Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
The Internet Your Rights Online

New Rules Make Domain Hijacking Easier 399

Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
This discussion has been archived. No new comments can be posted.

New Rules Make Domain Hijacking Easier

Comments Filter:
  • by Anonymous Coward on Wednesday November 10, 2004 @01:09AM (#10774222)
    As they point out in the article, GoDaddy (and others) have a domain locking feature that will still prevent these transfers.
    • by DeepFried ( 644194 ) * on Wednesday November 10, 2004 @01:18AM (#10774283) Homepage
      I switched to GoDaddy for this exact reason. They also happen to have great 24/7 phone support unlike my previous very, very,crappy registrar. [namesecure.com]
    • Speaking of which, what kinds of experiences do people on slashdot have with domain registrars? Are there any that won't screw you over, on this and other issues?
      • by Anthony Boyd ( 242971 ) on Wednesday November 10, 2004 @02:28AM (#10774543) Homepage
        Speaking of which, what kinds of experiences do people on slashdot have with domain registrars?

        Reading though this thread, I already am impressed with Joker, as they auto-locked everyone's domains, it appears. Very nice of them. I've used Verisign/Network Solutions, GoDaddy, Dotster, and one other I forget.

        Network Solutions is terrible. I admit, they do have customer support, and when I call, I rarely wait more than a minute to talk to someone. That's good. But they drag their feet on anything that will cost them money or lose them money (such as trying to transfer AWAY from them). Because of their long, long agreement (that took days for me to read through properly) and because they took soooo long to automate even the simplest of changes, I just transferred my last domain away from them 2 nights ago. What a mess -- the site was down, so I called and they couldn't do a thing, so I waited for it to come back up and then unlocked the domain myself, but even though it showed unlocked, they kept rejecting my attempts to move the domain! Eventually after more calls and waiting, it finally went through. Ugh.

        Dotster was fine, but I moved away from them about 2 years ago. I don't remember the major reason, but it may have been that GoDaddy was just cheaper then.

        GoDaddy is similar to Dotster, but with TONS of ads. I mean, so many that it will drive you insane. However, I found the trick: I've listed all my sites privately, so my email and address never appears in a listing. Also, I have no problem saying "no thanks" to all the ads that appear when I order something. And finally, I found all the knobs and switches that disable all the marketing emails, spammy offers, and other lameness that they try to email you. After doing all this, I'm fairly happy. I never get email unless it's something official, I have low rates, and everything seems to be automated. But this solution is not for people with a low tolerance for configuring and tweaking the ads off.

        For the company that I cannot remember, all I can say is: stay away from small registrars, especially ones that come with a Web hosting package. I bought a hosting package, needed a domain name, and used their little built-in registrar. What a mess. No features, and the registrar was tightly coupled with the hosting, so moving away was miserable. Stick to the known names you'll see mentioned a lot here.

        • I agree about the tons of ads in GoDaddy, but it's bad only while you're checking out stuff (so unless you buy domains on a daily basis you should be fine). Never got any spam from them either, their service (including helping out with a borked transfer from Netsol) has been excellent, and their automated interface is very good, unlike (say) Register.com which charges a bundle but has one of the lousiest web faces I know.
        • by captnitro ( 160231 ) on Wednesday November 10, 2004 @08:31AM (#10775648)
          I have strong recommendations for Joker [joker.com]. I know a lot of this comes standard with a lot of places, but lemme list the talking points: Cheap ($~12), good support, free nameservers, easy administration interface, and if you use their nameservers they'll let you use their MX forwarding, and if you do, you can use their spam filters. I have a lot of clients who have never heard of a DNS entry much less the process for domain administration, and none of them has ever had issue with using their site to create and use an account.

          I suppose my one catch is, they seem to be somewhat Euro-centric (this, of course coming from my US-centric mind), so some of my new users are confused by if they need to pay VAT, or why some of the transfer processes are bound by German (I think) telecom laws designed to protect the consumer (e.g., for one action on a domain, you used to be required to sign a form and fax it to them). It works out well, though, since they protect the user from any sort of fudgery as mentioned above.. like five day steals.
      • I've been using Directnic.com for a while now (couple of years) and never had any trouble. I even use their directdns service for one of my domains.

