-wide efforts to mitigate that abuse. 

    We encourage all Enom resellers to read through the Framework and become familiar with these types of abuse. To help, here’s a summary.

    Malware is software that is installed on a device, such as a computer or smartphone, without the owner’s consent and for malicious purposes (that’s where the “mal” comes from). This includes things like viruses or spyware.

    Botnets are networks of malware-infected computers, controlled remotely.

    Phishing is the term for a fraudulent or copycat email that tricks users into thinking it’s legitimate in order to obtain personal data or financial information such as credit card numbers.

    Pharming is the use of DNS redirection to bring Internet users to a different website than the one they intended to visit, in order to obtain personal data or financial information or install malware.

    Spam is unsolicited email; it is included in our definition of DNS abuse when it’s used as part of the delivery method for these other types of abuse, such as malware or phishing.

    As one of the collaborators of and signatories to this Framework, the Tucows family of registrars is committed to taking action when our services are used for these malicious purposes. As a community of stakeholders all seeking to provide safe and reliable Internet services, we’ve come together to find the most effective and appropriate means to mitigate these significant concerns. Since rules vary from jurisdiction to jurisdiction and there is no single global standard, we hope that this Framework helps to provide one. Having a consistent, industry-wide approach will help make responding to abuse faster and more successful, and this Framework can help those who encounter abuse online to know where to best direct their concerns so they’ll be addressed promptly.

    Read More

  • Meet the New .ORG

    October 10, 2019

    Uncategorized

     Like

    Views: 1436

    .ORG has a new look! It’s the same trusted domain you know and love, but with a new, bold visual identity. We sat down with PIR, the registry behind the .ORG TLD, to learn a little more about their rebrand and how they’re gearing up to make .ORG even more impactful.

    There are quite a few elements that define a brand, and a great deal of thought was put into developing a new identity that visually, verbally, and emotionally speaks to who .ORG is and how PIR wants to connect to the .ORG community and the world. You can see it in their new logo and refreshed website — both feature exciting and energetic colors, bright imagery, and design elements that reflect .ORG’s impact worldwide, with more than 10 million domains under management.

    But a new look is only the tip of the iceberg; the “new .ORG” refers to more than a logo or color palette. It’s been a banner year for .ORG in more ways than one.

    A New Leader

    In December of 2018, .ORG welcomed a new leader — Jonathon Nevett — as President and Chief Executive Officer. Jon has brought decades of domain expertise and an impressive track record of industry leadership that has been (and continues to be) instrumental to the ongoing growth of .ORG. As Jon himself says, “I’m honored to be at the helm of such an impactful organization and want to do everything I can during my tenure to enhance the .ORG domain.”

    A Focus on Quality

    .ORG has always been one of the world’s most trusted domains, and one of the areas of focus for .ORG in 2019 (and beyond) is in upholding its reputation for being safe, secure, and trustworthy. Programs such as the recently implemented Quality Performance Index (QPI) initiative are designed to improve the quality of the .ORG name space by encouraging registrars and resellers to help ensure that the .ORG domain remains the best place for mission-based organizations to bring their ideas to life.

    Highlighting .ORGs In Action

    While .ORG has been used by some of the world’s most impactful non-profit organizations, the domain truly is for anyone who wants to do great things online. This year, .ORG will begin to shine a light on the forward-looking businesses, professional associations, civic groups, nonprofits, clubs and families who are all making their inspirations a reality using .ORG. The .ORG Story Program has launched with five unique stories of .ORGs who are making a difference in their communities and the world — and the story collection will continue to grow over the coming months.

    In addition to sharing these incredible stories, .ORG will also be hosting its first annual .ORG Impact Awards (OIAs) on the evening of October 10th in Washington, DC.  The .ORG Impact Awards program provides recognition to .ORGs that are connecting communities, making a difference in the world, and leveraging the internet for transformative change. This first annual program celebrates .ORG domain name users of all kinds and causes for their accomplishments in community mobilization, marketing and outreach, and mission achievement.

    Another major focus area for .ORG starting this year is providing educational opportunities that will empower .ORG community members to successfully leverage the Internet to achieve their myriad of missions and goals. The inaugural .ORG Community Forum, held on the morning of October 10th in Washington DC, brings together the .ORG community to collaboratively explore common areas of interest and find ways to navigate through critical challenges facing .ORGs today.

    Some Things Never Change

    While there sure is quite a bit that’s new with .ORG, some things always stay the same. For more than 30 years, .ORG has established a long-standing reputation as a best-in-class domain, particularly when it comes to domain security, trust, and reliability. And you can be certain that .ORG will continue to build on this impressive legacy – and remain the best place for anyone to build a trusted online identity.

     

    Read More

  • The Importance of Authentication in SSL

    July 23, 2019

    Advice, SSL

     Like

    Views: 2011

    Update: Our latest Digicert Webinar covers the importance of authentication in SSL, and how it’s a key factor in properly marketing and selling certificates:

    Browsers have evolved to offer a better user experience and greater attention to security. Perhaps most importantly, they now display a security warning to users when they land on a website that lacks encryption:

    This is a step forward to a safer Internet, but encryption is only part of the security equation. 

