Many important websites haven’t added Registry Lock to protect against hacks similar to what brought down NYTimes.com.
Last month domain name registrar Melbourne IT was compromised, resulting in the hack of NYTimes.com’s nameserver record.
The New York Times’ problem could have been prevented had the company paid a little extra for Verisign’s Registry Lock service. Registry Lock adds another layer of protection against unauthorized domain name transfers and nameserver updates.
With a typical cost of under $50 a month (Verisign charges $10; registrars add their own markup), Registry Lock is a nominal expense for big companies. Surprisingly, a lot of big sites don’t use it.
The raw numbers
The domain data pros at DomainTools routinely collect the “thin” whois data from Verisign for .com and .net domain names. The company collected status information between August 15 and August 27 for over 125 million domains, which roughly represents all of the domains in existence as of August 15. (Note that this was prior to the NYTimes.com hack and news about Registry Lock that came out afterward.)
Just 14,509 .com/.net domains contained some variation of Registry Lock at the time the data was collected.
…but those aren’t all paying customers
This number greatly overstates the number of domain owners that have paid to add the service to their valuable domain names. Many of the domain names included in the top line number were locked by the registry as a result of legal actions instead of at the customer’s request.
For example, the DomainTools data provided to DNW show that 1,614 domains at GoDaddy had Registry Lock during the collection period. Yet the registrar doesn’t even offer the product to customers.
A couple hundred of the company’s own domain names have Registry Lock. The rest of the GoDaddy domains showing Registry Lock are likely stuck in legal proceedings or seized by the government. For example, eCyclingOnline.com and Bike-Jersey.com, both seized by the U.S. Government earlier this year and registered at GoDaddy, now show Registry Lock.
This may explain why registrars BizCn.com, Xin Net Technology Corporation and HiChina are among the top five domain registrars in terms of Registry Locked domain names.
About 1 in 300 domains registered at BizCn.com are locked at the registry level. This includes seized domains FanJerseyShop.com and NHLClubhouse.com.
Top ten domain registrars in terms of total number of .com/.net domains locked by registry. At some registrars, many of these domains are locked for legal purposes, not because the customer paid for Verisign’s Registry Lock.
So far fewer than the 14,509 domains showing Registry Lock have turned it on for security purposes.
Many large sites don’t use Registry Lock
When you consider that only a small portion of the 14,509 sites with Registry Lock have asked for the service, there’s no doubt that relatively few companies have added the protection to their top domain names overall.
That’s even more apparent when you look at a list of the top websites.
Of the 1,000 largest .com/.net websites (Alexa), just 92 had Registry Lock turned on during the data collection period. Popular destinations such as Amazon.com, Microsoft’s Live.com, Tumblr.com, and Pinterest all lack Registry Lock. (In fact, Pinterest didn’t even have a registrar lock turned on. There are over 26 million websites without Registrar Lock, meaning it’s even easier to steal the domain names.) Amazon.com and Tumblr.com added Registry Lock after the NYTimes.com attack.
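To run the same kind of check on your own portfolio, the added example below (not DomainTools' method or code from this article) classifies whois status lines. It assumes the standard EPP status codes from RFC 5731, treats the three server*Prohibited codes as Registry Lock and clientTransferProhibited as registrar lock, and uses constructed sample responses.

```python
import re

# EPP status codes from RFC 5731: server* values are set by the registry,
# client* values by the registrar. Treating the three server*Prohibited codes
# as "Registry Lock" is an assumption of this example.
REGISTRY_CODES = {"servertransferprohibited", "serverupdateprohibited",
                  "serverdeleteprohibited"}
STATUS_RE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*([A-Za-z]+)",
                       re.IGNORECASE | re.MULTILINE)

def statuses(whois_text):
    """Return the lower-cased status codes found in a whois response."""
    return {code.lower() for code in STATUS_RE.findall(whois_text)}

def classify(whois_text):
    """Classify a domain by the strongest lock its status codes show."""
    found = statuses(whois_text)
    server = found & REGISTRY_CODES
    if server == REGISTRY_CODES:
        return "registry-lock"
    if server:
        return "registry-lock-partial"   # only some server* codes are set
    if "clienttransferprohibited" in found:
        return "registrar-lock"
    return "unlocked"

def audit(records):
    """Map each domain to its lock class; records is {domain: whois_text}."""
    return {domain: classify(text) for domain, text in records.items()}

# Constructed sample responses (not real whois data).
SAMPLES = {
    "locked.example": """   Domain Name: LOCKED.EXAMPLE
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited""",
    "registrar-only.example": """Domain Name: REGISTRAR-ONLY.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited""",
    "open.example": "Domain Name: OPEN.EXAMPLE\n   Status: ok",
}

if __name__ == "__main__":
    for domain, result in audit(SAMPLES).items():
        print(f"{domain}: {result}")
```

A "registry-lock" result only shows that the server-level statuses are set; as noted above, it does not tell you whether the owner requested the lock or the registry applied it because of a legal action.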
Why more sites don’t use Registry Lock
There are a few reasons there may be low adoption of Verisign’s Registry Lock: availability, knowledge, and potential drawbacks.
Rich Merdinger, Vice President of Domains at GoDaddy, told Domain Name Wire that it generally hasn’t considered Registry Lock an “appropriate fit for our primary customer segments”, but “since the recent compromise to NYTimes.com, we have heard from a few of our enterprise customers and are reviewing the advantages and disadvantages of offering a Registry Lock.”
One of those drawbacks, as Merdinger points out, is the inability to make quick changes to DNS if a domain has Registry Lock.
I suspect the biggest reason more large websites haven’t adopted Registry Lock is awareness. That awareness is growing in the wake of the NYTimes.com hacking. I expect more domains to have Registry Lock the next time the numbers are run…and that won’t be because of government domain seizures.