Registry Lock is critical for important websites, and the cost is nominal compared to the protection it affords.
Last month I wrote about why companies with important websites — financial companies, large e-commerce sites, and other large businesses — should add Registry Lock to their domains. Registry Lock makes it much harder for bad actors to make any changes to a domain name, including changing the nameservers to point the domain to another website.
It’s been seven years since I talked to Verisign (NASDAQ: VRSN) about its Registry Lock product, so I reached out for an update.
Verisign informed me that 104 registrars are currently contracted to offer Registry Lock. The company does not disclose which registrars offer the product, but several registrar representatives commented on my last post that they offer it.
The registry charges registrars from $3.50 to $10.00 per month per domain, depending on volume. Registrars add a markup to this. The markup seems to have shrunk since the last time I investigated it; four registrars I found with public pricing information charge between $13 and $25 per month per domain. Some registrars charge a setup fee or change fee, which makes sense given that setup and changes require manual action at the registrar. Hexonet publishes its fees and covered domains here.
GoDaddy does not offer Registry Lock to customers. Would it have helped in the recent case in which GoDaddy reps were duped into handing over access? We don’t know all of the details behind that attack. Still, one unique thing about Verisign’s Registry Lock is that only a few employees at Verisign and the registrar are authorized to allow changes on locked domains. This reduces the likelihood that some sort of attack can take place. In the worst-case scenario, Verisign would quickly become suspicious if multiple change requests were made in short order.
The company stated:
Verisign has multiple layers of security in place to protect Registry Lock. Requests to remove or alter a domain’s Registry Lock status can only be made by authorized employees at Verisign, by a small number of trusted and personal contacts at the registrar, and must be appropriately verified through the use of authentication codes.
Verisign urges companies to take additional precautions above and beyond Registry Lock, though:
Registry Lock was designed as an additional layer of protection over and above lock services offered by the registrar; the two should be used in conjunction, so as to cumulatively reduce a domain’s threat surface.
Sounds like good advice.
(Note: While researching registrars that offer Registry Lock, I encountered many different security and lock products. Make sure to ask the registrar if its service includes Registry Lock because many use vague terms for services that don’t offer the same protection level.)
Definitely worth knowing. I would be interested to know if anyone knows a registrar that does NOT auction off expiring domains which have been registered through them.
Google, Amazon, CSC