Two tools from VeriSign help keep your domain names secure.
With a couple of recent high-profile domain thefts, and the recent hijacking of Baidu’s nameserver settings, I reached out to VeriSign Chief Technology Officer Ken Silva to learn what VeriSign offers to help domain owners protect themselves.
“Over the next 12 months, we’re working so that from the time a person registers a domain name and creates an account to when it gets resolved, almost every single solitary aspect of the process will have the ability to be much more secure,” said Silva.
A number of protections are already offered to VeriSign’s registrar channel to help lock down domains.
VeriSign Registry Lock is a service that would have prevented the hijacking of Baidu.com’s nameservers.
“Once the domain is set and configured with its nameservers, it cannot be changed by anyone except the registry itself,” explained Silva.
Registry Lock essentially locks down the domain at the registry level. Anyone wishing to make a change that is controlled by the registry needs to go through their registrar, which in turn passes along verification to VeriSign.
Since VeriSign manages .net and .com, which use a “thin whois”, this basically means the name servers are protected. Information about the registered user is held only by the registrar, so VeriSign can’t directly protect a change to the registered user with this lock. Registry Lock is an ideal service for Fortune 500s and other companies that rarely need to change their name servers, but would be significantly affected by a hijacking. This service certainly would have saved CheckFree and Baidu a lot of money and public relations headaches.
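A domain owner can check from the thin whois record whether a registry-level lock is actually in place. The sketch below is an added example, not code from VeriSign or from this article: it parses whois text for EPP status values and name servers. The status names are the standard EPP values from RFC 5731 and do not appear in the article; requiring all three server-side statuses is this example's assumption, and the whois samples are constructed.

```python
import re

# EPP status values (RFC 5731): "server*" statuses are set by the registry,
# "client*" statuses by the registrar. Assumption of this example: a
# registry-locked name carries all three of these.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverTransferProhibited",
                 "serverDeleteProhibited"}

# Constructed thin-whois samples (example.com / example.net are reserved names).
SAMPLE_LOCKED = """\
   Domain Name: EXAMPLE.COM
   Registrar: EXAMPLE REGISTRAR, INC.
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
"""
SAMPLE_REGISTRAR_ONLY = """\
   Domain Name: EXAMPLE.NET
   Name Server: NS1.EXAMPLE.NET
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

# "Key: value" at the start of a line; only the first token of the value is kept.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S+)", re.M)

def audit(whois_text, expected_ns=()):
    """Report lock state and any name server outside the expected set."""
    statuses, servers = set(), set()
    for key, value in FIELD.findall(whois_text):
        key = key.lower()
        if key in ("status", "domain status"):
            statuses.add(value)
        elif key == "name server":
            servers.add(value.lower())
    missing = sorted(REGISTRY_LOCK - statuses)
    expected = {ns.lower() for ns in expected_ns}
    return {
        "registry_locked": not missing,
        "missing_server_statuses": missing,
        "registrar_locks": sorted(s for s in statuses if s.startswith("client")),
        "unexpected_name_servers": sorted(servers - expected) if expected else [],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOCKED, ["ns1.example.net", "ns2.example.net"]))
    print(audit(SAMPLE_REGISTRAR_ONLY, ["ns9.example.net"]))
```

A name that shows only client-side statuses is protected at the registrar, so anyone who takes over the registrar account can still change its name servers.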
VeriSign also offers two-factor authentication, which enables registrars to more securely authenticate logins. Domain owners don’t have to worry about passwords getting compromised because a second authentication mechanism is used.
For example, Name.com offers a key fob with constantly changing security PINs.
In another example, domain owners can download an iPhone app that is then registered with the service. Whenever a user logs in to his registrar account, the app will provide a one-time PIN or password for authentication. VeriSign already offers this service for non-domain web sites, such as PayPal.
Helping registrars offer services to protect registrants is a big part of VeriSign’s security push. But it also goes further as the company wants to protect the entire domain transaction — including visiting any .com web site. VeriSign is currently implementing DNSSEC. Look for it to be applied to .edu first, then rolled out to .net and .com.
Security is a cat and mouse game. How long before these mechanisms are circumvented?
average domainer says
I’m sure any new lockdown innovation will reduce the success rate of domain hijackers.
John Berryhill says
Countdown to collision of registry-level security with UDRP-ordered domain transfers in 3… 2… 1…
I was waiting for that type of service for a long time. Thanks, VeriSign.