Dot Triple X - ICANN’S Blunder

In the event you have been living in a cave, on the ICANN board approved the creation of a new sponsored Top Level Domain referred to as Dot Triple X. Web sites will soon start appearing that have a .xxx at the end (as opposed to say, .com or .net).

The main proponent of the sponsored TLD:

  • International Foundation for Online Responsibility

The main opponent of the sponsored TLD:

  • Free Speech Coalition

Whenever looking at a controversial issue, it is a good idea to look at the motives of the organizations behind the positions. Usually when an organization supports or opposes a controversial idea, they have an angle on it. That is not a bad thing, we all have our own angles on just about every issue. Looking at what those angles are however can help us come to an intelligent decision. I encourage you to do that research yourself. Please read what I have to say, but I encourage you to do your own homework as well.

In this article, I will frequently mention an organization called the Association of Sites Advocating Child Protection (ASACP) as an established technically better solution to many of the alleged needs Dot Triple X is trying to address. I would like to make it clear that I do not work for them, with them, speak for them, or represent their opinion. Last I saw, as an organization they were choosing to remain neutral, basically stating that to take a position on the Dot Triple X TLD was beyond the scope of their organization. That article is , but if they have an updated position I have not heard it.

 

How the Internet Works

Most people know very little about the web. Even many webmasters are clueless to many of the finer points of the Internet’s inner workings. Hell, even I have a tremendous amount I can still learn, and I am more knowledgeable than most about things web. I will try to be brief here. If you are familiar with what takes place when you connect to a web site, feel free to skip past it. It is important however that you understand this process to properly comprehend the Dot Triple X debate.

 

IP Addresses and Internet Protocol

The Internet is a plexus, er, I mean network of computers that communicate with each other. For computer A to talk to computer B, it has to know how to find computer B on the network. This is accomplished using something called Internet Protocol (IP).

Each connected device has an IP address. For version 4 of the Internet Protocol, an IP address looks something like 173.255.205.102. For version 6 of the Internet Protocol, it looks something like 2600:3c00::1b:5040.

Your computer sends its request in packets to its configured router. The router then looks up the IP address in a routing table to determine the next router along the line the packets should go to. Finally when everything goes according to plan, the packets sent by your computer end up at the computer with the correct corresponding IP address.

The problem with IP addresses is that they are not very human readable. Furthermore, the address associated with a specific computer may need to change from time to time (sometimes quite often.) To deal with this issue, we use domain names.

Just like phone numbers sometimes change but the name of the person rarely does, IP addresses of a web site sometimes change but the domain name generally remains the same.

 

Domain Name System

In a nutshell, a domain name is a computer host name that is used to identify what address on a network is associated with the host. Not all host names are domain names, and not all networks are IP networks (for example, AppleTalk is another type of network) but for the context of this discussion, a domain name is a name used as an index to find the IP address of another computer on an IP network.

Generally what happens is you request a resource from a particular domain name. Your network stack then looks up the IP address associated with that domain name by sending a request to a Name Server. Name servers play a critical role in the Domain Name System.

The Domain Name System is under the governorship of ICANN. They determine what Top Level Domains (aka TLDs) are used, and what registries can assign them. This is important to make sure that there is unique control over what IP address a domain name points to.

It is important to note that you can point a domain name to any IP address you want. If you control the domain name, you control what the name resolves to, and can even point it to IP addresses you have nothing to do with.

 

Connecting to a Web Site

When you type in a web site URL or click on a hyperlink, several things happen. First, your browser uses your operating system's network stack to ask for the IP address associated with the domain name part of the URL. The network stack then sends out a request to the name server it is configured to use. The name server gets the IP address either from its own cache, or by requesting the IP address from another name server. The IP address is then sent back to your networking stack, which gives the address to your browser.

Your web browser then sends a request using the HTTP Protocol which includes things like what types of content it can handle, cookies associated with the domain, what web site referred it, and what file it is asking for.

The web server then uses this information (or not) in determining how to answer the request and send the appropriate response. The first thing the web server sends are headers that give the browser information about the content being sent. This is important to this discussion, so I will repeat it. The HTTP protocol has a mechanism by which the server tells the client (your browser) information about the content it is sending. This mechanism is called HTTP Headers and by design they are sent before content is sent.

To see an example of what the headers look like when connecting to this page, see Headers sent by EroticaPlexus at the bottom of this page.

 

Dot Triple X - Bad Solution Without A Problem

Dot Triple X is a technically poor solution to a problem that does not even exist. What is it even trying to solve? On their homepage, IFFOR states “to primarily serve the needs of the global responsible online adult-entertainment community”. What are these needs and how does it solve them?

Prominently on their homepage (checked ) the IFFOR makes some claims about what the .xxx TLD is supposed to accomplish. To summarize three I would like to specifically address:

  • promote the development of responsible business practices and conduct within the online adult-entertainment community
  • protect the privacy and security of consenting adult consumers of online adult-entertainment goods and services
  • promote the development of business practices to safeguard children online and combat child abuse and child abuse images;

While those sound dandy, none of those are accomplished by the creation of an opt-in TLD and all can be accomplished without it.

While trying to find out what IFFOR meant by this, I found the following PDF file on their web site: IFFOR Baseline Policies.

 

Labeling of Content

All registrants in the sTLD must label their .xxx sites, and any site irrespective of top level domain to which such sites are automatically redirected, using an IFFOR approved label.

An automatic redirect usually involves an HTTP header, though it sometimes involves JavaScript. Clicking on a link that points to another domain is not an automatic redirect.

Thus all a .xxx site needs to do is have all hyperlinks on the site link to the .com version of the site, and they do not need to label the .com version of their site. The user may not even be aware that they have now loaded the .com version as opposed to the .xxx version they initially went to. I actually like the spirit of this guideline, but it is unfortunately poorly worded so that it is basically ineffective at forcing content labeling.

I am not sure it is anyone’s place to mandate labeling anyway. Yes, I would like to see every single adult content site use RTA Label or an equivalent, but that does not mean it should be forced.

I also would like it clarified as to what type of labeling is required. The only type of labeling that is effective is an HTTP header or a meta tag within the (X)HTML document. I prefer to use an HTTP header, as HTTP headers can be sent with any kind of content, including images, videos, PDF files, etc. But if we are discussing best practices, best practice would use the header and also include the meta tag when possible, so that the rating stays with the document if the document is archived or mirrored somewhere else.

A new sponsored TLD is not required to implement this best practice. The industry has largely already adopted the RTA Label and the label is recognized by virtually every content filter on the market.

Update - I visited my first .xxx web site today, www.desi.xxx. The site did not have any age verification for the index page, which had explicit content. The web site did not send any headers indicating adult content, nor did it have a meta tag in the HTML indicating adult content. I did not see any labeling mechanism whatsoever. Content filters would probably still catch the site (even on a .com TLD), but the web site did not appear to label itself in any way, shape, or form. The site looks like a writing site and not an image/video site, but the site had very explicit visual advertisements, and thus should have had some type of adult labeling. Explicit Screenshot.

Clearly having a .xxx TLD does not mean best practices are going to be embraced or followed, and IFFOR does not have the ability to enforce their policies.

 

Prohibition on Child Pornography

Child Pornography is already illegal. The scum bags who participate in it do so in underground circles and move stuff around.

There is something though about their Child Pornography policy that bothers me. They specify “Content Designed to Suggest the Presence of Child Pornography”. I assume they are jury on this. Here are two examples of page titles I have seen on web sites:

  • Young Lolitas
  • Tiny Boy Toys (it was a reference to small penis humiliation)

Both sites labeled their content using RTA Label (I believe ICRA as well). Both sites featured models that all appeared to be over 18 years of age, and had U.S.C. Title 18 § 2257 statements. Neither site was portraying any models as children.

Would they be in danger of violating the IFFOR policy? I do not know. Since the vast majority of the IFFOR board appears to have zero experience in the adult entertainment industry, the answer is anyone’s guess.

 

Consent to Monitoring

All registrants in the sTLD must agree to permit automated monitoring of their sites for compliance with IFFOR policies, including without limitation, IFFOR policies requiring site labeling, prohibiting child pornography, and prohibiting content or conduct designed to suggest the presence of child pornography. Registrants must agree not to employ technological or other means to defeat or prevent such monitoring.

Um, no. No. Hell no. There are major major major problems with this.

First of all, it will be impossible to enforce. Without control of the actual servers, there is no way in hell that IFFOR or anyone else can adequately use automated scanners (aka bots) to remotely monitor a web site for the purpose of ensuring compliance.

A large percentage of the adult industry makes its money off of site membership. If you are not a member of the site, very little content is available. In order to allow adequate automated remote monitoring of content within the member areas, these web sites will need to provide a mechanism by which the monitoring software can access membership data. As soon as they do that, they open themselves up to the possibility of regular joes spoofing the automated scanner and gaining access to free content. If the web sites do not open up their membership areas to automated scanning tools, then the automated scanning is pointless.

Secondly, automated scanners are easy to detect. They should identify themselves. Many web masters blacklist any automated bot that does not identify itself. It is bad practice to use an automated bot that does not identify itself. It will be extremely difficult however for IFFOR to demonstrate that a certain web site responds differently to their automated bot than it does to a horny user’s web browser.

This policy is just not realistic, and I will never use a .xxx TLD or allow one on a server I run because I will not allow an external party to determine how my server software responds to bots.

 

Registrant Disqualification

Registrants determined to be in violation of any other IFFOR Baseline Policies shall be notified in writing and given thirty days to come into compliance. The registration of any registrant failing to cure the identified violation shall be terminated. Registrants determined by ICM to have repeatedly violated the IFFOR Baseline Policies, any IFFOR Best Practices Guidelines, and/or ICM Registry Policies, may be disqualified from maintaining existing registrations in the sTLD or making future registrations in the sTLD.

Nutshell: If you use a .xxx TLD, your business is at the mercy of a third party without any legal recourse. It is a bad business move to use a .xxx TLD. If they determine you are violating one of their policies, you lose your most important asset, the domain your customers use to find you. Even if you agree with their current policies, policies change.

You might as well just stick your dick in a vice. Use .xxx and they p0wn you. Trying to sue them for damages or to have them reinstate your domain will be very costly and very well may fail. Avoid the problem, do not host your sites with .xxx domains.

 

Analysis

Some of the IFFOR Baseline Policies are valid “responsible business practices and conduct” for the adult content industry. However it does not appear to me that the adult content industry needs IFFOR to tell them what these best practices are. Many companies within the adult content industry already embrace them and are already directly addressing these issues through venues such as the Association of Sites Advocating Child Protection (ASACP) and voluntary adoption of the RTA Label.

Some of the IFFOR Baseline Policies however are downright scary. Subjecting oneself to them gives them too much power over the future of your business, power they can potentially abuse.

For adult content providers looking to be responsible members of the community at large, I personally highly recommend that you look to trade associations within the adult content industry that do not exist solely to serve a for profit business. Avoid the obvious conflict of interest.

One thing that really scares me is an article about IFFOR board member Fred H. Cate:

He says the Internet in general and sex-related entertainment in particular have long interested him as fields of study because of the constant need to develop laws and policies to keep up with the breakneck pace of technological advancement.

Why does this scare me? I fear the IFFOR is going to lobby lawmakers to try and force adult content providers into Dot Triple X adoption or levy sin taxes on those that do not move.

I really hope that is my paranoia, but putting people on their board who are already of the position that there is a constant need to develop laws and policies is a danger sign to this libertarian (I use the word libertarian loosely, I am not affiliated with the political party and never have been).

The IFFOR has stated they have no intention to try and make Dot Triple X adoption mandatory, but this is not my first barbecue.

There is another organization established in 1991 that does an excellent job at promoting the development of responsible business practices in the adult entertainment industry. It is called the Free Speech Coalition.

 

Privacy and Security of Consenting Adult Consumers

IFFOR and the ICM Registry LLC have this bizarre notion that .xxx domains will give consenting adult consumers of adult content a safer place to surf.

First of all, they do not understand how people find their porn. If I did not feel a need to get this published yesterday, I would do some homework and gather some sadistics, er, I mean statistics. From personal experience and conversations with other porn consumers, the top ways we find new porn sites:

  • Google Images
  • Google Web Search
  • Google Video
  • Rabbits Reviews
  • Twitter
  • Links from Existing Porn Sites
  • Links from Friends

The extension of the domain is the least of our concern, and .xxx is not going to change that.

But really, viruses and trojans and phishing are generally not a problem from well established porn sites. They tend to come from warez and piracy sites. Porn has gotten a bad rap as a source for viruses largely because a lot of porn content is pirated.

If you are being a cheap ass and trying to gain access to entertainment you have not paid for, you are not going to give a shit about the TLD it is coming from, are frequently using a P2P client, and you will be exposed to malware.

Dot Triple X will do absolutely nothing to stop piracy.

The claim is that the automated scans that ICM Registry subjects its clients to will make them safer web sites to use. They will not. While I have not hosted a porn site (I have done work for some, unfortunately just web work, no banging beautiful babes involved), web hosting and security is something I have some experience with. Here is the low down:

 

Trojan Files Served by the Web Server

When you download a file from the Internet that includes a trojan or virus, it usually means you are using a community file sharing service, the web server was hacked, or the web server is being run by a scum bag making money by inserting spyware into what is being shared.

Community file sharing services do not typically take place on porn sites. They just don’t. Usually they take place on P2P networks or newsgroups. There are some web sites that specialize in it, like rapidshare, but the bulk of it takes place over P2P.

When a web site has been hacked, if the web master needs a third party automated scan tool to alert him that his site has been compromised, he either learns fast or does not run servers for very long. Any competent web master will be aware of the problem before a remote third party scanner finds the malware.

When a web master is a scum bag, he would have to be a really sloppy scum bag to let the automated scanning tools catch him. The bots used for this purpose will not be difficult to identify with automated scripts on the server. You simply do not send the malware to the bot.

 

Cross Site Scripting (aka XSS)

This is a far more common danger that users who are not trying to get pirated content fall victim to while surfing web sites.

Cross Site Scripting attacks are where the attacker inserts code into a web site that is then executed by the user's browser when the user visits the web site, resulting in the browser taking action that the user and web application did not intend.

Porn sites are not specific targets for this type of attack. Blogs, forums, and social networks (whether they are adult content or not) are targets for this type of attack.

Remote scanning of your web site is not a proper preventative measure to avoid subjecting your users to XSS (and CSRF) attacks. Proper preventative measures:

  • Use prepared statements for any and all SQL queries that involve any user input
  • Sanitize any and all GET and POST variables
  • Use up to date server side filtration, such as HTML Purifier or CSP Filter
  • Serve your data as X(HT)ML to clients that accept it (most XSS relies upon broken HTML structure and will not work if data is sent as XML)
  • Make use of Mozilla’s Content Security Policy so that browsers that support it know the security context of the page and will not execute scripts/resources from sources outside the scope of the policy

None of those solutions require a .xxx TLD to implement, and a web site using a .xxx TLD is no guarantee that any of them are being implemented.
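An added example, not code from this site: a simplified model of how a browser applies the Content Security Policy mentioned in the list above, using the policy value from the header dump at the bottom of this page. The resource URLs are constructed, and only 'self' and host-only source expressions (the kinds that policy uses) are modelled.

```python
from urllib.parse import urlsplit

# Policy value copied from the X-Content-Security-Policy header shown on this page.
PAGE_POLICY = (
    "allow 'none'; img-src 'self' *.photobucket.com; media-src 'self'; "
    "script-src 'self' scripts.domblogger.net; object-src 'self'; style-src 'self'"
)
PAGE_ORIGIN = "http://eroticaplexus.net"

# "allow" is the pre-standard Mozilla spelling of what became "default-src".
DEFAULT_DIRECTIVES = ("default-src", "allow")


def parse_policy(value):
    """Turn 'name src src; name src' into {name: [src, ...]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    for name in DEFAULT_DIRECTIVES:
        if name in policy:
            return policy[name]
    return None


def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers subdomains only, never example.com itself.
        return host.endswith(pattern[1:])
    return host == pattern


def allows(policy, directive, resource_url, page_origin=PAGE_ORIGIN):
    """Would a resource of this type be loaded from resource_url?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    res, page = urlsplit(resource_url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (res.scheme, res.hostname, res.port) == (page.scheme, page.hostname, page.port):
                return True
        elif not src.startswith("'") and host_matches(src, res.hostname or ""):
            return True  # quoted keywords such as 'none' never match a URL
    return False


def allows_inline_script(policy):
    """Inline <script> runs only if unrestricted or explicitly opted in."""
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources


def evaluate_samples():
    """Constructed requests a page under PAGE_POLICY might trigger."""
    p = parse_policy(PAGE_POLICY)
    return {
        "own script": allows(p, "script-src", "http://eroticaplexus.net/js/site.js"),
        "listed script host": allows(p, "script-src", "http://scripts.domblogger.net/lib.js"),
        "injected remote script": allows(p, "script-src", "http://untrusted.example/x.js"),
        "injected inline script": allows_inline_script(p),
        "image on subdomain": allows(p, "img-src", "http://i42.photobucket.com/a.jpg"),
        "image on bare domain": allows(p, "img-src", "http://photobucket.com/a.jpg"),
        "font (falls back to allow)": allows(p, "font-src", "http://eroticaplexus.net/f.woff"),
    }


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:28} {'load' if ok else 'refuse'}")
```

Markup that slips past server-side filtering still has to name a script source the policy permits before a supporting browser will run it.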

 

Intentional Malicious Scripts

We’ve all had it happen. Click on a link and suddenly a plethora of windows open, popunders, loud audio accompanied by poorly encoded video, popups that do not let us leave the site, etc.

This is a major problem with “ghetto” porn sites. Maybe the scanners will detect some of those, but it will not be difficult for the web masters of these types of sites to detect the scanners and better behave for them, and I honestly do not believe IFFOR will be able to determine that is happening.

These sites are usually reached via search engines anyway, and no one gives a shit about the TLD when the Google image search presents an erotic image they want to see.

 

Analysis

The bottom line, IFFOR automated scanning is not going to make surfing for porn safer for anyone. It may be the wet dream of IFFOR that people looking to get off will only surf sites ending with .xxx but it just is not going to happen. The automated scanners are just propaganda that I predict will have absolutely no real world benefit.

Porn is for adults. It is the responsibility of adults to make sure they have adequate protection for their system. In my ~20 years of surfing porn, I have never had my computer or data compromised as a result. A little precaution goes a long way.

 

Safeguard Children Online / Combat Child Abuse

A .xxx TLD will not protect children online. The mantra I keep hearing is that it will allow content filters to block adult content without needing to parse the content. For example, see The Chronicle article Law Professor Steps Up to Task of Making .xxx Web Sites Safe:

Another benefit is that parents and employers who want to limit access to pornography can block the entire domain.

That Law professor, Fred H. Cate, is on the IFFOR board. That statement makes it quite clear he has absolutely no business whatsoever on the board of an organization that wants oversight over Internet Technology. He is quite simply clueless.

The domain name is not the right place to block content. The purpose of a domain name is to assist a computer in finding the IP address of another computer. The Domain Name System was not designed to aid in censorship, and quite frankly, it fails miserably when it is misused in that way.

Anyone can register a domain name and point it to any IP address they want. If the domain example.xxx points to the IP address 192.168.15.12 there is absolutely nothing that would prevent me from registering, say, funbananafurry.net and pointing that domain to the address 192.168.15.12 as well. Now to get around domain name based content filters, all I would have to do is point my browser to funbananafurry.net and I would likely get the same content served by example.xxx.

There does however exist a mechanism that adult webmasters can use that would trigger content filters regardless of what domain name (if any) was used to access the content. It is called an HTTP header.

One of the primary functions of an HTTP header is to give the requesting client information about the content that is being sent. Would it not make sense then to send an HTTP header that identifies adult content as adult content?

That way, content filters and proxy servers could block the content regardless of what actually is in the content, regardless of what domain name (or IP address) was used to access the content.

It would be cool if someone did that. Oh wait, someone does and any content filter worth a damn is triggered by it.

It is called RTA Label. It does not cost a dead dime to implement. You do not have to register your web site with anybody to implement it. You do not even have to be technically inclined to implement it.

It is simple, it is free, it is effective, and it is in wide use by members of the adult industry already and has been in use by members of the adult industry for years.
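The difference between filtering on the name and filtering on the label (sent as the Rating header or as a meta tag, as discussed under Labeling of Content), as an added example that is not part of the original article. The responses are constructed, mirror.example.org and unlabelled.example.xxx are hypothetical hosts, and the meta tag is assumed to carry the same label string as the header.

```python
from html.parser import HTMLParser

# Label value as it appears in the Rating header shown on this page.
RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"


class MetaRatingParser(HTMLParser):
    """Collect content values of <meta name="rating"> / <meta http-equiv="rating">."""

    def __init__(self):
        super().__init__()
        self.ratings = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if (a.get("name") or a.get("http-equiv") or "").lower() == "rating":
            self.ratings.append(a.get("content", "").strip())


def parse_response(raw):
    """Split a raw HTTP response into [(lowercased name, value)] and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def label_rule_blocks(raw):
    """Block when the response labels itself, by header or by meta tag."""
    headers, body = parse_response(raw)
    if any(n == "rating" and v.upper() == RTA_LABEL for n, v in headers):
        return True
    content_type = next((v for n, v in headers if n == "content-type"), "")
    if "html" in content_type.lower():
        parser = MetaRatingParser()
        parser.feed(body.decode("utf-8", errors="replace"))
        return any(r.upper() == RTA_LABEL for r in parser.ratings)
    return False


def tld_rule_blocks(hostname):
    """Block purely on the name the client asked for."""
    return hostname.lower().rstrip(".").endswith(".xxx")


def _resp(header_lines, body=b""):
    return "\r\n".join(["HTTP/1.1 200 OK", *header_lines]).encode() + b"\r\n\r\n" + body


# Constructed sample responses (not captured traffic).
PAGE = b"<html><head><title>t</title></head><body>...</body></html>"
LABELLED_PAGE = _resp(["Content-Type: text/html", "Rating: " + RTA_LABEL], PAGE)
LABELLED_IMAGE = _resp(["Content-Type: image/jpeg", "Rating: " + RTA_LABEL], b"\xff\xd8\xff\xe0")
META_ONLY_PAGE = _resp(
    ["Content-Type: text/html"],
    b'<html><head><meta name="RATING" content="' + RTA_LABEL.encode() + b'" /></head></html>',
)
UNLABELLED_PAGE = _resp(["Content-Type: text/html"], PAGE)

REQUESTS = [
    ("example.xxx", LABELLED_PAGE),
    ("funbananafurry.net", LABELLED_PAGE),        # second name, same server, same response
    ("funbananafurry.net", LABELLED_IMAGE),       # the header labels non-HTML content too
    ("mirror.example.org", META_ONLY_PAGE),       # mirrored copy: header lost, meta tag kept
    ("unlabelled.example.xxx", UNLABELLED_PAGE),  # .xxx site that sends no label
]


def compare():
    """Return (host, blocked by TLD rule, blocked by label rule) for each request."""
    return [(host, tld_rule_blocks(host), label_rule_blocks(raw)) for host, raw in REQUESTS]


if __name__ == "__main__":
    for host, by_tld, by_label in compare():
        print(f"{host:24} tld_rule={by_tld!s:5} label_rule={by_label}")
```

The last row is the other half of the argument: a label rule only fires when the publisher sends the label, which the .xxx registration by itself does not guarantee.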

RTA Label is sponsored by the Association of Sites Advocating Child Protection. It was founded in 1996 with the specific purpose of promoting child safety and child protection, and its existence was never dependent upon a sponsored TLD or any for profit venture.

They have specifically worked with adult content providers for 15 years now without even the slightest hint of conflict of interest.

Compare that to IFFOR. The only reason they exist is for the Dot Triple X sponsored TLD. They did not form to protect children from pornography, they formed to give a propaganda tool to the for profit registry ICM Registry LLC.

If you are an adult content provider who is truly interested in child safety, my opinion is your money is better spent by joining the ASACP than on a .xxx TLD.

If protecting children was really a goal of the IFFOR, they would be promoting RTA Label and the ASACP rather than attempting to duplicate what the ASACP already does.

I do not doubt that IFFOR cares about children, but I honestly believe they have an ulterior motive for pushing Dot Triple X (namely they would not exist without it) and are just using the “but think of the children” mantra as a propaganda tool to promote that commercial entity that they depend upon for their own survival.

With respect to combating child abuse, that will not be accomplished by any opt-in system for adult content providers. There are already laws against child abuse and child pornography and there is already a well established organization (ASACP) that exists specifically to protect children and works with the adult industry, not for them.

The spread of child pornography takes place in the underground. Whether an adult website chooses to be .com or .net or .info or .xxx or all of the above has absolutely no impact on child abuse or child pornography in the slightest. Quite frankly, I find it absurd that IFFOR suggests it does.

 

Impact of Dot Triple X

The actual long term impact of the .xxx TLD still remains to be seen. I do not think there will be a mass migration of adult web sites to Dot Triple X though there will be a mass registration of domain names simply so that existing companies can protect their names and avoid instances of other companies trying to grab the same domain names with a different TLD.

Surfing for pr0n will not be safer. Even in an imaginary world with unicorns and rainbows and talking teddy bears where any web site that uses a .xxx TLD is free from trojans, XSS attacks, and scam artists, no one pays attention to the TLD when surfing for porn. Web sites on the .xxx will link to partner sites on other TLDs and users will click links.

Porn is produced for adults, and adults should be expected to take precautions when connecting their computer to the Internet and seeing what is out there. Adults should be expected to be careful about what files they download. No amount of automated scanning of web sites will alleviate adults of the personal responsibility they need to take when connecting to the Internet. These precautions should be taken regardless of the type of content the adult is searching for, and that will always be the case.

The Dot Triple X TLD will not reduce instances of children accessing adult content on the Internet. It is the responsibility of parents to monitor their children’s on-line activities and when necessary, install content filters. Even installing content filters however does not alleviate the need for a parent to monitor the content their children are accessing on the Internet.

There will not be a reduction in the spread of child pornography as a result of the .xxx TLD. Child pornographers will continue to do what they do. It is disgusting and revolting and extremely damaging to the children they prey upon, but .xxx will not even put a dent in it.

The only thing I see .xxx accomplishing is an increase in wealth of the people at ICM Registry. They are going to make major bank off of this, and that in my opinion is the real motive behind the TLD. There is nothing wrong with people making money, but when the method used is to take it from people who worked hard to build their business and then have to fork over extortion level fees to protect their branding and avoid copycats, that I have a problem with.

 

Letter to IFFOR

Dear IFFOR,
The .xxx sTLD at this point is a done deal. I get that. There is no undoing it at this point. So how do things proceed?

You emphasize that children should be protected from adult content. I get that, I agree with that. However, you need to understand that adult content is not produced by children. I do not think you really get that, because you are clearly trying to treat the adult industry as children. Most people on your board seem to have very little if any experience with the adult content industry. I read each and every bio. One is a lawyer who has done legal work with the adult industry, and one is VP of business development for an adult company. Your board seems to be primarily made up of outsiders who think they have a right to dictate how things are to be done with little or no experience in the industry itself.

You insist that content providers who register domains subject themselves to your automated scans. You insist that they agree to consequences if they do not allow these scans. Ever hear the fucking term probable cause? It is OK for a parent to subject their child to searches and checkups and what not, but it is not OK for you to insist adult content providers subject their sites to your scans. Many adult web masters do in fact take the necessary steps to ensure the security of their web sites. They lose money when they are hacked, they lose customers when customers get a virus. They do not need you to be their nanny, and what you require is both insulting and patronizing.

Your scans are not going to work anyway, they will have no impact on protecting the privacy of users or keeping viruses off of their machines. Furthermore there is absolutely no precedent for a registrar to require such scans in exchange for the right to a domain name. I do not believe I have ever even heard scans suggested for any other industry. This reveals that as an organization, you have a very low opinion of the adult entertainment industry.

The sTLD is done. However, you need to seriously check your attitude towards the industry that you claim you want to work with for mutual benefit.

Your policies suck and will be a leading reason why many legitimate adult content providers who do care about the things you wish to promote will have nothing to do with you.

Thank you for your time,

Alice Wonder

Headers sent by EroticaPlexus

When your web browser requested this page, headers very similar to the headers shown below were sent to your web browser before any content was sent.

    alicewonder@jabberwocky:~$ curl --head http://eroticaplexus.net/DotXXX
    HTTP/1.1 200 OK
    Date: Wed, 28 Sep 2011 22:50:04 GMT
    Server: Apache/2.2.15 (CentOS)
    Set-Cookie: DOMBLOGSESSION=hi7f8hq2gc7lan2hdtd7iucj95; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    X-Content-Security-Policy: allow 'none'; img-src 'self' *.photobucket.com; media-src 'self'; script-src 'self' scripts.domblogger.net; object-src 'self'; style-src 'self'
    Rating: RTA-5042-1996-1400-1577-RTA
    Connection: close
    Content-Type: application/xhtml+xml; charset=utf-8
    alicewonder@jabberwocky:~$

The two headers shown in red, specifically the X-Content-Security-Policy and the Rating headers, are of interest to this discussion.