
Where the hell is my website?

Part I: The nightmare and the US system


Feature "My primary domain name has disappeared from the face of the earth without warning or any reminder whatsoever earlier this morning," - Register reader's email to us, December 2002.

"You are offering for sale my domains, which are not yours to sell," - a reader's email to Network Solutions, cc'ed to us, December 2002.

Non-profit organisation ICANN was created by the US government in 1998 with the sole purpose of turning the government-run Internet system into a global commercial entity. Yet five years later, we are still receiving emails like the two above. Domains and websites go AWOL, businesses see their entire email systems vanish overnight, voluntary organisations are helpless to remove pornography from their homepage. Why?

Those involved - and implicated - in such situations argue that the sudden loss of someone's domain is a rare occurrence, an inevitable but unfortunate result of the hundreds of thousands of domains bought, sold and transferred every day.

Perhaps it is. But that does not explain why the companies which make millions, billions every year from dealing in domains are continuing to drag their feet over simple changes to the system that would offer their customers a decent level of security. The truth is they have no real reason to make any changes.

In fact, by maintaining a system in its current flawed status, many stand to gain financially by offering premium services which paper over the cracks. And they need not worry about being sued by anyone who falls into those cracks, because the courts have decided they are not legally responsible for any errors, even when they admit they have caused them.

What, why, when, who, how?

Of course, the ICANN-run system, which covers the domains ending .com, .net, .org, .biz, .info among others, isn't the only organisation which sells spaces on the Internet. There are also individual countries that run and own their own domains, called country-code domains.

Different philosophies over how the Internet should be run have led to wildly different systems around the world. But we have chosen to compare two different arrangements set up by two similar markets, namely the market for .com addresses (run by ICANN) and the market for .co.uk addresses (run by UK company Nominet).

Both domains are open to anyone worldwide, are high-profile and are for entirely commercial means. And, as we shall see, both have their faults, both their advantages and both need to enforce new codes of conduct to redress the balance between competition in the market and the rights of the consumer buying the end product.

The .com system

The evolution of the non-profit organisation ICANN has gone horribly wrong and the system for purchasing domain names reflects this in all its complexity. Set up to provide the technical foundation for a commercial Internet, ICANN has unfortunately become a self-serving and secretive body which consistently puts corporate interests before a stable and egalitarian Internet.

Until June 1999, there was only one company which sold domain names - Network Solutions - and it also ran and maintained the definitive directory of all websites on the Internet. ICANN was charged with opening this up to competition, which it duly did. At first, five selected companies tested a piece of software for sharing domain name data, called the Shared Registry System (SRS). This would prevent two companies from accidentally registering the same domain. Eight more companies followed these five, then another 40 or so, until today there are just under 120 companies running under this main directory system.

ICANN decided that in order to maintain a level of control over the system all these "registrars" would have to apply to it for affiliation. Each company could then act as a middleman to other companies which want to sell domains as part of a package to ordinary companies and individuals. The definitive directory (registry) would continue to be owned and run by Network Solutions, which would charge a flat fee per domain to keep the records up to date - currently $6 per domain and $6 every time it is transferred.

Becoming an ICANN-accredited registrar is not cheap. ICANN asks for a $2,500 application fee from each company, which, in the organisation's best tradition, is non-refundable. If accepted, there is an annual fee of $4,000 for the first top-level domain (TLD) you want to sell and an extra $500 for each additional TLD. There is also a variable fee, set by ICANN, to be paid every year. And a $10,000 licence fee for the (essential) software needed.

Most controversially however, registrars must also sign ICANN's Accreditation Agreement. To sell the domains, registrars have to be accredited by ICANN and have to pay the significant annual fees outlined above. Nevertheless, the contract writes ICANN out of any and all responsibility for any issues arising from the sale or resale of domains. It also removes ICANN from an assumed role of ultimate authority on domain issues. It does however retain the right to dismiss registrars.

This approach of non-accountable control has subsequently been copied by many of the ICANN-accredited registrars when dealing with their own registrars, resulting in the unenviable situation that when an error does occur, no one can be held to blame and no one can make a binding decision.

It was this system that caused Gary Kremen to lose the coveted domain Sex.com after a cock-up by registrar Network Solutions. He subsequently lost a court case to sue Network Solutions for its mistake but after five years in the courts and millions of dollars, finally managed to get the domain back last year from the person who had stolen it.

Determined to set a precedent however, Kremen has turned again on Network Solutions to force them to accept culpability. A few weeks ago (January 2003), the Court of Appeals referred the case to the California Supreme Court, which has yet to decide whether to take it. It will take a further year to decide even if it does.

The self-same problem happened with other high-profile domains including Internet.com and Races.com, and has happened with scores of other sites, each time with the same effect. Put simply, if something does go wrong with your domain, there is next to nothing you can do about it.

