I'm pretty intrigued by the cryptocurrency-based DNS alternatives that get kicked around in discussions like this. But if you need a way to mitigate this threat for your business today, I'd recommend Cloudflare's Enterprise Registrar.
It was designed specifically to prevent these kinds of attacks. You can design your own security procedure. "For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally."
But this is only a procedure for the customer. We'd hope that their employees have internal rules that are just as strict for interacting with internal IT, but can't be sure.
The rules for the customer don't matter much is it get hold of a company account which can make the right change.
Re. Cryptocurrency, I'd be really nervous implementing that in production. The current registers may not be perfect, but there's an escape hatch where things go wrong, you contact the right people and changes get reverted. With coin based DNS, the right hack may mean you lose access to your domain forever and there's no rollback possible.
Yup. If you're running something this critically important on your domain (i.e. pretty much any business doing 7 figure revenue or more), it'd really behoove you to switch to a registrar that supports registry lock on your domain. Then you're protected by the procedures at two unrelated business entities.
As an old dinosaur who ended up becoming involved in the blockchain space, this doesn't surprise me at all. I suspect this is a generalizable pattern: a new industry is created and very little of the experience learned in older industries is transferred.
I have the misfortune of being forced to use GoDaddy for a certificate. For reasons I won't go into Let's Encrypt isn't an option. The certificates that Cloudflare provisions (even when not using their universal SSL feature) are issued by a CA which isn't supported by all versions of Apple Podcasts. GoDaddy was the only viable option.
GoDaddy has repeatedly fucked this up. Once, they renewed the cert, but didn't publish it to the logs of issued certs. So Chrome started rejecting the new cert. Hard downtime. It took almost 24 hours for them to issue the guidance to "just renew it again and hopefully it will work this time...we'll refund the first one". Crazy.
If you have evidence they didn't log it to CT, that's a miss-issuance and reporting it to the root programs (via the Mozilla list) will trigger an investigation that will be taken very seriously.
> Once, they renewed the cert, but didn't publish it to the logs of issued certs.
For what it's worth, you can log certificates. It's not common for issuers to even offer certificates that haven't already been logged, but some applications want that, and it's perfectly possible to do it, Google do it for some systems. The issuer has no special right to log certificates, broadly anybody can do it (big issuers have some agreement for volume performance, but you're probably only doing one or two by hand so who cares).
Major logs just have a public endpoint, you give them a certificate they give you back an SCT (the timestamped "proof" it was logged). The modern logs tend to have two constraints: The certificate must be from a CA they trust (in almost all cases that's going to be a similar list to the list Chrome uses) and it must expire in the right year because they've all sharded their backend systems by expiry date, this way all the 2019 expired certificates can get flushed away in 2020 rather than needing valuable always on-line storage forever.
Your HTTP server needs to actually give the SCT to the web browser (whereas if it was baked into the certificate that's not your problem) but you can configure popular servers to do that.
I think there are good reasons to avoid GoDaddy, but do HN-ers feel like there are registrars whose employees would never fall for social engineering techniques, or whose systems and/or processes make such a scenario far less likely?
If it's really important, you need a registrar and a registry with a Registry Lock program. With this in place, when you want to make a change, you notify the registrar, who notifies the registry, who carries out the authentication procedure and, if successful, allows the domain to be changed, then relocks.
Note that the registry may only be available to do unlock procedures for limited hours, usually business hours in their locale; that might be inconvenient if it's not your locale.
My understanding is Cloudflare can do registry locks, but does not offer registrar services standalone. Corporate oriented registrars like CSC and MarkMonitor offer it. I don't have experience eith CSC, but MarkMonitor had a pretty high minimum spend (I think 10k/year) to get on their platform circa 2013; that may have changed, also they're now owner by a VC firm, just FYI.
NetworkSolutions (boo hiss), rolled out a registry lock feature after a high profile hijacking which was why my employer had me work with MarkMonitor.
Companies with better established security infrastructure like AWS and Google make for better registrars in my opinion. They're not perfect, for example with Google you might lose your domains due to a youtube infraction. Actually, now that I think about it strike Google from the list, just AWS really.
I would love to use AWS's registrar exclusively for anything I host there, but unfortunately they have a pretty limited selection of TLDs. it's more important to me that all my domains are in one place so I can review them at once. I really wish they would support more.
it should be noted that GoDaddy also own quite a few other registrars e.g. Host Europe Group who own 123-reg, Heart Internet, Host Europe, Webfusion, RedCoruna, Mesh Digital and Domainbox
Nearlyfreespeech is more of a host than a registrar, but I feel they generally have really good practices and procedures areound security. I certainly trust them more than Godaddy. That said, they don't support a lot of .wacky suffixes other registrars might.
Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.
Porkbun has an extra "domain password protection" option where you can require and extra password retrieving an auth code for domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).
