Rogue Domain Registrars Pose Challenges

The shadow of rogue Internet service providers (ISPs) and registrars has long loomed over discussions of Web security -- a fact underscored by the recent controversy involving Internet.bs, a domain name registrar accused by researchers of being tied to a third of all rogue online pharmacies selling counterfeit drugs.

The report (PDF), which was the result of an undercover effort by LegitScript, has sparked a new round of discussions about policing the Internet ecosystem and whether the Internet Corporation for Assigned Names and Numbers (ICANN) is doing enough to combat the problem.

"The main problem is the model of self-policing has failed and governments around the world are fed up," says Garth Bruen, president of Internet security research company KnujOn. "We are very close to falling over into a model of heavy-handed and inconsistent government regulations. Even the U.N. is making a big push to take over, and everyone is terrified of that. If the registrars like the self-policing model, then they actually have to self-police."

The situation has been thrust into the spotlight due to LegitScript’s report earlier this week that the company had posed as a rogue online pharmacy network in an effort to test Internet.bs' willingness to work with questionable companies. According to LegitScript, it was able to get Internet.bs to register more than 175 domains despite saying it was selling counterfeit drugs and that its websites had been shut down by regulatory agencies, such as the U.S. Food and Drug Administration.

Internet.bs has denied any wrongdoing and accuses LegitScript of being deceptive in its dealings by registering domains with fake WHOIS data. The registrar also claimed its policies are meant to respect the laws of different jurisdictions.

"In each single email mentioned in the ... report, Internet.bs Corp. is always making it clear that the domain name has to comply with applicable laws," the registrar said in a statement. "The fact that a Canadian pharmacy domain is not subject to FDA regulations is a clear example. On the other hand, while FDA regulations do not apply to Canada, other and as stringent as FDA regulations apply to Canadian pharmacy domains."

In theory, ICANN-accredited registrars like Internet.bs are bound by rules established in their contracts with ICANN that include having accurate WHOIS data for the domains they register. In practice, however, the stipulations on having accurate WHOIS data are "fundamentally unenforceable," Bruen says. This, he argued in a blog post earlier this week, is due to language in the contracts. Since a registrar cannot be held in breach of contract for failing to correct or delete a domain with false WHOIS data, there is no incentive for the registrar to force the registrant to provide accurate information.

"ICANN ultimately has no authority in this critical area, which is the foundation of a trust relationship between consumer-domain owner-registrar and ICANN," he told Dark Reading.

ICANN did not respond back to a request for comment before publication. However, LegitScript president John Horton says his company showed its report to ICANN roughly three weeks ago and that the organization has not indicated what action it would take.

"My understanding is that they are still reviewing things," he says. "However, ICANN unfortunately has a history of turning a blind eye to crime-friendly registrars. The basic rhetorical point I think our report makes is, 'If ICANN won't de-accredit a registrar over this sort of behavior, then it's pretty clear that no matter how clear the registrar's support of cybercrime, ICANN will tolerate it.'"

Internet Identity CTO Rod Rasmussen says that, in general, ICANN compliance can only work with the contracts and sanction regimes they have in their agreements with registrars and registries, and are limited to working with the data and evidence people report to them.

"ICANN compliance also has a wide variety of issues to deal with on a daily basis that aren't really seen publicly, but are important in ensuring that domain registrars and registries are living up to their various responsibilities for handling DNS and domain registration data," he says. "I think there's a mistaken assumption out there that ICANN is well-aware of all the abuse issues happening at various registrars. While there is some level of awareness, there also appears to be a gap in reporting various abuses to ICANN compliance so they can prioritize how they look at various registrars.

"There is also a conservatism in how ICANN approaches 'problem' registrars that in my personal opinion is too conservative. But that's not necessarily coming from the compliance department itself," Rasmussen adds. "The structure of where compliance lives within ICANN is certainly something that may need looking at to ensure it can perform its functions adequately. ICANN is both a corporation and a community, and it's a very difficult political environment to get some things done at times, as there are varied interests pulling and pushing back at each other."

In the aftermath of LegitScript’s report, the National Association of Boards of Pharmacy (NABP), which represents pharmacy regulators in a countries including the U.S. and Canada, called on ICANN to "take action" against Internet.bs. The Spamhaus Project weighed in as well, with Vincent Hanna contending in a statement that many registrars need to "step up their game in dealing with abuse issues."

Meanwhile, Internet Identity's Rasmussen says ICANN compliance faces many challenges. "But without the community continuously reporting, even if it seems to be falling on deaf ears at times, the problems will not be addressed," Rasmussen said.

"You may have noticed that ICANN recently used new sanctioning powers that were provided to it in the most recently signed RAA to suspend Alantron. While this was for failing to provide access to WHOIS data on a systemic basis, and long overdue, it nonetheless happened ... I also wouldn't be surprised to see them looking a lot harder at Internet.bs or other problematic registrars going forward when they get a slew of reports about abusive behavior that appears to be perpetuated or ignored by them."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.