[gnso-rpm-wg] Possible Technical Bug in URS implementations

George Kirikos icann at leap.com
Mon Jun 4 22:54:39 UTC 2018


The first URS case involving a .app domain was decided (in favour of
the complainant), for bcg.app.

http://www.adrforum.com/domaindecisions/1785973D.htm

As I predicted earlier in this thread, the technical bug is evident,
as there's no HTTPS page for bcg.app, i.e.

https://bcg.app/

doesn't serve up the suspension page. If one attempts to load the HTTP
version of the page VIA AN OLDER BROWSER (i.e. one that doesn't
observe the HSTS preload list), one can see the standard suspension
page at:

http://bcg.app/

However, for a modern browser (e.g. the latest version of Chrome) that
is enforcing the HSTS preload list which doesn't permit non-HTTPS
pages for .app, the suspension page isn't loading.

The need for either a better policy (one that more clearly requires
both HTTPS and HTTP versions of the suspension page) and/or better
implementation by the URS providers, is evident.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/


On Wed, May 23, 2018 at 3:17 PM, George Kirikos <icann at leap.com> wrote:
> Just to followup, according to the search tool at NAF:
>
> http://www.adrforum.com/SearchDecisions
>
> there are several URS disputes in progress for .app domains, including:
>
> bcg.app
> skx.app
> oliverwyman.app
> skechers.app
>
> We should know relatively soon whether the suspension pages for these
> domains (if decided in favour of the complainants) are served via
> HTTPS, to be compatible with the HSTS preload setting that Google has
> applied to the entire .app TLD.
>
> Sincerely,
>
> George Kirikos
> 416-588-0269
> http://www.leap.com/
>
>
>
> On Thu, May 17, 2018 at 8:31 AM, George Kirikos <icann at leap.com> wrote:
>> Six days and no replies.....I'll just post the issue here, in the
>> hopes it gets to the right people (and to highlight the policy issue).
>>
>> As members of this PDP are aware, after a complainant wins a URS
>> dispute, the URS provider is supposed to create a suspension page for
>> the domain name. For example, at 2 of the 3 URS providers (the 3rd
>> doesn't seem to have any active suspensions at the moment):
>>
>> MFSD: http://reima.top
>> NAF: http://wikipedia.kim
>>
>> However, Google recently launched .app, which has a unique feature,
>> namely that the entire TLD is on the HSTS preload list:
>>
>> https://get.app
>>
>> "The .app top-level domain is included on the HSTS preload list,
>> making HTTPS required on all connections to .app websites — no
>> individual HSTS registration or configuration required."
>>
>> This means that unless the URS providers launch HTTPS versions of
>> their suspension pages, the HTTP version won't be accessible for .app
>> domains. Given the relatively high number of .app domains that were
>> registered already, one would expect .app URS complaints to be
>> forthcoming.
>>
>> One can easily check that the 2 URS providers don't appear to be
>> serving HTTPS versions of their suspension pages at present, see:
>>
>> MFSD: https://reima.top (clicking through the SSL warnings takes ones
>> to a MFSD page)
>> NAF: https://wikipedia.kim (connection refused; presumably their
>> webserver isn't listening at that port)
>>
>> As for ICANN policy, the URS Technical Requirements at:
>>
>> http://newgtlds.icann.org/en/applicants/urs/tech-requirements-17oct13-en.pdf
>>
>> merely say, on page 1:
>>
>> "A URS Suspended domain name will be redirected to a webpage that
>> mentions that the domain name has been suspended because of a URS
>> Complaint."
>>
>> It didn't specify whether the "webpage" should be delivered via HTTP,
>> or HTTPS, or both. A clearer set of requirements here would have
>> avoided the issue.
>>
>> There are likely still a few weeks before the first .app URS complaint
>> is decided, so sufficient time for a fix. I figure this issue can be
>> solved for under $20/month, for those who know what they're doing
>> technically.
>>
>> By the way, the implementation of suspension pages seems to differ
>> across providers. e.g. NAF wildcards (*.example.com) the subdomains,
>> so that:
>>
>> http://gjkhjhg.wikipedia.kim
>> http://anything.wikipedia.kim
>>
>> deliver the page. MFSD only handles the "www" subdomain (and the naked
>> domain itself). Neither of the 2 handle "internal" pages beyond the
>> "home" page, e.g.
>>
>> http://wikipedia.kim/lalala --- 404 error
>> http://reima.top/lalala -- 404 error
>>
>> With minor configuration changes, those URLs currently serving up a
>> 404 error could instead serve the suspension notice.
>>
>> Sincerely,
>>
>> George Kirikos
>> 416-588-0269
>> http://www.leap.com/
>>
>>
>> On Fri, May 11, 2018 at 10:49 PM, George Kirikos <icann at leap.com> wrote:
>>> Hi folks,
>>>
>>> I believe I've uncovered a technical bug in the URS implementation.
>>> Does anyone here know the best method to report it? It might require a
>>> policy change (due to the ambiguity of the policy's requirements on
>>> providers) or updated documentation, as well as implementation changes
>>> by providers, in order to fix it.
>>>
>>> The bug isn't manifesting itself at the moment, but is almost certain
>>> to be visible to others in a short time.
>>>
>>> Sincerely,
>>>
>>> George Kirikos
>>> 416-588-0269
>>> http://www.leap.com/


More information about the gnso-rpm-wg mailing list