Skip to main content

Transparency of Security Efforts in ICANN

Security vulnerabilities in systems are an unfortunate fact of life. The Engineering and Information Technology team in the ICANN org is working hard on many fronts to protect and enhance the security of our systems. From time to time events occur that result in specific and focused security-related activity that can impact the ICANN org and/or community. Because of our commitment to openness and transparency, we are disclosing the following two events to the community. To our current knowledge, neither of these incidents resulted in any compromise of ICANN data.

Intermedia Email Services Issue

The ICANN org outsources email services to a cloud services provider, Intermedia. On 21 August 2017, the ICANN org Information Technology (ICANN IT) department discovered an issue with the client administrative control console for Intermedia-hosted email services. ICANN IT immediately notified Intermedia, conducted a thorough investigation of the issue, and determined that no breach of ICANN Board, org, or community data had occurred as a result of this issue. On 22 August 2017, Intermedia, following its own rapid incident response process, applied remediation.

Apache Struts Jakarta Multipart Parser Vulnerability

On 18 September 2017, the ICANN org conducted a review of internally managed ICANN services and after a preliminary evaluation, found none to be affected by the Apache Struts Vulnerability (CVE-2017-5638). We also initiated a process to contact our externally managed service providers to obtain their assessments of the impact of this issue. We have currently received reports that 16 services are unaffected, and are awaiting responses from our vendors regarding the remaining services.

In light of these two disclosures, we have identified the need to formalize our procedures for appropriately disclosing events like these in the future. We have begun the work of defining this process. When that effort is complete, we will communicate the new transparency guidelines to the community.

If you have any questions or feedback, please email me directly: terry.manderson@icann.org

Comments

    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."