Instead of compromizing cryptocurrency services, they support paying for their services in cryptocurrency. That's arguably a better strategy for engaging with the target audience of crypto enthusiasts ;)
I'm not very confident about Namecheap, given how long it took them to add 2FA. It seems to me that if they cared about security they wouldn't have waited literally years to do it.
I really gotta get a personal domain registration off of GoDaddy, but everytime I consider figuring out how to do that, I get exhausted. As is the intent.
With those instructions, it doesn't look too hard. Without godaddy-specific instructions, I would have had a lot of trouble figuring it out. Unlock registration; get authcode; turn off whois privacy protection; accept transfer. Each done in a different screen.
I went to do that, to discover... this old domain, the oldest I have registered, has both an email and a phone number that I no longer have access to, and which GoDaddy wants to do 2-factor using one of them even though I do have my password. (The last 4 of the phone number I recognize as a landline I last had around 17 years ago, before I had a cell phone. I've had this domain for a while, from before I knew better than to use godaddy). They let me pay them renewal every year without me having to log into my account or notice I can't anymore, which I guess is better than stealing my domain becuase of it, but is also why I hadn't noticed for years I could not log into the account.
So I guess first step is figuring out how to get GoDaddy to give me access to the account again... it looks like that may necessarily involve some disruption/outage to my DNS which is in the old account I can't get access to. We'll see.
edit wait a second, they totally send me a renewal notice to email every year. They know my current email! They are insisting on sending a 2-factor code to a different email I no longer have access to. Wtf is that?
Yes. GoDaddy is bad. That's why people have been discouraging its use here and shaming people for using it, for a decade? More?
I recently got a notification that someone logged into my GoDaddy account. I angrily log in, knowing that I don't have any resources.
I'm greeted with a login log that shows "Android app" logging in every day for the past year, from multiple different countries. And my account required email confirmation (which must have been being by-passed on the Android app?)
It's bad. Don't use GoDaddy. While you're at it, you should really actually make backups and use a password manager too.
I cannot login to the account without 2FA to an email address I no longer have access to (even though they can somehow send me annual renewal notices at my current email address), that's my problem.
Namecheap is another dumpster fire of a registrar. While GoDaddy seems to generally carry a low bar, Namecheap on the other hand completely turns a blind eye to their service becoming the number one platform for stolen credit cards buying thousands of domains for international phishing scams everyday.
They double down on this by putting their “legal” team in Eastern Europe and make it seem like actioning their TOS against scammers puts them in a position of violating free speech (or something equally as stupid).
I wouldn’t be surprised if the majority of Namecheap’s income comes from domains registered for phishing scams. It’s that rampant and they just do not care.
I'm not sure I want my registrar to be judging whether they think I'm criminal or not and terminating my service. I think that's the job for courts. But maybe I need to read up more on this issue, can you recommend articles as background reading?
So what you're suggesting is that registrars should be exempt from the standard that we hold literally everything else to?
This isn't a subjective topic. These are criminal syndicates stealing credit cards and using them to buy services from Namecheap for the explicit goal of creating deceitful websites to defraud people.
Namecheap has an Acceptable Use Policy section[0] in their TOS specifically for these situations yet uniquely refuses to enforce it. Enforcing it is an explicit requirement in the ICANN registry agreement[1] that Namecheap is required to follow to be an accredited registrar.
Allowing this to take place, even after it is reported, is potentially a criminal act in and of itself.
I have gotten registrars to change domain records for domains over the phone without having to prove who I am. Definitely vet your registrars and registers very carefully, they do not all operate by the same rules.
I'm afraid I don't have a list of good ones, only bad ones.
The easiest way to vet them is to call them and ask them what their policies are, then test them (for legal reasons, against your own test domains would be best...). See whether you can find documentation about their policies online. If you can't find them: potential red flag. If you can find them but it doesn't seem thorough/very secure: red flag. If they don't seem to deal with international customers: potential red flag. If they don't support TOTP or U2F, or you can't disable SMS validation: red flag. If their password policies suck: red flag (just create a free account and see what it lets you use). If they don't do both registry & registry lock for your TLD, or won't explain how the process works for that TLD: run away.
Often they may document their online process for doing things like registry lock. Call them up and say you are a potential customer and you want to know what you can do over the phone, then ask them what you need to provide in order to do each thing. They're not going to try to hide anything from you, so they may tell you if (for example) all they need to know is your full name, e-mail address, and what domain you want to unlock. They'll also tell you if they only send EPP codes over e-mail or their web interface, or if they have a way to record customer support requests (like a special verification code for phone support, select lists of people who can administrate the account, etc).
Of course, it's up to each customer service rep to actually follow the Registrar's rules. It just takes one lazy SOB to skip all the steps and just do whatever you ask to ruin everything. So you might also ask to talk to whomever manages the support reps and find out more about them, like how much training they receive and how much oversight is done over each support call. You'll probably have to settle for correspondence over a ticketing system.
