A recent post on MarkMonitor’s corporate blog, which was also published on CircleID, dealt with the recent issues affecting several prominent .nz domains.
MarkMonitor, who describe themselves as:
“the global leader in enterprise brand protection.”
are obviously going to have a particular viewpoint when it comes to domains and how they “should” work.
In their post, MarkMonitor highlighted potential weaknesses in how domains are handled by registries and registrars. However, they are primarily interested in domain names that are “garnering significant traffic”.
The problem with this approach is that it could effectively create a multi-tiered system, with some domains being treated differently to others.
Bizarre?
It gets worse:
…..fingers are naturally pointing to Domainz, the registrar of record for these domains, as the party responsible for this lapse in security. While domain name registrars certainly need to ensure the security and stability of their systems, domain name registries must also step up and take responsibility for mitigating risks posed by hackers.
So basically MarkMonitor want the registry to take some level of responsibility for an incident (or potential incident) in a system completely outside their control?
This is supposedly backed up by an incredibly vague assertion:
“Some registries have recognized the risks posed to highly trafficked sites by hackers, disgruntled employees and even erroneous changes, and have implemented a new level of security which prohibits changes to specified domains; unless a manual protocol is first completed by the registrar.”
Which registries? The lack of that fundamental detail renders the assertion worthless. I’m not saying that there may not be registry operators that have implemented extra “safeguards”, but if you want to change some of the fundamental aspects of how registrar / registry relations are managed on a day-to-day basis, i.e. via EPP, then you really should be in a position to provide evidence in support of your claims.
In any case Jay Daley, CEO of the .nz registry, posted a follow-up comment which highlights some of the issues:
“Let’s just work through the implications of that. Yes we registries could introduce a manual process for the registrar to follow on specified domains (presumably specified by the registrar). This manual process is likely to cost around 10 to 20 times the annual cost of the domain, because registry costs are all built around a high degree of automation.
So now we would have a two tier market where the registrants that can afford to pay a lot more get much better protection.
Let’s suppose some of the less well off registrants aren’t happy with that and start to kick up a fuss. They want the same level of protection but without the exorbitant cost. Something the consumer protection regulators are likely to sympathise with strongly. What’s more, these registrants point out that you can have an automated process which achieves the same result at a fraction of the cost. One where the registry emails the registrant directly to ask them to unlock a domain or accept a specific change.
Do registries reply “no, we only work through registrars and so the two tier system is the best we can do”? Or do we fundamentally change the relationships between registry -> registrar -> registrant?
Or perhaps registrars should raise their game by being transparent on their internal controls, publishing their security audits, developing an industry certification scheme and so on, rather than expecting registries to protect them from themselves? And perhaps registries and regulators should begin to insist on some of that?”
I’d have to wonder if the author of the MarkMonitor piece truly understands how the mechanics of all this works…
The same person who penned the .nz article also posted about how domainers were supposedly abusing companies’ IP:
“One of the issues, which isn’t discussed in the report, is one that is of special interest to brand rights holders. Domainers have been taking advantage of rights holders’ brands by registering domains containing variations of famous marks – and then either directly or indirectly displaying pay-per-click links from advertisers”
Considering that most of the domain monetisation companies won’t monetise trademark domains, tarring all domainers with that brush is just scaremongering, plain and simple.
John McCormac says
“fingers are naturally pointing to Domainz, the registrar of record for these domains, as the party responsible for this lapse in security. ”
Strange that. Normally when something like this happens one blames the crackers. But in the bizarro-world of MarkMonitor it is the registry?