So where does the system fall down?

The problem lies in how ownership of domain names is moved about. With no authority at the top of the tree, if any of the ICANN-accredited registrars disagree over who actually owns a site, there is no right answer. ICANN has consistently said it is a matter between registrars, neither of whom want to give the domain away.

The rule of thumb is that whoever is listed in the definitive Internet directory (run by Network Solutions) as owning the domain, owns the domain. But then there have been cases where someone can prove they bought the domain earlier, only for the details to show someone else.

Worse than this, registrars have wrongly transferred thousands of domains to someone else because they have mistakenly accepted a spoofed email or fax as coming from the current owner. The fax/email requests the domain be signed over to Mr X and it duly is. The registrar refuses to accept liability when the error comes to light and the Internet directory shows Mr X as the legal owner. Sorry, there's nothing we can do, the man who owned the domain and has done nothing wrong is informed.

When there is a legitimate request for a domain to be transferred, there is also a risk of it falling into the wrong hands. In one case, a multi-million pound sale of ebusiness.com was halted after punter Mahesh Rao somehow managed to register it mid-transfer. Only heavy legal threats got the domain returned.

The software linking the ICANN-accredited registrars together is not without faults. For example, Network Solutions will frequently show a domain as available to buy when it has already been bought by another registrar because its database is only updated every few hours. This has led to numerous multiple purchases of the same domain.

On top of this, there are several competing systems for the transfer of domains. If you want to transfer a domain from a company that works as a registrar for a particular ICANN-accredited registrar to another that also happens to be a registrar of that company, there should be little problem. Likewise if the registrar you are moving it to is under an ICANN-accredited registrar that shares the same system as the first company's ICANN-accredited registrar.

Otherwise, you can easily become stuck in limbo-land. And, of course, no one is responsible, no one is to blame and so it will most likely come down to you to persuade those concerned to complete the transaction. And this is almost always a matter of days or weeks instead of hours.

And then of course there are just good old-fashioned cock-ups when a registrar releases a domain onto the market by mistake. It will usually chase this up and regain control of the domain for you but don't count on it because, after all, it is not to blame.

Expired domains

However, by far the most common problem is with expired domains. The fundamental decision to make domains something that you only lease for a period of time rather than own outright was certainly a smart financial move for those that make up the Internet infrastructure. However it has also been the single most frustrating aspect of the Internet for millions of users.

As soon as a domain expires, it's in the lap of the Gods who will end up with it. The previous owner should have received an email informing them of the impending expiration, but sometimes the original registrar fails to send one. Why is a matter of some philosophical debate.

More likely though is that the contact details for the domain are out of date and the listed administrative contact is an email address that no longer exists - it could be the person has left or he has changed email address or it was a free email account that has been rescinded. Equally, the email could have been received but forgotten about until it was too late.

Once a domain expires, it is usually put on hold straight away. The registrar is the new owner at this point. The domain is then put in a queue for deletion, at which point it will be released back to the market and anyone will be able to purchase it.

How long the domain remains in that queue, and hence how long you have either to wait for its release or to regain control of it, is entirely up to the registrar. And every one of the thousands of registrars has a different policy. Some have a grace period where the original owner can re-register it if they pay a penalty fee. Some do not. Some release the domain just three days after it expires while others will hold on to the domain for weeks, months, even years if the previous owner upset the registrar (from this writer's own experience).

Some registrars release them after a certain time period, some every 30 days in batches, some whenever the number reaches a certain level. Some defy all logic. It doesn't matter because from this point, especially if the domain is a good one, all you can do is try to be the first to get it when it is finally released. But more of that in Part II.

So why is nothing being done?

If all of the above has happened, why hasn't anything been done about it? Well, it has. All the worst examples came from early 2000. And since most people register domains for two years and there wasn't a repeat of the domain cock-up season last year, we can only assume that the measures introduced worked.

However, while some new systems have been innovative, greatly improving the speed and ease of domain transfers and enhancing the security around domain ownership, there remains a no man's land between purchasing domains and using those domains, and a wasteground between different ICANN-accredited registrars.

Rather than tackle the problems at root cause, competing registrars have built their own fortresses. And in the continuing struggle for more profit, the faults of the system have been used by registrars to offer domain name owners new "services".

Sign up to the Platinum account and we will make sure we don't sell your domain to someone else without telling you. Purchase our new Security Deluxe for your domain and we'll make a phone call to check before signing over the rights to your company.

Increasingly under this mutated system, the more you pay, the smaller your chances of logging on one day to find your online auction site offering Dirty Teen Sluts. But go for your regular domain registration with no extra fries and decide not to supersize it, and, well, what do you expect? ®

Where the Hell is My website?
Part I: The nightmare and the US system
Part 2: The UK system and what ICANN should do to be more like it.
Part 3: A practical guide to making sure you keep hold of your domain.