Registries you'll probably have to e-mail for their rules, or ask a Registrar. Some registries can be unnecessarily cloak-and-dagger about their policies, but some registrars don't care and will tell you anyway. Personally, I would stay away from the Registries that require two weeks of paperwork just to change WHOIS information.
Here is my idea for a non-broken/secure domain registrar using public-key crypto.
a) When you register the domain, you provide a public key.
b) The registrar will only ever redirect the domain if they receive a message signed with the corresponding private key.
There is a holding period if you stop paying for the domain, before it is released to the public again. You pay for the holding period in advance, when you do the initial registration.
This can be built today with existing technology.
Can someone please make this? Any feedback? Does this exist already?
That's way too complicated for the average registrant. There are lots of practical options that could strengthen the process for the average registrant.
Half the battle is for registrars to quit accepting the equivalent of cold calls from registrants. How hard is it to make a call back to the registrant when they're asking for NS, MX, etc. changes?
If the registrant phone number hasn't changed since registration, it's pretty safe to call them back and trust them IMO. If the registrant phone number was changed 5 days ago and someone is calling in asking for changes, that's an easy red flag and could be coupled with a technical restriction that requires escalation for important domain changes.
Another option similar to yours but easier would be to set a pin during registration and to require it for making over the phone domain changes. I guarantee those will get lost / forgotten by the average registrant though.
You'd be shocked at the number of small businesses that don't know where there domain is registered, who registered it, when it expires, etc..
If a domain is making money use a registry lock. If it's a high value domain making tons of money, pay MarkMonitor or similar to manage it.
> That's way too complicated for the average registrant.
I don't care. It's a niche service. There are at least tens of thousands of security-paranoid developers who would be a target market for this product. This is child's play for anyone involved in the blockchain space.
I've been through this twice this year where a reasonably large non-tech business came to me saying requesting help, only to find the credentials for their domain left with some previous employee and the "password reset" emails went to some @hotmail.com address noone knew how to access. Businesses see that sort of thing as normal and expect you'll just call the registrar and have it sorted it out.
I absolutely cringe at how easy it's always been for me, but I likewise think anything like you've described would be just end up with an awful lot of businesses locked out of their domains.
These support jobs are grueling. The pay isn't too great and you are sometimes required to know many years of accumulated sysadmin knowledge for the price of entry-level salaries.
Also, foreign tech support, typically Eastern European. For all the expensive audits tech companies do on their appsec, all it takes is 1 disgruntled Ukrainian who says "fuck those Americans for playing a part in fucking up my country" (or more usually phishing or a bribe) and suddenly a few important domains are compromised.
I wonder if paying the premium to MarkMonitor prevents the risk of foreign and underpaid staff, but the domain industry is more like a commodity now and they hook you in with "cheap cheap cheap".
Also, the only thing crypto seems to be making the news for these days is when a company gets hacked. So much for that revolution.
> …every peer is validating and in charge of managing the root DNS naming zone…
I don't understand how anyone can read this (and many other statements on the site) and take it more seriously than any other ICO scheme.
For fairness' sake, I propose the entire "crypo" ecosystem move off of DNS to [name of blockchain-based solution deleted] first, and then we can see how it's going after a couple years.
Handshake raised $10mm which was donated (all $10mm) to non-profit organizations and open source projects, including GNOME [1], Debian [2], KDE [3], among others.
Far from an "ICO scheme," the project further allocated the majority of the coins to developers and existing domain holders.
Unlike most decentralized projects you may be thinking of, Handshake is a real project and people are buying domains [4]. Compare the activity on chain with _____, and Handshake speaks for itself.
> Unlike most decentralized projects you may be thinking of…
I'm a fan of decentralized technologies. I'm saying that this project makes ridiculous claims, and (having read the FAQ) even the "decentralized" claim is dubious.
> You can’t just say something like this without backing it up. Let’s hear it!
From the FAQ:
"In order to claim your USPTO, European Union, or equivalent government entity in a foreign country registered trademarked domain name during the Sunrise Period, you MUST fill out this form on the Handshake.org website. Only the verified or pending trademark holder or a registered agent thereof can claim a trademark pending or trademarked name…"
"Existing TLDs and over 100,000 Alexa websites are reserved on the Handshake blockchain."
It's not clear to me how this is "decentralized" or "permissionless". If that were true, I'd expect that dispute resolution (for example) would be impossible. The bits of the FAQ I quoted above suggest centralized gatekeepers. Am I misunderstanding?
Decentralized naming is going to be critical to an open internet. We've already seen fights over names by corporations and governments.
Decentralization does not imply cryptocurrency but you do need (1) some proof of work to reduce squatting the whole namespace, (2) atomic-ish transactions to ensure one owner of a name, and (3) lots of malicious participants.
Handshake needs a token to create scarcity. Otherwise, what would stop one from registering all the domains in the world. You can read more details about this in "# Decentralized Certificate Authorities and the Blockchain" [1].
It was designed specifically to prevent these kinds of attacks. You can design your own security procedure. "For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally."
As far as I can tell, they've never been pwned.