Domain Name Wire

Domain Name Wire

  • How The New York Times could have prevented yesterday’s attack for just $50

    1. BY - Aug 28, 2013
    2. Domain Registrars
    3. 8 Comments

    Adding Registry Lock service to a domain name prevents unauthorized name server changes.

    internet securityYesterday the nameservers for The New York Times’ NYTimes.com domain name were altered, allegedly by the Syrian Electronic Army, which led to some internet users not being able to access the company’s website.

    The New York Times could have easily prevented this from happening at a cost of under $50 a month. All it needed to do was add a product called Registry Lock to its domain name registration.

    As a bit of background, there are two parties that play a key role with .com domain names. One is the domain name registrar, such as GoDaddy or Melbourne IT. The other is Verisign, which manages the registry for .com domains.

    Domain name registrants don’t deal directly with Verisign. Registrants instead request changes to their domains through their domain name registrar.

    For example, if I want to change the nameservers for DomainNameWire.com to point to a different location, I can log in to my GoDaddy account and make the change. GoDaddy, in turn, automatically sends this information to Verisign to update its records.

    But what if your domain name registrar account is compromised?

    That’s what apparently happened in the case of NYTimes.com and its domain registrar Melbourne IT.

    And that’s where Registry Lock, which Verisign offers through domain name registrars, comes in to play. It prevents the registrar from making a nameserver change directly.

    If NYTimes.com had Registry Lock*, then when the perpetrators tried to change the nameservers it would have triggered a manual verification process between Melbourne IT and Verisign:

    Melbourne IT would send a request to Verisign. Verisign would then verify the request and require a verbal passphrase before removing Registry Lock and thus allowing the name server change.

    It’s not foolproof, but it’s pretty solid protection. Unless someone managed to use social engineering to trick a registrar employee (which can happen) or if there’s an “inside man” at the registrar or customer, it would be very difficult to make an unauthorized change.

    Patrick Kane, SVP for Naming and Directory Services at Verisign, describes Registry Lock as an “additional layer” of protection.

    “If a registrar has not done something, such as preventing a hack, they can rely on us as a backstop to prevent most of these types of attacks,” Kane told Domain Name Wire today.

    Registry Lock does not prevent someone from changing the registrant name or contact details for a .com domain name, since this information is managed solely at the domain registrar level. We saw this yesterday with Twitter. Twitter.com uses Registry Lock, so its nameservers weren’t compromised. However, the perpetrators did change the contact information for Twitter.com in whois.

    Normally, changing the contact information might be enough to enable someone to hijack the domain name and transfer it to a different registrar. But with Registry Lock on, domain names can’t be transferred to another registrar.

    Registries for other top level domain names, such as .biz and .eu, offer a similar service.

    Registry Lock is primarily offered by domain name registrars that focus on brand management and corporate customers, such as Mark Monitor.

    Verisign charges domain name registrars no more than $10 a month per domain for the service. Domain name registrars mark the price up from there, with some including it in a bundle of services. The mark up can be rather high because of the manual process involved, but Irish domain name registrar Blacknight told me it generally charges 30 euros per month for the service. I have inquired with Melbourne IT for its pricing.

    No matter the cost, it’s a small price for a company like The New York Times to pay to protect its online presence.

    *The New York Times has now added Registry Lock to NYTimes.com.

8 Comments
  • Andrew,thank you for educating me on the “registry lock ”
    I did not know Verisign is offering this service.

  • Does that only lock NS records? What about MX for example?

  • Are we heading towards an economy where basic security functions are charged ‘a la carte’? Anyone remembers the mess that existed prior to the use of locking and auth codes for domain transfers? ICANN needs to spend a good chunk of its cash reserves on establishing a better and safer experience for domain owners.

  • I can’t recall, but is that $10 a month per domain name or?

  • (A registrar here)

    Andrew, totally agree that this is an extra level of protection in one sense. But the entire idea of social engineering is to setup a situation to get by things like this.

    In the case of the above you could change the contact info on one day and then over time (not immediately) contact the registrar to change other info and finally make the change that is intended to get control. In that sense it’s possible that registry lock gives you a false sense of security.

    You are also not looking at the downside of registry lock. If there is a reason that you need to change dns quickly (say your dns provider has been compromised) then the fact that there is registry lock will delay that! See the problem here?

    Most security measures come with drawbacks.

Leave a Reply