Domain Name Wire | Domain Name News & Website Stuff

Domain Name Industry News and Website Stuff

Featured Domains

Afilias to offer Registry Lock service

by Services 3 Comments

28 more top level domains can be locked at the registry level.

Picture of lock on bars with the words "Registry Lock" above it in black letters on yellow background

Afilias is the latest domain name registry to offer a Registry Lock service for websites that need added protection against hijacking and nameserver changes.

Registry Lock is very different from locking a domain name at a registrar. A typical domain lock means a domain can’t be transferred to another registrar until it is unlocked in the registrar interface.

Registry Lock requires manual authentication with both the registrar and registry before changes can be made to a domain.

Different registries have different procedures, but Registry Lock usually requires a domain owner to request a change with the registrar and then the registrar completes a manual process with the registry to allow the change. Domain registrar Blacknight explains the process on its website.

It’s a necessary service for big websites, and would have saved the New York Times from having its nameservers hijacked in 2013.

As of 2013, .com registry Verisign charged $10 a month for its Registry Lock service. Registrars typically charge $300-$600 per year because of the manual work involved. I suspect registrars will charge a similar price for Afilas’ service, although brand protection registrars often bundle it with other services.

The Afilias service will be available for 28 top level domains.

.UK adds registry lock option

by Services 0 Comments

.UK domains can now get added protection against nameserver and domain hijacking.

Nominet.UK registry Nominet is now offering its own version of a registry lock service, dubbed “Domain Lock.”

Similar to Verisign’s Registry Lock service for .com domain names, Domain Lock requires manual intervention and authentication in order to change key details about a domain name. This authentication should prevent the type of attack that took down the New York Times website last year.

While targeted to high traffic websites, the service is available to any domain that ends in .uk.

Nominet charges registrars £6.25 per month for the service. That’s in line with the $10 Verisign charges for registry lock for .com domain names.

Retail customers should expect to pay much more. This type of service places extra demands on the registrar that can’t be automated easily. Given the setup and potential ongoing costs, I would expect registrants to pay registrars five to ten times Nominet’s fee.

6 of top 20 websites vulnerable to attack that took down NYTimes.com

by Domain Registrars 4 Comments

Amazon.com and Pinterest among those sites more vulnerable to unauthorized nameserver changes.

Yesterday I wrote about how NYTimes.com could have avoided its nameserver hijacking on Tuesday had it paid about $50 a month for a service called Registry Lock.

As the 55th most trafficked website (Quantcast), it seems like a small price to pay to avoid downtime.

But The New York Times, which has since added Registry Lock, is not the only large website that hasn’t taken the extra step of adding this product.

In analyzing the top twenty .com web sites as ranked by Quantcast, six of them don’t have Registry Lock added:

Amazon.com
Pinterest.com
Tumblr.com
Answers.com
Live.com
Ask.com

Pinterest.com seems to be even more vulnerable than the others, as it appears to not even have a registrar lock turned on.

Interestingly, Microsoft does have the added protection on Microsoft.com and Bing.com, but not Live.com.

It’s still possible that an attacker could defeat Registry Lock and change a domain’s nameserver, but it would be a lot more challenging than what happened to The New York Times this week. In fact, although the perpetrators changed whois information for Twitter.com, they weren’t able to change the nameservers because Registry Lock was turned on.

VeriSign Offers Tools to Secure Domain Names

by Services 4 Comments

Two tools from VeriSign help keep your domain names secure.

VeriSign two factor authenticationWith a couple recent high profile domain thefts, and the recent hijacking of Baidu’s nameserver settings, I reached out to VeriSign Chief Technology Officer Ken Silva to learn what VeriSign offers to help domain owners protect themselves.

“Over the next 12 months, we’re working so that from the time a person registers a domain name and creates an account to when it gets resolved, almost every single solitary aspect of the process will have the ability to be much more secure,” said Silva.

A number of protections are already offered to VeriSign’s registrar channel to help lock down domains.

VeriSign Registry Lock is a service that would have prevented the hijacking of Baidu.com’s nameservers.

“Once the domain is set and configured with its nameservers, it cannot be changed by anyone except the registry itself,” explained Silva.

Registry Lock essentially locks down the domain at the registry level. Anyone wishing to make a change that is controlled by the registry needs to go through their registrar, which in turn passes along verification to VeriSign.

Since VeriSign manages .net and .com, which use a “thin whois”, this basically means the name servers are protected. Information about the registered user is held only by the registrar, so VeriSign can’t directly protect a change to the registered user with this lock. Registry Lock is an ideal service for Fortune 500s and other companies that rarely need to change their name servers, but would be significantly affected by a hijacking. This service certainly would have saved CheckFree and Baidu a lot of money and public relations headaches.

VeriSign also offers two factor authentication, which enables registrars to more securely authenticate logins. Domain owners don’t have to worry about passwords getting compromised because a second authentication mechanism is used.

For example, Name.com offers a key fob with constantly changing security pins.

In another example, domain owners can download an iPhone app that is then registered with the service. Whenever a user logs in to his registrar account, the app will provide a one time pin or password for authentication. VeriSign already offers this service for non-domain web sites, such as PayPal.

Helping registrars offer services to protect registrants is a big part of VeriSign’s security push. But it also goes further as the company wants to protect the entire domain transaction — including visiting any .com web site. VeriSign is currently implementing DNSSEC. Look for it to be applied to .edu first, then rolled out to .net and .com.