        I don't think they have domain locking, tho.
    • My instant reaction to this without even reading the article was to jump straight to Read More with the intention of hitting the Reply button to mention GoDaddy. I received an email from them yesterday explaining the ICANN change and the locking feature (which costs nothing extra), and I immediately locked my domains.

      By the way, I'm only defending them as a registrar, not as a hosting service. Somebody below claims their hosting sux. I have no idea. But you don't have to use their hosting to use them as a
    • Go Daddy makes it hard for you to transfer the domain between members of the same family. I know someone who had a domain that her father bought for her and after a year he said she had to take over the payments. She tried to get them to start billing her for it instead of her father and they refused. So I can see that you are safe with your domain not being transfered since they won't transfer it under any circumstances.
    • Quick check with my registrar, and top news story:

      Today, November 10th 2004, Joker.com introduces the domain lock feature as announced.
      All domains will be protected through "domain lock" per default. Unlocking (and also locking, of course) can be performed in the 'service zone' as needed.

      The intention for this is to improve security and simplicity for our customers.

      Your team from Joker.com


      Thank you!!!
  • Hmmm... (Score:5, Funny)

    by Anonymous Coward on Wednesday November 10, 2004 @01:10AM (#10774231)
    *waits for the slashdot editors to take a week's vacation*
  • simple solution (Score:4, Insightful)

    by rubee ( 826908 ) on Wednesday November 10, 2004 @01:10AM (#10774232)
    someone give me a sample of the email notice and I'll whip up 4 lines of perl to take care of that.
    • by Anonymous Coward on Wednesday November 10, 2004 @01:17AM (#10774276)
      cronjob
      every Tues and Fri
      echo "I refuse permission to transfer domainname.com "> /usr/sbin/sendmail myregrisbator.com

      if a few million domain names did likewise...
      • by Anonymous Coward on Wednesday November 10, 2004 @01:52AM (#10774429)
        Yeah!

        Lets all overwrite our sendmail daemons with one line of text. That'll show em!
        • Re:simple solution (Score:3, Informative)

          by mav[LAG] ( 31387 )
          I've done it when installing qmail under the gun at a very large company. Instead of (not exact syntax - too lazy to look it up):

          echo "This is a test mail" | /usr/bin/qmail-inject

          I did:

          echo "This is a test mail" > /usr/bin/qmail-inject

          whereupon I confidently proclaimed that all was done and so left for a well-earned long weekend. The following Monday morning was not enjoyable. At least the incident taught me several very sharp lessons which I haven't forgotten...
      • Re:simple solution (Score:4, Insightful)

        by Errtu76 ( 776778 ) on Wednesday November 10, 2004 @02:34AM (#10774556) Journal
        Then a few million people will suddenly need to reinstall sendmail. If you try to quote some geeky commandline, make sure you get it right.
    • by Spy der Mann ( 805235 ) <spydermann DOT slashdot AT gmail DOT com> on Wednesday November 10, 2004 @01:29AM (#10774339) Homepage Journal
      1. Use a DDOS on the ICANN's website so they can't respond for 5 days.
      2. Ask to buy their domain
      3. Wait 'till they can't answer....
      4. You're done! :D
  • Lock it to block it! (Score:4, Informative)

    by LostCluster ( 625375 ) * on Wednesday November 10, 2004 @01:10AM (#10774233)
    Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!

    This advice is a bit extreme... you can rest easy so long as you turn on domain locking at your registrar. That'll default all requests for transfer to a fail until it's removed... so all you need to do is keep your password to your domain registrar accout from falling into enemy hands.

