Many important websites haven’t added Registry Lock to protect against hacks similar to what brought down NYTimes.com.
Last month domain name registrar Melbourne IT was compromised, resulting in the hack of NYTimes.com’s nameserver record.
The New York Times’ problem could have been prevented had the company paid a little extra for Verisign’s Registry Lock service. Registry Lock adds another layer of protection against unauthorized domain name transfers and nameserver updates.
With a typical cost of under $50 a month (Verisign charges $10; registrars add their own markup), Registry Lock is a nominal expense for big companies. Surprisingly, a lot of big sites don’t use it.
The raw numbers
The domain data pros at DomainTools routinely collect the “thin” whois data from Verisign for .com and .net domain names. The company collected status information between August 15 and August 27 for over 125 million domains, which roughly represents all of the domains in existence as of August 15. (Note that this was prior to the NYTimes.com hack and news about Registry Lock that came out afterward.)
Just 14,509 .com/.net domains contained some variation of Registry Lock at the time the data was collected.
…but those aren’t all paying customers
This number greatly overstates the number of domain owners that have paid to add the service to their valuable domain names. Many of the domain names included in the top line number were locked by the registry as a result of legal actions instead of at the customer’s request.
For example, the DomainTools data provided to DNW show that 1,614 domains at GoDaddy had Registry Lock during the collection period. Yet the registrar doesn’t even offer the product to customers.
A couple hundred of the company’s own domain names have Registry Lock. The rest of the GoDaddy domains showing Registry Lock are likely stuck in legal proceedings or seized by the government. For example, eCyclingOnline.com and Bike-Jersey.com, both seized by the U.S. Government earlier this year and registered at GoDaddy, now show Registry Lock.
This may explain why registrars BizCn.com, Xin Net Technology Corporation and HiChina are among the top five domain registrars in terms of Registry Locked domain names.
About 1 in 300 domains registered at BizCn.com are locked at the registry level. This includes seized domains FanJerseyShop.com and NHLClubhouse.com.
Top ten domain registrars in terms of total number of .com/.net domains locked by registry. At some registrars, many of these domains are locked for legal purposes, not because the customer paid for Verisign’s Registry Lock.
So far fewer than the 14,509 domains showing Registry Lock have turned it on for security purposes.
Many large sites don’t use Registry Lock
When you consider that only a small portion of the 14,509 sites with Registry Lock have asked for the service, there’s no doubt that relatively few companies have added the protection to their top domain names overall.
That’s even more apparent when you look at a list of the top websites.
Of the 1,000 largest .com/.net websites (Alexa), just 92 had Registry Lock turned on during the data collection period. Popular destinations such as Amazon.com, Microsoft’s Live.com, Tumblr.com, and Pinterest all lack Registry Lock. (In fact, Pinterest didn’t even have a registrar lock turned on. There are over 26 million websites without Registrar Lock, meaning it’s even easier to steal the domain names.) Amazon.com and Tumblr.com added Registry Lock after the NYTimes.com attack.
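The Registry Lock and Registrar Lock states counted above appear in whois output as EPP status values, so a domain owner can audit their own names by parsing them. The sketch below is an added example, not DomainTools' or Domain Name Wire's code: the status names come from RFC 5731, treating all three server-side prohibitions as a full Registry Lock is an assumption, and the whois excerpts are constructed.

```python
import re

# EPP status values (RFC 5731): "server*" flags are set by the registry,
# "client*" flags by the registrar.
REGISTRY_LOCK = {"serverdeleteprohibited", "servertransferprohibited",
                 "serverupdateprohibited"}
REGISTRAR_LOCK = {"clientdeleteprohibited", "clienttransferprohibited",
                  "clientupdateprohibited"}

# Accepts "Status: x" and "Domain Status: x https://icann.org/epp#x".
STATUS_RE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)",
                       re.I | re.M)

# Constructed whois excerpts (reserved .example names), not real lookups.
SAMPLES = {
    "full.example": "Domain Name: FULL.EXAMPLE\n"
                    "   Status: clientTransferProhibited\n"
                    "   Status: serverDeleteProhibited\n"
                    "   Status: serverTransferProhibited\n"
                    "   Status: serverUpdateProhibited\n",
    "partial.example": "Domain Status: serverTransferProhibited "
                       "https://icann.org/epp#serverTransferProhibited\n",
    "registrar.example": "Status: clientTransferProhibited\n",
    "open.example": "Domain Name: OPEN.EXAMPLE\n   Status: ok\n",
}


def parse_statuses(whois_text):
    """Return the set of lower-cased EPP status values in a whois record."""
    return {m.lower() for m in STATUS_RE.findall(whois_text)}


def classify(whois_text):
    """Return 'registry', 'partial-registry', 'registrar' or 'none'."""
    statuses = parse_statuses(whois_text)
    if REGISTRY_LOCK <= statuses:
        return "registry"          # all three server-side prohibitions set
    if statuses & REGISTRY_LOCK:
        return "partial-registry"  # "some variation" of a registry-level lock
    if statuses & REGISTRAR_LOCK:
        return "registrar"         # registrar-level lock only
    return "none"                  # no lock at either level


def audit(records):
    """Map each domain name to its lock classification."""
    return {name: classify(text) for name, text in records.items()}


if __name__ == "__main__":
    for name, state in audit(SAMPLES).items():
        print(f"{name:20} {state}")
```

The status flags alone cannot tell a lock the owner requested from one the registry applied for legal reasons, which is the overcounting problem described earlier in the article.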
Why more sites don’t use Registry Lock
There are a few reasons there may be low adoption of Verisign’s Registry Lock: availability, knowledge, and potential drawbacks.
Rich Merdinger, Vice President of Domains at GoDaddy, told Domain Name Wire that it generally hasn’t considered Registry Lock an “appropriate fit for our primary customer segments”, but “since the recent compromise to NYTimes.com, we have heard from a few of our enterprise customers and are reviewing the advantages and disadvantages of offering a Registry Lock.”
One of those drawbacks, as Merdinger points out, is the inability to make quick changes to DNS if a domain has Registry Lock.
I suspect the biggest reason more large websites haven’t adopted Registry Lock is awareness. That awareness is growing in the wake of the NYTimes.com hacking. I expect more domains to have Registry Lock the next time the numbers are run…and that won’t be because of government domain seizures.
Mickey says
Shame on NAME.COM that they do not offer such a service, especially when their parent company eNOM does.
Dave Z says
AFAIK, there’s no requirement that registrars even offer Registry Lock in the first place. Maybe Name.com will offer that service at some point, depending on demand from their own customer base.
(Disclosure: I’m also a Name.com affiliate. I share what I know and let people decide for themselves whether or not the registrar fits them.)
Rama says
Enom does NOT have registry lock available when registering a domain
Marius says
Registry Lock does not prevent updates on DNS Zones; even with the Registry Lock, nytimes.com would have gone offline…
The Registry Lock is only a part of the right solution!
Andrew Allemann says
Registry Lock prevents the nameservers from being changed. So NYTimes would not have gone offline because the hackers wouldn’t have been able to change the nameservers.
Marius says
You cannot change nameservers at the Registry while the LOCK is active, right.
But you can change any DNS Records in the Zone if the registrar also delivers DNS Services. The LOCK won’t help if someone changes your A-Records 😉
Andrew Allemann says
Right, but I don’t think NYTimes was using Melbourne IT’s DNS services.
Marius says
I also don’t know…
Because Twitter did not go offline, my guess was this might have been the issue.
Anyway, a lot of registrars offer DNS services from the same panel/account, and this is a threat even if Registry Lock is activated.
It’s up to the registrars to take additional security measures, I’d say.
Andrew Allemann says
Marius, Twitter had Registry Lock, which is precisely the reason the hackers weren’t able to divert the site 🙂
Marius says
ah ok, thanks 🙂
Peter says
Would love to see a 2015 article on this