As you know, the ICANN organization took down its Adobe Connect service midway through the ICANN61 meeting in response to reported issues with this service. Concurrently, we began to conduct our own forensic analysis of the reported incident and began working with our Adobe cloud service provider, CoSo Cloud LLC, and through them with Adobe to learn more. Shortly thereafter, we rolled out instances of Zoom and WebEx for the community to support remote participation (RP) and collaboration. Here's where we are now:
The Forensics Investigation
With respect to our forensics work, we received application logfiles from CoSo Cloud, going back for a period of one year. ICANN Engineering and Security teams have examined these application log files and the results of our investigation clearly show "fingerprints of incursion" by the researcher who reported the issue. We were unable to find any other indication that anyone else either identified or exploited this issue. Thanks to the person who found the bug again.
Working closely with CoSo Cloud, we were able to recreate the reported issue, and understand the conditions required to trigger it. This information has been communicated to Adobe, and Adobe is working on a software fix to address the root cause of the issue.
We have also been working with CoSo on options to re-enable Adobe Connect in the shorter term. We have determined there are two viable paths to accomplish this goal. They are:
- Deploy a hardened configuration to eliminate "man-in-the-middle" exploitations by encrypting relevant traffic, or
- Implement a programmatic fix from CoSo Cloud to substantially reduce the window during which the issue can be exploited.
With respect to the first option, we attempted to hack the hardened configuration in a test environment last week, and were not able to do so over the course of 7 hours. Separately, CoSo Cloud and Adobe conducted similar tests and confirmed that this configuration is protected from exploitation of the issue.
Community Feedback and Next Steps
For the last three weeks, we have been gathering limited feedback regarding users' experiences with WebEx and Zoom. So far, we have input from about 200 people, including ICANN org meeting organizers and the ICANN community. Our analysis of this feedback indicates a desire to revert back to an Adobe Connect, providing the security of the service is ensured.
Accordingly, we would like to propose the following plan to the broader community for consideration:
- We would like to restore Adobe Connect services with both the new hardened configuration and the programmatic fix discussed above. Our intent would be to restore service by 3 May. This would allow us to use Adobe Connect during several upcoming events including the Board Workshop, the GDD Industry Summit, and ICANN62.
- Once Adobe releases a new version of the software with a fix for this issue from their perspective, and provides assurance the update has been adequately tested, we will move toward that release of Adobe Connect in a prudent manner, with the help of CoSo Cloud.
We believe that this approach will ensure the security of our content, and of our community interactions, while also enabling our community to use the collaboration tools of their choice.
Before we make these changes, we want to hear from you. What do you think? Please submit your thoughts on this contemplated move before May 2nd here: RP-tool@icann.org
Meanwhile, we will continue to offer WebEx and Zoom for RP and collaboration purposes. We will also continue to follow industry developments, including the research ALAC is doing on the RP and collaboration space, to ensure we are using secure and cost-effective tools that are appropriate for our needs.
I look forward to your comments!