    Maybe this is a good time to educate the casual website operator about the domain locking feature, and what it's useful for. The new system's assumption is if your domain is unlocked, you're sending out a signal that you're intending for a transfer to happen soon. Maybe the rules should have locking as a default-on thing, but they don't so it's buyer beware for now.
    • by WilliamX ( 22300 ) on Wednesday November 10, 2004 @01:22AM (#10774307)
      You can also rest easy since the registrar originating the transfer is required to validate the request with the current registrant, using the information in whois, and get an affirmative resposne from them before even initiating the transfer. All this new policy does it set out the reasons why a losing registrar can deny an outgoing transfer. In domain transfers, since the registry/registrar split happened, the gaining registrar has ALWAYS been responsible for validating the transfer request with the proper registrant, and not assume that the data given in a transfer order is corrent. The article is not thorough or complete in explaing what is really happening here.
      • by 1u3hr ( 530656 ) on Wednesday November 10, 2004 @03:09AM (#10774638)
        Just to restate this in even simpler terms:

        The Fucking Article (and even more so the editorial comments here) is WRONG.

        The linked Icann paper's first line is "Registered Name Holders must be able to transfer their domain name registrations between Registrars". NOTHING TO DO with transferring ownership of domains; but of the registrars. Could be nasty, and even a first step to having the domain hijacked, but the ownership of the domain is unaffected.
  • People with small domains should beware?

    Size isn't everything, you know...
  • by account_deleted ( 4530225 ) on Wednesday November 10, 2004 @01:12AM (#10774244)
    Comment removed based on user account deletion
    • Haha. (Score:2, Funny)

      by Anonymous Coward
      Can you imagine waking up one day and finding Slashdot full of articles praising Bush and promoting school prayer?
    • by Beolach ( 518512 )
      I was thinking more Passport.com [slashdot.org] and Hotmail.co.uk [slashdot.org]
      • Re:w00t w00t (Score:2, Informative)

        by feargal ( 99776 )
        While acknowleding that this is a joke, I will point out that this doesn't affect .uk domains at all, or any other ccTLD for that matter.
    • It would require all the operators take a 5 day COMPURTERLESS vacation!
      You know this is slashdot and chance of that happening is ZERO.
      [for mathematicians, it is zero, not a near zero but a real zero.]
  • by Sophrosyne ( 630428 ) on Wednesday November 10, 2004 @01:13AM (#10774251) Homepage
    The upside is this will all end after the first lawsuit against ICANN.
    Which should be in about 7 days.
  • You never know who could go down...someone could steal their name!

    Cache [66.102.7.104]

  • I realize that the primary use of tracking graphics is for spam, but wouldn't something like that be useful here?

    If someone is unable to read the email in a way that loads the tracking image, then the server can just assume that the email was never received. Once the image has been downloaded, the request countdown can begin at T-minus 5 days.

    This wouldn't even affect pico mail users because the image wouldn't load in the first place, thus the countdown would never begin. If they receive the email, they
  • If send ICANN a letter and a dollar saying im buying their corporation , and they dont tell me no before friday, im rich?

    Whuhu. New busisness model.
    1. Send letter
    2. Wait 4 days.
    3. Suck the profits out before next guy sends letter....
  • Nothing has changed (Score:5, Informative)

    by WilliamX ( 22300 ) on Wednesday November 10, 2004 @01:17AM (#10774279)
    Nothing has changed really. This has ALWAYS been the way the system ran, only some registrars choose to ignore it, and setup abusive transfer blocking mechanisms, and called them "Safety" measures for their customers instead of the lock-in attempts they really were. The problem with the old way was that some unscrupulous registrars (NetSol for instance)made it harder to get your domains away from them, forcing you to jump through hoops, and making them harder and harder to accomplish, and then deny them for wrong reasons. The new policy only sets out EXPLICIT rules about what are allowed reasons for a domain transfer to be rejected by the current registrar, and a process by which disputes over transfers will be handled. Other than that, nothing has changed really at all, and any news articles saying otherwise are less than properly informed, and listening to alarmist rhetoric instead of understanding how the system worked until now, and how it will work in the future. As a previous poster pointed out, the best thing to do is to lock your domains with your current registrar, just make sure that they provide an easy means to unlock them when you need to make changes, or when you really do want to go to a new registrar.
    • by Animats ( 122034 ) on Wednesday November 10, 2004 @01:58AM (#10774450) Homepage
      That's exactly right. This action was taken by ICANN because some registrars (notably Verisign/Network Solutions) were very uncooperative about transfers of domains out from their registry.

      Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.

      • Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.

        While you may be correct about the rules, registrars don't really have a way to tell if the request for transfer is actually coming from the owner, of if it is a transfer to a new owner, except by emailing the current owner -- in other words, practically, these rules apply to ownership chan

  • or microsoft.com, or cnn.com, or aol.com.

    I swear to god, as soon as some huge website run by billionaires gets its domain transferred out from under them, heads will roll and this assinine "rule" will get changed.

    Or perhaps someone at icann.org is asleep at the switch themselves? (hint hint)

    Of course, I just doublechecked that warrenernst.com has the correct contact info. ;-)

  • by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Wednesday November 10, 2004 @01:19AM (#10774290) Homepage
    Joker.com [joker.com] is my registrar and they emailed me 3 days ago about the changes, and declared all domains under their service were auto-locked by default!

    I had no idea about the regulations until they emailed me first. First they helped me transfer my domain away from a bad registrar, now they help me through new regulations without me lifting a finger.

    Buyer beware of other services, but that's why you sign up with a reliable service with good references! :) Now if only I could get this kind of service from my credit card.
  • I'm not bothered by this. I never had any faith in ICANN in the first place. They seem to be good for nothing except taking expensive vacations.

    More importantly than the crap ICANN spews is your choice of a registrar. At least once a month, I end up in a wrestling match over a client-domain that is being held hostage by a fly-by-night, cheapie registrar. The latest happened about two weeks ago where this dumbass registrar decided to deactivate domains a month before they were set to expire if they were
  • Like it or not, the big fish MS forgot to do this and had their domain handed back to them in a nice manner by some dude who was clearly too harmonious with nature.

    Hey, I think people should know when their domains are expiring; maybe somebody could make a cute 'whois' plugin for firefox that tells you when the tab's->URL's->domain expires. I can imagine some marketers monitor expiration dates, and register them the moment they expire ... for no other reason than some random name script generates the
  • SPAM? (Score:5, Interesting)

    by EEBaum ( 520514 ) on Wednesday November 10, 2004 @01:30AM (#10774342) Homepage
    Subject: From the Honorable Janissary Robert M. Jacobson

    Hello sirs,

    Writing this letter comes at a times of great anguishes to my community. We have obtained funds in the amount of US$3,000,000 from the Nigerian government, after the passing of Prince Montebu Wilson, to whom we are the singlest heirs. However, due to political difficulties we are unable to secure the actual cash moneys ourselves. We require your assistance, for which we would thankfully provide a commission of $500,000 for your troubles. In order for this transaction to be completed, we hereby requests that your domain, www.coolinternetstuffthatisgreatandfun.com, be transferred to us immediately. Lack of action will be assumed as an affirmative response after five days.

    Do YOU ever read more than a few words into those?
  • Makes a change (Score:5, Insightful)

    by nihilogos ( 87025 ) on Wednesday November 10, 2004 @01:36AM (#10774362)
    From the usual shitfights I've gone through trying to get a domain transferred even though I own it.

    Network solutions has an outdated email address listed for the admin and technical contact, and in order for you to change it the require faxed copies of a passport, credit card, finger prints, a 500ml sample of your blood and any children or pets you might have as hostages.

    2 years and several attempts later and, although they occassionally manage to transfer the domain OK, the email address is still fricken wrong. These new ICANN rules could make my life much easier next time we change ISPs.
  • Possible motivation (Score:3, Interesting)

    by daveschroeder ( 516195 ) * on Wednesday November 10, 2004 @01:37AM (#10774365)
    Might it be that ICANN is trying to force people to keep their WHOIS information current (or at the very least have a correct contact email address)?
  • I'm more concerned with them requiring accurate contact info.

    I used to have my real name, address and phone number in my whois info. I used to get tons of junk mail, and I even had people PHONE me to ask if I'm selling my domain, and then say they don't actually want ot buy it. One time a guy called when I wasn't home, and got my ex. She wouldn't tell him where I was (duh). When he called later and got me he told me that my secretary was very rude.

