Sulit.com.ph security breach prompts renewed debate on dotPH monopoly

On Saturday, December 1, visitors of Sulit.com.ph, the country’s largest and most visited website, did not expect to be redirected to the classifieds site’s rival service, AyosDito.ph, when they entered the former’s URL in their browsers.

For several hours, Pinoy users could not get access to the Sulit website because of an apparent security breach in the site’s domain servers, which are maintained by dotPH Domains, the sole domain registry and registrar of all .ph domains in the world.

According to a later post on the Sulit website, someone was able to gain access to the site’s dotPH account and had successfully rerouted the address to another server.

“Sulit.com.ph became inaccessible to a number of our users starting from 1:00PM of Saturday, December 1, 2012,” RJ David, the managing director of Sulit.com.ph, said in a post. “The problem was due to our domain (sulit.com.ph) being pointed to another server.”

Domains serve as a website’s official address on the Internet. If a website is a house located in the vast space of the Web, its domain name serves as a tool that helps everyone find that specific house where they can get their needed information, carry out transactions, or communicate with others.

In the Philippines, dotPH Domains, Inc. is the sole authority that lists, maintains, and sells all of these Internet addresses. A breach in the system of dotPH, therefore, would mean an outsider could easily point a high-traffic address such as Sulit’s to another house, which could subsequently earn the unintended traffic.

The domain registry is owned by Joel Disini, an enterprising businessman who is the CEO of dotPH Domains, after the administration of the country code top-level domain (ccTLD) was assigned to him by the Internet Corporation for Assigned Names and Numbers (ICANN), the global authority on Internet domain names, in the early ’90s.

A decades-long monopoly

Being the sole administrator of the .ph domain, therefore, gives Disini and his company a monopoly on offering all .ph and .com.ph domains to interested users. In the absence of competition, dotPH was able to get away with pricing every domain it sells at around P1,500, when a .com or .net domain would normally cost below P1,000.

The lack of competition also acted as a disincentive for the dotPH registry to innovate and improve its services, which might have led to the Sulit.com.ph breach on Saturday, according to prominent technology blogger Abe Olandres, owner of Yugatech.com.

“I’ve already acceded to the fact that dotPH is really not reliable,” Olandres told InterAksyon.com in an interview. “They don’t do a lot of development from their end, because as a monopoly, they don’t need to exert a lot of effort to sell their product.”

Being the sole .ph domain seller in the world has actually led to some abuses, Olandres noted, which prompted many Internet stakeholders in the early 2000s to seek government intervention to wrest control of the ccTLD from Disini.

Just recently, Olandres said dotPH raised the price of their domains for bulk buyers from as low as P800 to the current flat rate of P1,500.

Such monopolistic behavior has prompted groups such as the Philippine Domain Name Authority Convenors (PhilDAC) to petition the government to step in and gain control of the ccTLD, arguing that “the PH ccTLD is a public resource” and that the “state has a sovereign right over Internet-related public policy issues,” among others.

No other alternative

One of the proposals in 2004 was to break the dual registry-registrar function of dotPH domains and make it choose which role to take moving forward. A registry, according to Olandres, administers the database and domain name servers of ccTLDs, while registrars sell the domains themselves.

By breaking the duality, dotPH would lose the majority of its control over the domains and eventually lose profit, which is why such moves did not prosper many years back.

Recent events, however, stand to serve as a revival of the debate, as emerging Internet companies — and not just Sulit.com.ph — stand to get affected once similar breaches happen to their domains.

“Right now, there really is no alternative,” Olandres stressed. “At the end of the day, you still go back to dotPH [for your .ph domains].”

Sulit.com.ph, having anchored its brand on its domain, also has its hands tied to its original Internet address. “As of now, the brand value of Sulit.com.ph is already very big that we cannot just have it written off,” David explained. “We are looking at the possibility of a backup domain but we are also careful to lose our SEO ranking as it might be tagged as duplicate content by search engines.”

David estimates that the company lost P1.4 million in bringing the site back online alone. “This is just traffic and does not include the loss in brand value, reputation and potential loss of users who might never come back because of the incident,” he added.

A brewing change

Because Internet and e-Commerce companies are now emerging as potent economic forces in the country, industry veterans and stakeholders have once again revived talks of implementing change in the country’s ccTLD registry.

In the Facebook group Philippine Cyberview organized by local Internet pioneer Jim Ayson, members of the PhilDAC are once again pushing for the revival of the talks between Internet players, dotPH’s Joel Disini, and the government on how to best approach the current conundrum.

“The DOST-ICTO [is] thinking of calling an informal consultation on this, inviting dotPH, Sulit.com, and other interested parties in a friendly meeting to find out what happened and how can govt help address the issues in a collaborative way,” posted Al Alegre, a consultant at the government’s Information and Communications Technology Office (ICTO).

Bombim Cadiz, one of the proponents of PhilDAC, stressed a succinct point, however: “Disini will always be the owner/operator/proprietor of dotPH. It is his company. You can not take that away from him. However, dotPH doesn’t have to be the registry operator of the PH ccTLD.”

Emerging Internet start-ups are also wary of the issue, Ayson added. “The startup community is concerned that lousy PH domain service is bad for e-business. That’s a good way to approach it,” he added.

But for Sulit’s David, the only recourse in the interim is to pressure dotPH to improve its security measures. “The best remedy to this incident is to push dotPH to provide the level of service and security expected from a local domain registry,” he said. “This incident not only reflects on to Sulit.com.ph or to dotPH but to the entire local online industry and it casts a bad light for the potential investments to the growing technology start-up community here in the Philippines.”

Emil Avancena, dotPH Domains Inc. spokesperson, meanwhile told InterAksyon.com that they had already implemented increased security features to prevent such incidents from happening again in the future. “In the meantime, we’re putting added measures in place that will allow domain owners to lock their accounts so that changes to the DNS records cannot be done online,” Avancena said.

“The changes will only be made upon our receipt of written confirmation from the domain owner that the changes are in fact authorized,” he added.
