Domain administrators will have to confirm their data through the State Services infrastructure


A bill is to be submitted to the State Duma that introduces mandatory confirmation of domain administrator data through the State Services infrastructure. Currently, companies and individuals managing domains in the .ru and .рф zones must provide documents only upon request from the Internet registrar. The Coordination Center .RU/.РФ, which manages the national domains, talks about the need for an exception for non-residents. But experts believe that this will negate the impact of the new norms, which a number of Kommersant’s interlocutors already consider ineffective.

Deputy Chairman of the State Duma Committee on Information Policy, IT and Communications Anton Gorelkin, during the conference “Domain .ru is 30 years old” on April 8, spoke about the preparation of a bill on regulating the process of administering domain names. The document will be submitted to the State Duma this year, the deputy specified: “Such an agreement has been reached with all the actors on whom it depends.”

According to Mr. Gorelkin, the bill concerns “verifying those who register domain names through the Unified Identification and Authorization System” (ESIA). A Kommersant source in a large Internet company claims that the regulation will affect only administrators of the Russian national zones .ru and .рф. The initiative is aimed at combating phishing sites, the deputy explained. Formally, the Anti-Phishing information system of the Ministry of Digital Development, launched in 2022, is intended for this, he admits: “But as for how we ‘fight’: while we block (the domain.— Kommersant), the scammers will achieve the goal they were pursuing.”

The rules for registering domain names in .ru and .рф (these top-level domains are managed by the Coordination Center .RU/.РФ) already require the domain administrator to provide information about himself: for individuals, this includes details of an identity document, and for legal entities, the TIN or a similar identifier of a foreign state. But the administrator is obliged to send documents that confirm this data only at the request of the registrar. “In fact, no one checks the data, and it could be entered from stolen passport databases,” says Maxim Alexandrov, software product expert at the Security Code company.

The Ministry of Digital Development confirmed to Kommersant that the initiative is “being discussed with interested departments and industry.” However, Ru-Center General Director Andrey Kuzmichev claims that “in the current version” the bill has not yet been discussed with the market: “We are waiting for a dialogue, as was the case last year with the implementation of the hoster registry.” At the same time, he clarified that a basic description of the mechanism was presented to the Coordination Center .RU/.РФ back in 2019, and Ru-Center “participated in the creation and debugging of a pilot test site for such identification.”

Questions regarding exceptions to the requirement to use the ESIA remain open, and “there is a dialogue on them with the Ministry of Digital Development,” says Andrey Vorobyov, General Director of the Coordination Center .RU/.РФ: “An exception for non-residents seems logical.”

However, the head of the information and analytical service of the OA “Information for All”, Evgeny Altovsky, believes that such an exception will actually open the way for attackers: “Nothing will prevent them, as now, from indicating false data of foreign persons, and when requesting confirmation, sending fictitious documents.” Currently, the administrator’s data is confirmed after domain registration; if confirmation through the ESIA is required during the registration process, then “indicating the data of a foreign person will be a way to circumvent the requirement,” he added.

Alexander Bykov, head of security services at cloud provider Nubes, agrees that the new rules do not create problems for attackers: “They will use either ‘hijacked’ Russian domains or foreign ones.” At the same time, Mr. Alexandrov emphasizes that “the trust of a potential victim will be higher if the fraudulent site has the same domain ending as the real one.” Confirmation through the ESIA, in his opinion, “will make mass registration of domains in automatic mode almost impossible.” According to a Kommersant source at one of the Russian hosters, the point of the new norms is rather that the government needs to “systematize data on domain owners for further regulation.”

Yuri Litvinenko