    I do have a real Email address in the contact, and frankly
  • by Savet Hegar ( 791567 ) on Wednesday November 10, 2004 @01:47AM (#10774410)
    I had a situation a while back with a hosting company. A client I maintain a website for decided to host their website through 1dollarhosting.com

    The sign-up form very cleverly asks you for the information to transfer your domain name TO them.

    When trying to renew the domain name, I was told by their employees that it is against their policy to release domain names. They let people transfer them in, but they will not release them to other registrars.

    After digging a little deeper, they are a partner of Register.com. It took hours (literally) to get someone with enough authority on the phone (at register.com) to release the lock that they had on the account so a transfer would work.

    Thankfully, the domain name was finally transferred and the guy at Register.com agreed that what they were doing was unethical....though that didn't stop them from making it a complete PITA.
  • No one has made jokes about a little Diddy [google.com] yet? I'm disappointed!
  • It would seem that this time, Netcraft really did confirm it.

    Bravo.

  • Re: (Score:2, Redundant)

    Comment removed based on user account deletion
  • First off, anyone who has a clue (and granted that's definitely not everyone) has their domains set to "Registrar-lock" already - this means when a transfer request is made it is automatically denied by the registrar right away. This stops all sortsa fun and games, in the past mainly to stop assholes like DROA (Domain Registry of America) and Register.com from "slamming" my (and other's) customers. See these assholes send REALLY OFFICIAL looking "renewal notices" to domains expiring soon by postal mail, w
  • by xoboots ( 683791 ) on Wednesday November 10, 2004 @02:28AM (#10774541) Journal
    Damn, probably 90% of the posts in here need to be modded to -1. These rules relate to the transfer of a domain by the domain owner of that domain from one registrar to another. It is not about claiming (or hijacking) someone else's domain as the headline improperly entices you to think.

    This is a good thing people! It helps to ensure that domain owners can transfer their registrations when they so wish. In fact, the domain owner has to first request the transfer before it even gets this far.

    Sheesh.
    • It is not about claiming (or hijacking) someone else's domain as the headline improperly entices you to think.
      Didn't R which FA? The Netcraft article begins
      Domain names could become easier to hijack as a change in domain transfer rules takes effect Friday.
  • by feargal ( 99776 ) on Wednesday November 10, 2004 @02:29AM (#10774545) Homepage
    There are four parties involved in the transfer process:
    • The registrant or domain owner;
    • The losing registrar;
    • The gaining registrar.
    • The central registry - central repository of records.
    Got that?

    Okay, the way a transfer was supposed to work was as follows:
    1. The domain owner submits a transfer request to the gaining registrar
    2. The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
    3. Having received such confirmation, they notify the central registry that the transfer is valid.
    4. The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
    5. If the losing registrar does not object, the transfer is executed.
    (Steps 2 and 4 actually run in parallel, but that's irrelevant.)

    The Problem
    However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.

    One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)

    Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.

    When one tries to cover ones ass too much, one's hands end up covered in shit.

    Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.

    The Solution
    The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them
    It does not require the losing registrar to do so, so this is business as usual for the nice registrars.

    The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.

    What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.

    Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
  • by Ron Bennett ( 14590 ) on Wednesday November 10, 2004 @02:58AM (#10774619) Homepage
    Think transfer security is a problem ... there's a security problem far worse:

    (a post of mine reposted from ICANNWatch http://www.icannwatch.org/ [icannwatch.org] - slashdot.org rejected it, but I'm used to that LOL!)

    -----

    Bogus "Whois Problem Reports" are increasingly going from being an annoyance to being a real security risk. Some recent incidents I've experienced due to Whois Problem Reports *merely* being filed:

    * Dotster, about two weeks ago, threatened to delete a domain if I didn't respond.

    * BulkRegister, just yesterday, threatened to suspend a domain if I didn't respond within 5 calendar days.

    What good are Whois Problem Reports when anyone can file one and there is virtually no screening performed to ensure such reports have any validitity to them; reports filed on some of my domains claimed everything was wrong, including the expiration date - what!? Talk about pure nonsense!