    Without a means to verify the owner of that website, the user can’t be sure who they are sending their information to. 

    When SSL certificates were first introduced, they served both these critical purposes:  

    1.  Encrypting the data in transit

    2.  Authenticating the website to which the data is being sent

    They were issued by a small handful of Certificate Authorities (CAs), accredited and compliant third parties able to provide both encryption and authentication of your website. 

    But as the Internet grew, so did the number of CAs in the market, and the variety of SSL options. And what was the main differentiating factor among these certificates? The level of authentication they provided.

    Today, SSL products range from free “encryption-only” certificates, which can be registered in a matter of minutes, to Extended Validation (EV) SSL certificates, which, as their name suggests, involve a thorough validation (authentication) process as part of their registration. 

    When choosing an SSL certificate for your site, or helping a customer select one for theirs, your main question should be: what level of authentication do I need? After reading this blog, the answer will be clear.

     

    Minimal Authentication: Domain-Validation (DV) Certificates 

    DV certificates are often described as “encryption-only” because they don’t provide confirmation of who the website owner really is. To register a DV certificate, the website owner simply needs to prove ownership of the domain name(s) they are trying to secure. 

    Think of a DV certificate like a library card: they are easy to obtain and aren’t considered a credible form of identification. 

     

     

    When to use a DV certificate

    These certificates are sufficient if you’re securing a page just to maintain browser compliance (and avoid those warnings), or if you’re hosting a site that purely provides information and you want it done securely.

     

    Basic Authentication: Organization-Validation (OV) Certificates

    Before issuing an Organization-validated certificate, the Certificate Authority vets the organization and individual applying for the certificate. If a website visitor chooses to view the OV certificate, they’ll find this verified company information included in the details. 

    You can think of an OV certificate like a driver’s license: obtaining one involves a bit more hoop-jumping, but they are better trusted as a form of identification. 

     

     

     When to use an OV certificate

    If you collect any basic personal information from your users, for example, login credentials, they’ll likely want to know who they are sending this information to. An OV certificate from a reputable CA may provide sufficient authentication and assurance in these cases. 

    However, Extended Validation certificates (see below) are often a better fit for e-commerce pages or business-critical sites where consumer trust is particularly important.

     

    Advanced Authentication: Extended-Validation Certificates

    Extended-validation (EV) certificates involve the most rigorous authentication process and, consequently, provide the highest level of assurance to website visitors. 

    What’s more, as mentioned above, they do this in a very obvious way: a green address bar that includes the name of the company. Finally, the CA Browser Forum, the SSL industry’s governing body, sets specific guidelines to govern the registration and authentication process for EV certificates. 

    These factors combine to make EV certificates the gold standard, and the assurance they provide becomes ever more essential as the average Internet user becomes savvier and security standards rise. 

    Continuing with our analogy, EV certificates can be thought of as passports: they are internationally recognized as the most trusted way to verify a website owner’s identity.

     

     

    When to use an EV Certificate  

    We recommend using an EV if you’re looking to establish a high level of consumer trust or collecting sensitive information, which could range from login credentials to national identifiers, to credit card information. While not all browsers treat EV certificates the same way, for users, the additional visual cues can inspire trust and confidence to proceed with the transaction or activity.

     

    Looking to better market your SSL lineup?

    Our partners at DigiCert have some great resources to help you educate your customers and help them find the right fit.  Through your partnership with us, you have access to an array of brands and certificate types to help make sure you properly meet the needs of your specific customer for their specific project. You can view our SSL offering here.

     

    This post was sponsored by DigiCert, an Enom partner, and leading Certificate Authority.

     

     

    Read More

« Previous 1 2 3 … 19 Next »

FEATURED POSTS

  • Tucows Celebrates 20 Years in the Domain Industry

    January 22, 2020

  • Our Ongoing Commitment to Combatting DNS Abuse

    October 18, 2019

  • We’ve refreshed our Webmail

    June 19, 2019

  • Colleagues review ICANN's temporary specification requirements.

    What Domain Resellers Should Know About ICANN’s Temporary Specification

    September 18, 2018

CATEGORIES

  • Advice
  • Announcement
  • Developers
  • DNS
  • Featured
  • Fun
  • GDPR
  • Industry Insight
  • New TLDs
  • News
  • Premium Domains
  • Promotion
  • Resellers
  • Roadmap
  • SSL
  • Uncategorized
  • WTB

ARCHIVES

  • March 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • September 2018
  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • January 2016
  • December 2015
  • November 2013
Support
Report Abuse
Help Center
Contact Us

 Resources
WHOIS Lookup
Maintenance Alerts
Developers
Products & Services
Domain Name Search
Premium Domains
Web Hosting
SSL Certificates
Website Builder
Basic Email
Bulk Tools

© 2020 Enom Blog |