It was designed specifically to prevent these kinds of attacks. You can design your own security procedure. "For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally."
As far as I can tell, they've never been pwned.
The rules for the customer don't matter much is it get hold of a company account which can make the right change.
Re. Cryptocurrency, I'd be really nervous implementing that in production. The current registers may not be perfect, but there's an escape hatch where things go wrong, you contact the right people and changes get reverted. With coin based DNS, the right hack may mean you lose access to your domain forever and there's no rollback possible.
GoDaddy has repeatedly fucked this up. Once, they renewed the cert, but didn't publish it to the logs of issued certs. So Chrome started rejecting the new cert. Hard downtime. It took almost 24 hours for them to issue the guidance to "just renew it again and hopefully it will work this time...we'll refund the first one". Crazy.
For what it's worth, you can log certificates. It's not common for issuers to even offer certificates that haven't already been logged, but some applications want that, and it's perfectly possible to do it, Google do it for some systems. The issuer has no special right to log certificates, broadly anybody can do it (big issuers have some agreement for volume performance, but you're probably only doing one or two by hand so who cares).
Major logs just have a public endpoint, you give them a certificate they give you back an SCT (the timestamped "proof" it was logged). The modern logs tend to have two constraints: The certificate must be from a CA they trust (in almost all cases that's going to be a similar list to the list Chrome uses) and it must expire in the right year because they've all sharded their backend systems by expiry date, this way all the 2019 expired certificates can get flushed away in 2020 rather than needing valuable always on-line storage forever.
Your HTTP server needs to actually give the SCT to the web browser (whereas if it was baked into the certificate that's not your problem) but you can configure popular servers to do that.
Stay far, far away from godaddy.
Note that the registry may only be available to do unlock procedures for limited hours, usually business hours in their locale; that might be inconvenient if it's not your locale.
My understanding is Cloudflare can do registry locks, but does not offer registrar services standalone. Corporate oriented registrars like CSC and MarkMonitor offer it. I don't have experience eith CSC, but MarkMonitor had a pretty high minimum spend (I think 10k/year) to get on their platform circa 2013; that may have changed, also they're now owner by a VC firm, just FYI.
NetworkSolutions (boo hiss), rolled out a registry lock feature after a high profile hijacking which was why my employer had me work with MarkMonitor.
1. configure my nameservers and whois info.
2. pay my bills.
3. prevent other people from taking over my domain.
I can see how AWS would give you more confidence in #3.
considering AWS is just reselling Gandi, I would love to hear how AWS (or any registrar) can be more reliable than another :)
Thankfully I only used that account for some retail purchases.
And if you can’t afford a few k a month for a dedicated support person for your infra, then you aren’t worth supporting - I.e. go to godaddy
The market kind of helps optimise this.
It's been around since 1998 and is a founder-owned company, and the founder wrote the book on managing mission-critical domains:
And they do offer registry lock (on a limited number of TLD's.)
Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.
Porkbun has an extra "domain password protection" option where you can require and extra password retrieving an auth code for domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).
I've had great experience with porkbun, and no major complaints with namecheap.
With those instructions, it doesn't look too hard. Without godaddy-specific instructions, I would have had a lot of trouble figuring it out. Unlock registration; get authcode; turn off whois privacy protection; accept transfer. Each done in a different screen.
I went to do that, to discover... this old domain, the oldest I have registered, has both an email and a phone number that I no longer have access to, and which GoDaddy wants to do 2-factor using one of them even though I do have my password. (The last 4 of the phone number I recognize as a landline I last had around 17 years ago, before I had a cell phone. I've had this domain for a while, from before I knew better than to use godaddy). They let me pay them renewal every year without me having to log into my account or notice I can't anymore, which I guess is better than stealing my domain becuase of it, but is also why I hadn't noticed for years I could not log into the account.
So I guess first step is figuring out how to get GoDaddy to give me access to the account again... it looks like that may necessarily involve some disruption/outage to my DNS which is in the old account I can't get access to. We'll see.
edit wait a second, they totally send me a renewal notice to email every year. They know my current email! They are insisting on sending a 2-factor code to a different email I no longer have access to. Wtf is that?
I recently got a notification that someone logged into my GoDaddy account. I angrily log in, knowing that I don't have any resources.
I'm greeted with a login log that shows "Android app" logging in every day for the past year, from multiple different countries. And my account required email confirmation (which must have been being by-passed on the Android app?)
