Home / Blogs

Domain Name Registries Must Do More to Protect Highly-Trafficked Domains

Elisa Cooper

With the recent attacks against high-profile New Zealand domain names including Coca-Cola.co.nz and F-Secure.co.nz, fingers are naturally pointing to Domainz, the registrar of record for these domains, as the party responsible for this lapse in security. While domain name registrars certainly need to ensure the security and stability of their systems, domain name registries must also step up and take responsibility for mitigating risks posed by hackers.

Many of the world's largest registries subscribe to EPP (Extensible Provisioning Protocol) which is a flexible protocol that enables communication between domain name registrars and domain name registries for transferring, registering, renewing and managing domain names. Other registries provide proprietary methods of automated communication for the management of domain names. Hackers have now recognized that if the internal networks of domain name registrars are compromised, that these protocols can be used to easily update domains names and redirect website traffic to any site.

Some registries have recognized the risks posed to highly trafficked sites by hackers, disgruntled employees and even erroneous changes, and have implemented a new level of security which prohibits changes to specified domains; unless a manual protocol is first completed by the registrar.

Clearly the risks posed by hackers to highly-trafficked sites will only continue to grow now that these vulnerabilities have been identified. Domain name registries and domain name registrars need to work together to identify methods for improving the security of all domain names, and especially those garnering significant traffic.

By Elisa Cooper, SVP Marketing and Policy at Brandsight, Inc.
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

While I can understand where you're coming Michele Neylon  –  Apr 24, 2009 5:30 PM PDT

While I can understand where you're coming from, I'd have to take issue with the idea of registries singling out specific domains for special treatment.
Improving security across the board would be a good thing, but singling out specific domains would be highly problematic

Should registrars really be the first to throw stones? Jay Daley  –  Apr 25, 2009 5:13 PM PDT

I should declare at the outset I am the CEO of the .nz registry, at whom your comments were aimed.

You have some interesting logic here - "a registrar is compromised therefore the registry should have done more to limit the effect of such a compromise".

Let's just work through the implications of that.  Yes we registries could introduce a manual process for the registrar to follow on specified domains (presumably specified by the registrar).  This manual process is likely to cost around 10 to 20 times the annual cost of the domain, because registry costs are all built around a high degree of automation.

So we now we would have a two tier market where the registrants that can afford to pay a lot more get much better protection.

Let's suppose some of the less well off registrants aren't happy with that and start to kick up a fuss.  They want the same level of protection but without the exorbitant cost.  Something the consumer protection regulators are likely to sympathise with strongly.  What's more, these registrants point out that you can have an automated process which achieves the same result at a fraction of the cost.  One where the registry emails the registrant directly to ask them to unlock a domain or accept a specific change. 

Do registries reply "no, we only work through registrars and so the two tier system is the best we can do"?  Or do we fundamentally change the relationships between registry -> registrar -> registrant?

Or perhaps registrars should raise their game by being transparent on their internal controls, publishing their security audits, developing an industry certification scheme and so on, rather than expecting registries to protect them from themselves?  And perhaps registries and regulators should begin to insist on some of that?

JayExcellent comment which sums up a lot Michele Neylon  –  Apr 26, 2009 2:52 PM PDT

Jay
Excellent comment which sums up a lot of the issues that I perceived.
I posted a followup over here:
MarkMonitor vs NZ

Michele

I'm not sure that the registries have Jeremy Hitchcock  –  Apr 26, 2009 2:39 PM PDT

I'm not sure that the registries have any place to enforce better controls.  I think that your manual process which a registrar would have to complete is also a mechanism that a would be hacker may bypass.  Already, BGP-hijacking allows for one to bypass one part of the security mechanism that registries use (IP ACLs).  Registrants may want to look for better authentication mechanisms.

Since registrars are the ones that are effectively the end-user to registry connection through the registrar than you are ultimately suggesting that the end-user have some contact with the registry.  A better way is that registrants are recognizing that registrars can be different based on their security practices and for registrars to innovate.

Response to Comments Elisa Cooper  –  Apr 27, 2009 10:25 AM PDT

Thanks to all for taking the time to review and comment on this post.

First of all, let me be very clear, that I am in no way suggesting that registrars are not responsible for the security of domains under their management.

I am simply stating that there are additional measures that registries could also employ to ensure the security of valuable domains, such as setting domains to a Registry Lock status, to prohibit updates by any third party.

Yes, additional costs might be incurred for the management of this domain status. Given the value of corporate websites, I would think that this is a cost for which owners of highly-trafficked websites would pay, even though changes to highly trafficked sites are not particularly common.

Some of the world's largest websites are already employing this added level of security. As the demand for this type of security increases, I suspect that we will hear more about it.

To post comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

New TLDs

Sponsored byAfilias