    As of now, if one wants to cause a registrant problems, all they need to do is file bogus reports at the Internic link below (it's so easy, it's frightening!) - heck, if someone really wanted to be deviant, they could spread a virus that sends bogus Whois Problem Reports from hijacked computers...

    http://wdprs.internic.net/ [internic.net]

    In addition, some registrars, such as GoDaddy, charge a fee to the registrant for *merely* reviewing a Whois Problem Report for a particular domain, regardless of whether the report is valid - see links below for more details:

    http://www.dnforum.com/showthread.php?t=67862 [dnforum.com]

    http://www.webhostingtalk.com/showthread.php?s=&th readid=328696&perpage=15&pagenumber=1 [webhostingtalk.com]

    There is much talk about the transfer policy changes and security, yet bogus Whois Problem Reports is a security risk many times worse.

    Some ICANN policy changes are needed pronto regarding Whois Problem Reports...

    1. Requiring more than just a name and email for people making complaints - they should have to provide a postal address that's verifyable and/or some other information.

    2. Screening of such reports - permit registrars, if they're not already, to toss out Whois Problem Reports that they feel are invalid without involving the registrant; stop wasting their time over this nonsense.

    3. A standard on how registrars handle Whois Problem Reports

    * including a reasonable time for the registrant to respond, such as 30 calendar days, before any action is taken ... as of now, some registrars do little while others suspend domains within only a few days - so if one goes away on holiday, they could very likely come back and find their domains suspended/deleted.

    Something needs to be done before bogus Whois Problem Reports get any further out of hand ...

    Ron Bennett
  • cool... (Score:2, Funny)

    by torqed ( 165298 )
    now I'll be able to get that domain I've been waiting for!
  • now i can get my spam-domain!
    since most of their whois information is fake, spammers won't receive (e-)mail.
    all their domain are belong to me.
    after one week i change the ip-number attached to the domain to 127.0.0.1 and they're owned :)
  • by _Hellfire_ ( 170113 ) on Wednesday November 10, 2004 @03:43AM (#10774747)
    Everyone RTFA. This is not domain hijacking. This is a rule that allows a registrar to transfer your domain to another registrar. So you don't have to worry about someone "stealing" control of your domain or replacing your website or engage in fantasies about gaining control of microsoft.com cause that's not gonna happen. Microsoft will still control the domain, but if the rule is invoked, it may be at a different registrar.

    Stupid rule if you ask me. All this does is put more pressure on Registrars to respond to frivolous requests by other (unethical) registrars phishing for business.
  • As a little guy(TM), how I can give my feedback to ICANN?

    ICANN seems like a big machine, run by... who knows? Who decides on these rules? Didn't they learn anything from the sex.com case? (perhaps that is too long ago and they have forgotten already) If they expect a big spike in appeals (as mentioned in the article), shouldn't that be indication enough that this rule change be reconsidered?
  • This is transfers between registrars not between domain ownership.

    It does help you actually if you need to move domains along swiftly.

    Also many of these still use an antiquainted technology called facsimile because for some reason, this is a highly secure method of doing business, oh, and a rubber stamp helps.

    If someone hijacks a domain, then it will stil be fraudulent, remember no security thorugh facsimile, I mean, obscurity.
  • by RAMMS+EIN ( 578166 ) on Wednesday November 10, 2004 @03:57AM (#10774785) Homepage Journal
    Policy on Transfer of Registrations between Registrars [icann.org], I don't find the part that states that the transfer is approved if the domain owner (i.e. the administrative contact) does not respond in time.

    I do find language that states the transfer will be approved if the Registrar of Record does not respond within 5 days. This, however, is a Good Thing, as it makes it harder for the losing registrar to prevent you from transfering your domain. Of course, they can still just deny your request and hope they get away with it.