It's bad. Don't use GoDaddy. While you're at it, you should really actually make backups and use a password manager too.
They double down on this by putting their “legal” team in Eastern Europe and make it seem like actioning their TOS against scammers puts them in a position of violating free speech (or something equally as stupid).
I wouldn’t be surprised if the majority of Namecheap’s income comes from domains registered for phishing scams. It’s that rampant and they just do not care.
I moved to, among others, Porkbun.
It's almost impossible to vet registrars or registries, as this information isn't easily available.
The easiest way to vet them is to call them and ask them what their policies are, then test them (for legal reasons, against your own test domains would be best...). See whether you can find documentation about their policies online. If you can't find them: potential red flag. If you can find them but it doesn't seem thorough/very secure: red flag. If they don't seem to deal with international customers: potential red flag. If they don't support TOTP or U2F, or you can't disable SMS validation: red flag. If their password policies suck: red flag (just create a free account and see what it lets you use). If they don't do both registry & registry lock for your TLD, or won't explain how the process works for that TLD: run away.
Often they may document their online process for doing things like registry lock. Call them up and say you are a potential customer and you want to know what you can do over the phone, then ask them what you need to provide in order to do each thing. They're not going to try to hide anything from you, so they may tell you if (for example) all they need to know is your full name, e-mail address, and what domain you want to unlock. They'll also tell you if they only send EPP codes over e-mail or their web interface, or if they have a way to record customer support requests (like a special verification code for phone support, select lists of people who can administrate the account, etc).
Of course, it's up to each customer service rep to actually follow the Registrar's rules. It just takes one lazy SOB to skip all the steps and just do whatever you ask to ruin everything. So you might also ask to talk to whomever manages the support reps and find out more about them, like how much training they receive and how much oversight is done over each support call. You'll probably have to settle for correspondence over a ticketing system.
Registries you'll probably have to e-mail for their rules, or ask a Registrar. Some registries can be unnecessarily cloak-and-dagger about their policies, but some registrars don't care and will tell you anyway. Personally, I would stay away from the Registries that require two weeks of paperwork just to change WHOIS information.
a) When you register the domain, you provide a public key.
b) The registrar will only ever redirect the domain if they receive a message signed with the corresponding private key.
There is a holding period if you stop paying for the domain, before it is released to the public again. You pay for the holding period in advance, when you do the initial registration.
This can be built today with existing technology.
Can someone please make this? Any feedback? Does this exist already?
Half the battle is for registrars to quit accepting the equivalent of cold calls from registrants. How hard is it to make a call back to the registrant when they're asking for NS, MX, etc. changes?
If the registrant phone number hasn't changed since registration, it's pretty safe to call them back and trust them IMO. If the registrant phone number was changed 5 days ago and someone is calling in asking for changes, that's an easy red flag and could be coupled with a technical restriction that requires escalation for important domain changes.
Another option similar to yours but easier would be to set a pin during registration and to require it for making over the phone domain changes. I guarantee those will get lost / forgotten by the average registrant though.
You'd be shocked at the number of small businesses that don't know where there domain is registered, who registered it, when it expires, etc..
If a domain is making money use a registry lock. If it's a high value domain making tons of money, pay MarkMonitor or similar to manage it.
I don't care. It's a niche service. There are at least tens of thousands of security-paranoid developers who would be a target market for this product. This is child's play for anyone involved in the blockchain space.
But still there're no guarantees that the registrar's own it infra is secure, or insiders with the wrong root access somewhere?
Namecoin was/is working on this. Another project is mentioned somewhere else in this thread (but it might be a scam, not sure).
I absolutely cringe at how easy it's always been for me, but I likewise think anything like you've described would be just end up with an awful lot of businesses locked out of their domains.
Also, foreign tech support, typically Eastern European. For all the expensive audits tech companies do on their appsec, all it takes is 1 disgruntled Ukrainian who says "fuck those Americans for playing a part in fucking up my country" (or more usually phishing or a bribe) and suddenly a few important domains are compromised.
I wonder if paying the premium to MarkMonitor prevents the risk of foreign and underpaid staff, but the domain industry is more like a commodity now and they hook you in with "cheap cheap cheap".
Also, the only thing crypto seems to be making the news for these days is when a company gets hacked. So much for that revolution.