Can ICANN Steal Your Domain?

By Blane Warrene
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

Larry Seltzer has penned a column on eWeek that raises some serious security hackles about the ICANN policy for domain transfers. I commented on this when the policy went into effect.

What is frightening about the story he reviews is that the rightful owners of had the registrar lock ON and the domain still transferred. So the policy becomes more dangerous if your domain registrar does not have a tight scheme of check and balances for reviewing domain requests.

This is not always easily done as domain registration in many cases passes through various parties to the ultimate registrar. The terms of service should absolutely be read for the registrar and also how they handle domain locking.

We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now
  • Some registrars are not competent enough about security and they are still accredited. One of my domains was stolen, and I made a lot of effort to get it back. Recent sale proves that it was worth the effort. And this happened before this recent change.
    If someone tries to steal your domain, you have to deny transfer to prevent it.
    Many people said icann is corrupt, but still I don’t see how icann could benefit from this ridiculous rule.

  • I do not necessarily think ICAN is corrupt. However, an organinzation that does some of the most potent policy making in a vacuum without substantial input globally from domain administrators and technical professionals is bound to make some very bad policy. This is one example.

  • I’ve never read so much dross in my life!

    There have always been hijacked domains!!!

    My belief is that there will be far fewer under the new system than the old system. The old system was a complete muddle with neither the gaining nor the losing registrar taking proper responsibility for validating the credentials of the party attempting the transfer. Doesn’t any remember how Netsol used to allow ‘fax transfers’ to be sent in, which didn’t need to be on company letterheads or have any proper authentication, just a signature?

    At least with the new rules valid government identification has to be produced for anyone wanting to use faxes to authorize a transfer.

    Looking at the eWeek story it says this ” In fact, according to this story in The Register, Panix had actually locked their domain at Dotster and Melbourne IT registered it anyway”

    A couple of points:
    1) You shouldn’t believe everything you read in the press, least of all in “The Register”. Alot of their domain ‘stories’ have been absolute laughable hogwash.
    2) A domain that is locked cannot be transferred, period. It is not like a gaining registrar can ignore a lock. That is not how the system works. If a name is locked, it cannot be transferred out. So my guess is that at the time of the transfer, the domain wasn’t actually locked.

    Isn’t it strange how one hijack story is trotted out to ‘prove’ that the new ICANN transfer system is wrong. Perhaps I should trot out all the hijack cases that happened previous to the change?

    Finally, why on earth do people use these individual cases to come to some amazing conclusion that “ICANN is corrupt”. I don’t see how one domain hijack proves anything, least of all that ICANN is corrupt.

  • Lee — the light will blaze very brightly on every move they make so long as the Internet community believes (rightly or wrongly) that ICANN either is not working in their best interests or makes crucial policy decisions without substantial public comment.

  • Adam

    The more you try to protect something the more people will try to break the walls down… You can steal someone identy in minutes… it can take days to steal a domain… ICANN isnt the trouble its having no checks at the domain managers (mine requires an email to be auth’ed before the request even goes into effect)