    The way I see it, this gives domain owners (a little) more control over their domains. I don't see what's wrong with that. I never understood why transfers need to be approved by the losing registrar anyway - why would they ever approve losing a customer?
    • Because it's not easy to determine if the new registrar has any rights to request the transfer in the first place. For instance, the new registrar might not actually represent the person who bought the domain, or the current registrar might have a contract with the owner that restricts the owners actions (for instance denying transfers until accounts have been settled in full), or there might be a court order in place restricting what can be done by the domain etc. Letting registrars unilaterally transfer d
  • It has been exploitet too just two months ago, when ebay.de was hijacked by a 19yo kid.

    It seems that Tucows (the domain registrar) messed up by not responding to DENIC's inquiry.

    http://www.heise.de/newsticker/meldung/50661 [heise.de]
  • by elronxenu ( 117773 ) on Wednesday November 10, 2004 @04:53AM (#10774920) Homepage
    There are two main problems with the new protocol.

    First, the current registrar must approve a transfer of domain without obtaining the registrant's approval. This is contrary to common sense. If the purpose is to stop registrars from unreasonably holding domain names, then the appropriate response is to require the current registrar to approve a transfer request when the registrant has approved it. If the registrant approves, and the current registrar rejects, that's an appropriate cause for complaint.

    After all, isn't it more important to protect existing domains from unscrupulous transfers, than to prevent rogue registrars from accepting legitimate transfers? I may have one legitimate reason to move my domain from one registrar to another but there are a large number of scammers who would gladly capture my domain for fraud or other purposes.

    It's a bit ridiculous that every registrar should be forced to implement a locking function, and every domain holder should be forced to lock every domain, all at once, in order to protect themselves from fraud.

    Secondly, the "unlock" action required prior to a legitimate transfer opens a window of time in which a domain can be stolen - in programming parlance, a race condition. It's a problem with the protocol.

    Just the other day I transferred several domains from Joker to GoDaddy. Joker isn't very easy to deal with, and GoDaddy is cheaper, so I decided to move the Joker ones to GoDaddy.

    When I jumped through the Joker hoops to tell them that I wanted to transfer my domain name, they opened a "transfer window". I was shocked when they said that, during the transfer window, _any_ registrar could grab my domain. Not just GoDaddy. Not just me. Any user of any other registrar could have issued a transfer request for my domain name, through their registrar to Joker, and Joker would have accepted it, if the request arrived before my legitimate request from GoDaddy. Indeed, any user of GoDaddy could have done the same thing, because there's nothing in the request itself to say that it was me who instigated that request.

    What happened to the good old days when a request for a transfer resulted in an email from my registrar to me, asking for my approval. If I approve, the transfer will go through. If I'm not there or indisposed, overseas or not reading my email, then the transfer will not happen.

    • When I jumped through the Joker hoops to tell them that I wanted to transfer my domain name, they opened a "transfer window". I was shocked when they said that, during the transfer window, _any_ registrar could grab my domain.

      I suspect that the people at Joker were trying to intimidate (or FUD) you into staying with them instead of transferring to another registrar. The protocol specifies that the gaining registrar has to get confirmation of the identity of the domain owner making the request before init
  • by atcurtis ( 191512 ) on Wednesday November 10, 2004 @05:16AM (#10774973) Homepage Journal
    Flood Network Solutions with notices that icann.org ownership is being transferred to someone else.

    If there are enough of them, then there got to be at least one which isn't answered within the 5 day timeout.

    And whoever wins, wins control of the Internet! Whoot!

    Get emailing, theres no bigger competition than this!

  • by theonlyholle ( 720311 ) on Wednesday November 10, 2004 @06:03AM (#10775067) Homepage
    For .de domains, this has been the procedure ever since I've been in the domain business. The way that most registrars have implemented it is that they will send an automatic NACK (not acknowledged) to any incoming transfer request that their customer hasn't specifically asked them to authorize. Many registrars then send a notification to their customer after the transfer has been denied, giving them the opportunity to send a LATEACK, which overrides the previous NACK, but this way the rules are reversed again. If the registrar doesn't offer this LATEACK, it's "allow and try again" if you really want the domain to be transferred. What this does achieve is that if a registrar goes out of business silently, you can still get your domains transferred from them because there won't be anybody or anything sending NACKs anymore...

No spitting on the Bus! Thank you, The Mgt.

Working...