
Introducing CloudFlare Registrar: Designed for Security, Not the Masses - jgrahamc
https://blog.cloudflare.com/introducing-cloudflare-registrar/
======
echelon
Back when I was a freshman in college, I built and maintained a video game
strategy wiki. It was popular at the time, and the modest ad revenue kept me
fed. I put a lot of work into it and invested back into the website.

I was fortunate enough to be able to go on an overseas trip to China during my
first college summer break. The phone and Internet service was spotty, but I
was too busy exploring to care. When I got back home, I discovered much to my
dismay that my domain name had been transferred away without my consent.

As it turns out, one of my old Internet "friends" had access to an
administrative account at my registrar without my knowledge. They transferred
a handful of my domains to their own private account and continued to run the
website as if it had been their own. They moved the database, code, and
everything. (I had allowed them access to the server, so it wasn't unexpected
that this was within their capability.)

Being a college kid, I wasn't able to think of lawyers or legal avenues to get
it back (nor could I afford them), so I wrote my "friend" out of my life and
took it as a hard lesson learned about privacy and security. And trust.
Definitely learned a lot about trust.

FWIW, it's still online today and probably brings in a thousand dollars a
month in ad revenue.

~~~
wantreprenr007
Interesting. Just watched a Ben Horowitz interview containing the paraphrase
quote "it's all rainbows, smiles and sunshine until someone stabs you in the
back."

People tend (not always) to have a habit of changing when valuations increase,
another reason trust and relationships pre-venture are more valuable for when
things get interesting.

Consider it a cheap lesson overall about gradual ebb/flow of trust, and that
people's (mis)behavior either self-selects them in or out of the running for
future opportunities... their punishment is their lives.

~~~
newman314
Or as I read somewhere: "Money does not change people, it merely amplifies who
they really are"

~~~
wantreprenr007
It's perceived risk/reward opportunity for getting away with something
(ethics)... better to test a potential cofounder beforehand (know them well
before) than find out later with random founders that could be crooks. Plus,
having overlapping social ties with cofounders, investors, customers, etc.
tends to reduce trust and risk issues because their reputation means
something.

Another thing I say: a contract or any agreement is only as good as the
relationship on which it is written.

------
yoo1I
Dear CloudFlare,

now that you're a registrar, will you respond to abuse reports about scammers'
domains being resolved by your DNS servers by at least showing that you've
understood the problem instead of a generic "We R a ReverseProxy Company, u
no?".

I know that; _I've said so in my abuse report_. That wasn't the problem.

Really frustratedly yours, yoo1I

~~~
rudolf0
They always forward those abuse reports onto the original hosting provider.
What more can they do? They're not really obligated to do anything other than
that.

~~~
dsl
When you are proxying web traffic to an obvious phishing site, you could...
you know... stop?

~~~
jgrahamc
And we do.

Tell us about phishing here:
[https://www.cloudflare.com/abuse/](https://www.cloudflare.com/abuse/)

~~~
yoo1I
Let me preface this thusly: I understand you are a reverse proxy. Do not try
and explain this to me again. I've heard it so many times by now, when it
really wasn't necessary for you to explain it to me again - or in the first
place. Really, I understand.

Furthermore, as per your FAQ[0] regarding phishing, you do _NOT_ intend to
actually stop proxying, you intend to MITM the website and insert some sort of
warning.

But to come back to the original complaint: In addition to being a reverse
proxy, you also run nameservers. I do not care why and how you do that. Fact
is you do.

These nameservers of yours are authoritative (as in 'dig -t ns example.com') for
domains that are exclusively used for scam websites which you DO NOT HOST OR
PROXY. You just provide DNS.

Is there _any_ way you would consider stopping doing that?

Please don't ask me to go through your support channels again. I've tried.
They didn't manage to understand the problem or didn't manage to make it clear
that they have.

[0] [https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-](https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-)

~~~
ChristianBundy
Please forgive me for playing devil's advocate, but I can't resist the urge to
jump in here -- why should they provide you with a free (!) consumer security
solution? It sounds like they were trying to give you a hint by telling you
that they're a reverse proxy, but I'll put it very clearly: they are a reverse
proxy for paying customers, not a consumer security solution for the general
public.

They offer a domain name management service, _not_ a DNS security service.
Complaining to CloudFlare that they're not offering you a free security
service would be like complaining to OpenDNS that they're not offering a
domain name management service.

You wouldn't repeatedly harass Dun & Bradstreet and complain that they don't
provide you with a free (!!!) consumer credit report, why do you feel so
entitled to do the same to CloudFlare? Unless you've entered a consumer
security contract with CloudFlare that I'm unaware of (which is totally
possible), I'm afraid that you might just be feeling entitled.

~~~
yoo1I
"Consumer Security Solution"? Your advocacy is pretty devilish indeed.

I think you are misunderstanding what's going on and it seems you are not
aware that dealing with network resource abuse is a normal thing in the
running of an internet service - at any level. There are many legitimate uses
of network resources and some which aren't: spamming, hosting illegal content
(for whatever value of illegal), running botnets and so on. Each organization
and jurisdiction sets their own rules about what is and isn't allowed on their
resources which their customers have to abide by. And usually they share a way
to report abuses to them. (See, the companies who hosted the spammers who sent
out the link to the domains in question have already responded by shutting the
spambots down.)

And indeed CloudFlare does have these policies in place, which you can clearly
read on the link shared by jgrahamc above.

This particular issue is concerning a situation which isn't _directly_
addressed by the rules already in place, and I am well within my rights to ask
them to remedy this.

And if I was aware that customers of Dun & Bradstreet were selling data they
received by Dun & Bradstreet on the black market to the Yakuza, be sure that I
would let them know about it repeatedly.

You keep emphasizing that I want something for free from them; au contraire, I
am providing them with a free service by letting them know their system is
being used by criminals to commit crimes.

------
thenomad
Given the extensive debunking of the security of all existing registrars in
the post, I'd really love to know who CloudFlare were thinking of when they
said

"There are plenty of great mass-market registrars."

Shortly after they said (I'm paraphrasing here) "we've just explained why your
current registrar is insecure, but this shiny new secure service isn't for
you, pleb!"

They offer an "audit your registry" service, which is great, but they have
zero suggestions for good alternatives if you're _not_ front page news.

~~~
junto
I'd like to vote this up. I think that all of us (as individuals) would like a
'lite' version of this.

I want my domain to pass all those checks, and have 2FA protecting my account,
but I don't care about the multiple permission to transfer since I'm just one
person.

I also do care that there isn't some social engineering backdoor, where anyone
can call support and answer a few questions about me (that might be easy to
find) and reset my password. There are far too many services that are
susceptible to such an easy hack.

~~~
AdamN
Gandi and Namecheap have quite good security models for normal prices.

~~~
JakeTheAndroid
I can agree with this. Namecheap is fairly secure as far as a general,
affordable registrar is concerned. I had trouble accessing my account because
I didn't have very specific information that was difficult for me to track
down in my emails. They also supported DNSSEC and Algorithm 13 before it was
an option on CloudFlare, meaning I was able to take advantage of that day one.

------
jqueryin
I see this play as a funnel to their high end CDN and DDoS services.

Being in the industry, it only makes sense for them to target big business.
They're likely disinterested in low margin domain renewals. Their real bread
and butter is the high LTV customers with deep pockets who have upper
management requesting "security" and "encryption" because of all of the recent
"hacks" in the news.

Long term, they'll probably change their tune and start to target SMB if it
works out well. It's far easier to pick a niche segment and deal with far less
customer support as you're dealing with lower volumes of conversions.

~~~
dsl
It is the Akamai model. Get a customer in the door, keep selling them new
addon services every chance you get. Then when a competitor comes along they
aren't "feature competitive."

The best magic trick Matthew Prince has pulled thus far is convincing the
folks that work for him that they are doing something noble.

~~~
mtourne
Former employee here. Even though we've parted ways quite a while ago I still
see CloudFlare as having a net positive impact.

------
NetStrikeForce
Anyone understand why I should use CloudFlare instead of e.g. Namecheap? I
consider myself a security minded folk. Heck, I even suggested the idea of
what later became universal SSL to Matthew on Twitter, after HeartBleed
happened - funnily enough he called it "dumb money" - luckily, dumb money is
still money ;-) and he apparently changed his mind -->
[https://twitter.com/mobiplayer/status/474617969780469760](https://twitter.com/mobiplayer/status/474617969780469760)
kudos for reconsidering.

~~~
ghshephard
If you have many hundreds of thousands/millions of dollars a day lost if your
DNS is redirected, you might want to consider Cloudflare as your registrar. I
wouldn't be shocked to hear that they charge 4 figures to register a domain
with them though. (I didn't see any pricing)

~~~
ryanlol
Why would you choose cloudflare over someone more established? i.e.
MarkMonitor?

~~~
ghshephard
In the article they noted that MarkMonitor (Who I've used myself), is more
focussed on managing online brands, and the registrar element is a sideline.
Also - MarkMonitor can be pretty pricey - I'm wondering if CloudFlare is price
competitive with them?

But yes, I agree - if I had to recommend to a fortune 500 _today_ where to go
to manage your domain safely, it would be MarkMonitor. I guess we'll see how
CloudFlare stacks up over the next few years.

~~~
scurvy
This seems aimed more at Safenames. I'll trust Safenames more than Cloudflare
personally.

------
kefka
And CloudFlare is destroying user's abilities to use TOR in any meaningful
way.

What we get when we hit a CloudFlare backed page: CAPTCHA, after CAPTCHA,
after CAPTCHA. And not only that, but it's Google's reCaptcha, many of which
are nigh unsolvable.

Worse yet, if we leave any sort of comments, we get served another CAPTCHA,
which destroys the comment we tried to make. Their failing systems end up
silencing us.

We want you to ease up on serving CAPTCHAs on everything: respond when you
see real abuse from that TCP session, and not 'just because we're TOR users'.

~~~
softawre
When I use VPN and hit CloudFlare I get the easy "I'm a human" captcha that
tracks mouse movement and timing. Are you seeing different?

~~~
kefka
I wish it were that easy.

When on TOR, the "() I am a human" doesn't show up. Instead, you get the
reCAPTCHA 2 gibberish words. Unfortunately, many of what you're given aren't
readable at all.

Now, you get that CAPTCHA _every_ page you load that uses Cloudflare. And it's
just terrible. They're breaking the 'Net for TOR users.

~~~
rudolf0
1. You may not have Javascript enabled.

2. Doesn't the captcha unlock you for the whole browsing session?

3. Cloudflare is working as intended. They could just block Tor outright. I
think this is probably the best compromise.

~~~
detaro
1. Disabling javascript while using Tor is probably a good idea, because it
removes a lot of potential risks from the equation. Risk vs convenience, I
guess.

2. In theory yes, in practice that doesn't seem to be the case, with people
reporting captcha-loops etc. And everything that allows CF to reliably
re-identify the user is at the same time a potential vulnerability of the user.

3. Or they could implement less drastic measures and still protect their
customers (e.g. what risk does a GET request against a cached site really pose
that requires a captcha?).

It's a sliding scale and not obvious what the "best" solution is. There are
good arguments in both directions, and Cloudflare is important enough that
they IMHO should think further than "what's easiest for us". They seem at
least to be somewhat receptive towards arguments about this.

------
tav
Congrats to everyone at CloudFlare who made this happen!

Is there a list of TLDs which are supported somewhere? When I last looked
(years ago), only Verisign provided registry locking and the other registries
weren't showing any signs of coming out with similar products.

------
dothis
I am a publisher located in Europe and my life's work is all in one .com
domain. I often wonder how secure the ownership of a domain is and if there
are any steps necessary to secure it. My registrar requires a signed document
to transfer domains. By post or scanned. But how secure is that? How would
they know if I sent the document or somebody else?

And what if somebody hacked the registrar? Are there global mechanisms to undo
wrongful domain transfers?

~~~
noinsight
> located in Europe and my life's work is all in one .com domain.

As a non-US citizen you should definitely move to another TLD entirely. US
asserts jurisdiction over .com/.net/.org and has been known to seize such
domains at will even if they have no ties to the US. You would have little
recourse without great difficulty.

As a non-US person myself I will therefore personally never hold such a
domain.

National TLDs would be a good choice but there's also .eu which I reckon
would also be a safe choice. They also do not publish WHOIS information for
privately held domains.

People rarely consider this when purchasing domains (which jurisdiction they
fall under) but it's an important issue in my opinion.

(Source: [http://yro.slashdot.org/story/12/03/06/1720230/us-asserts-super-jurisdiction-over-dot-com-dot-net-and-dot-org-domains](http://yro.slashdot.org/story/12/03/06/1720230/us-asserts-super-jurisdiction-over-dot-com-dot-net-and-dot-org-domains))

~~~
PlzSnow
Your suggestion that non-US people shouldn't have .com domains is a fringe-
extremist position, and is likely to be ignored by most people.

My business is on a .com domain and that will never change. I'm a businessman,
not an extremist idealist.

------
nubela
Interesting move Cloudflare!

I work with Kloudsec [1], and we're a developer-centric CDN platform, and
we're moving on an entirely opposite direction from Cloudflare. If Cloudflare
is Apple, think of Kloudsec as Linux. Rather than bundling everything as a
"magic" product, as you can do with Cloudflare today in this flow

1. Buy domain from CF

2. Automatically, CF is your DNS

3. Automatically, CF is your CDN in a single toggle

4. Automatically, CF is your WAF

We think that

* there is danger to internet neutrality when a monopoly arises out of a single data-trafficker

* that we cannot do everything well

--

Kloudsec says come use our CDN for free. And if you like, you can choose to
enable optional plugins. Be it the automatic SSL provisioning (via LE), or our
WAF.

But hey, if you don't like it, come build apps on top of our CDN too. Apps
like a better PageSpeed, a better WAF, etc. These apps can be a Nginx module,
things that you can export to your own build if you scale, or leave the
infrastructure [2] to us.

--

What do you guys think?

[1]: [https://kloudsec.com](https://kloudsec.com)

[2]: [https://blog.kloudsec.com/building-an-anycast-network/](https://blog.kloudsec.com/building-an-anycast-network/)

~~~
kintamanimatt
On your pricing plans page [0], there's a misleading statement that
Cloudflare's free tier doesn't provide DDoS protection, but Cloudflare's
pricing and feature page [1] states that the free tier does come with basic
DDoS protection. Whether or not there's a difference in the type of DDoS
protection provided by Kloudsec, this feels deceptive.

[0] [https://kloudsec.com/#/pricing](https://kloudsec.com/#/pricing)

[1] [https://www.cloudflare.com/plans/](https://www.cloudflare.com/plans/)

~~~
HappyTypist
For what it matters, CloudFlare protected my site against a 200 Mbps layer 4
attack on the free plan. That's a small attack but it's great for a free basic
offering.

~~~
eastdakota
And yesterday we (CloudFlare) protected a free customer against a 400Gbps
(that's not a typo) Layer 3/4 attack. DDoS protection should be free at any
volume and our scale is allowing us to make that a reality.

------
aric
Good move. I've been looking for a security-focused registrar. Will CloudFlare
Registrar open its doors outside of an Enterprise plan?

~~~
chillydawg
I'd be surprised if they did. No way it can be economical to do this at scale
for normal domain reg costs.

~~~
aric
I'd be surprised if they didn't. There's a markup at which it'd be very
economical to be a broader registrar. Future upselling is worth pulling users
away from other registrars. Some of them will compete against CloudFlare
sooner or later. Google's headed that way.

------
ohashi
For the seriously security conscious, this stuff has been around for a while.
The registrar I use has had an executive lock for many many years.
[http://fabulous.com/informationcenter/index.htm?formdata%5Bqid%5D=115](http://fabulous.com/informationcenter/index.htm?formdata%5Bqid%5D=115)

------
kintamanimatt
Interesting that the domain security tool fails my domains for not having
registrar lock enabled. The most interesting part is that Gandi sets
clientTransferProhibited but not clientUpdateProhibited or
clientDeleteProhibited. I wonder if there's a way to get these enabled; there
doesn't seem to be an option.

~~~
james_pm
Those statuses (what Cloudflare calls registrar locks) are more aimed at
giving registrars a way to prevent the registrant (or anyone else) from making
changes to a domain. It's commonly used during disputes over domain ownership,
for example.

Transfer lock, 2FA on your account, protection of the AUTH code (should be
encrypted at least, or not stored at all at best) and a registrar with a
support team that is resistant to social engineering hacks is sufficient for
most domain owners.

If you require complete security, registry lock is the way to go as it
prevents changes to the domain from the top down. It would protect you from
something like a bad actor with access to your domain through the registrar's
system.

That said, it's a real pain when you actually want to make a change since
there's very specific protocols to follow. And you have to pay extra for it
since the registry charges to apply the lock.
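
As an added, stand-alone illustration of the distinction drawn in the comment above (this is not code from Cloudflare's check tool, from Gandi, or from anyone in this thread): the script below pulls the EPP status codes out of a WHOIS record and reports which registrar-side (client*) and registry-side (server*) locks are present, and whether the delegation is DNSSEC-signed. The two WHOIS records embedded in it are constructed samples laid out like Verisign's thin WHOIS output, not real lookups, and the pass/fail rules are one reading of the thread, not Cloudflare's scoring.

```python
import re
from dataclasses import dataclass

# EPP status codes as they appear in WHOIS/RDAP output. The client* codes
# are set by the registrar (what the thread calls a registrar lock); the
# server* codes are set by the registry itself (registry lock), so a
# compromised registrar account or registrar system cannot clear them.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                "clientDeleteProhibited"}
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                "serverDeleteProhibited"}

# Matches lines such as
# "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)
# Matches "DNSSEC: unsigned" / "DNSSEC: signedDelegation" (Verisign-style line)
DNSSEC_RE = re.compile(r"^\s*DNSSEC:\s*(\S+)", re.MULTILINE)


@dataclass
class LockReport:
    statuses: set
    client_locks: set
    server_locks: set
    dnssec: str
    findings: list


def parse_statuses(whois_text: str) -> set:
    """Return the set of EPP status codes listed in a WHOIS record."""
    return set(STATUS_RE.findall(whois_text))


def assess_locks(whois_text: str) -> LockReport:
    """Grade a WHOIS record on transfer/update/delete locks and DNSSEC."""
    statuses = parse_statuses(whois_text)
    client = statuses & CLIENT_LOCKS
    server = statuses & SERVER_LOCKS
    m = DNSSEC_RE.search(whois_text)
    dnssec = m.group(1) if m else "unknown"
    findings = []
    # Either side's transfer lock blocks an EPP transfer request.
    if not ({"clientTransferProhibited", "serverTransferProhibited"} & statuses):
        findings.append("no transfer lock: an AUTH code alone moves the domain")
    for code in sorted(CLIENT_LOCKS - client):
        findings.append(f"registrar lock not set: {code}")
    if not server:
        findings.append("no registry lock: a registrar-side compromise can "
                        "change or transfer the domain")
    if dnssec != "signedDelegation":
        findings.append(f"DNSSEC delegation not signed (WHOIS says: {dnssec})")
    return LockReport(statuses, client, server, dnssec, findings)


# Constructed sample records (not real lookups). The first mirrors the
# Gandi case described in the thread: transfer lock only. The second has
# every client and server lock set plus a signed delegation.
SAMPLE_TRANSFER_LOCK_ONLY = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.EXAMPLE.NET
   DNSSEC: unsigned
"""

SAMPLE_FULLY_LOCKED = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   DNSSEC: signedDelegation
"""

if __name__ == "__main__":
    for name, record in [("transfer lock only", SAMPLE_TRANSFER_LOCK_ONLY),
                         ("fully locked", SAMPLE_FULLY_LOCKED)]:
        report = assess_locks(record)
        print(f"{name}: {'OK' if not report.findings else 'FINDINGS'}")
        for finding in report.findings:
            print("  -", finding)
```

Run against real output from `whois example.com` (or the RDAP `status` array, which uses the same names) the report separates the case most registrars give you for free (clientTransferProhibited only) from the registry lock the comment above describes, which shows up as the server* codes and cannot be removed through the registrar's normal control panel.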

------
tyingq
Namesilo supports 2FA with Authy, and seems to have a reasonable security
approach.

[https://www.namesilo.com/Support/2~Factor-Authentication](https://www.namesilo.com/Support/2~Factor-Authentication)

[https://www.namesilo.com/Support/Domain-Defender](https://www.namesilo.com/Support/Domain-Defender)

It's also very reasonably priced in general. The 2FA and Domain Defender are
free.

Edit: No, it's not the same level of protection as what CF is describing. But,
it's more than what you'll typically find at a registrar, and cheap.

~~~
tobltobs
Isn't 2FA standard nowadays? And it still does not disable social engineering
as an attack option.

~~~
tyingq
>>Isn't 2FA standard nowadays?

Some don't appear to have it at all (1&1), some offer an option to SMS a code
(godaddy/namecheap), a few offer integration with something like Authy/Google
Auth.

>>And it still does not disable social engineering as attack option.

It's better than what I see from other registrars. It is not perfect. You, of
course, are in control of the answers to the challenge questions, they don't
have to be the truth.

------
zx2c4
I switched to Google Domains a while ago for personal use. It's a bummer that
yet another important thing is centralized in my Google account, but seeing as
Google already handles critical things (email --> account resets), I don't
introduce an additional vulnerability by hosting my domains with them.
Hopefully, by now, their two factor situation is sufficient, and their manual
processes of sending scans of passports undergo sufficient scrutiny. Anybody
have any information on this? How strong is Google account security these
days?

------
pbreit
I'm a little surprised they would emphasize "not for the masses" since
Cloudflare's mission has historically been for the masses.

I'd love to see a new, modern registrar without all the inanities. I'm always
surprised at how many companies still use GoDaddy. This is super-old but I bet
still directionally accurate: [http://joel.franusic.com/domain-profiler/ycombinator.html](http://joel.franusic.com/domain-profiler/ycombinator.html)

~~~
jgrahamc
We're still for the masses, but this specific service is not. If you look at
our plans you'll see that there are different levels of service depending on
how much you pay us, this particular service is for the very high end.

------
notlisted
Hmmm, I have my 30 most important domains on register.com, hundreds elsewhere.
Register.Com is not exactly cheap, but I felt more secure. I'm a little miffed
with the results of this security test tool for those register.com domains
(failing 3 out of 5 tests). Are these results truly valid (ie something to
worry about) and if so, am I to blame for not enabling certain options at
register.com?

~~~
dsl
Register.com has been breached at least once. They are also now part of the
Web.com/NetworkSolutions conglomerate. [http://www.upi.com/Top_News/World-News/2015/03/18/FBI-looking-into-Chinese-military-involvement-in-cyber-hack-of-US-company/2531426688682/](http://www.upi.com/Top_News/World-News/2015/03/18/FBI-looking-into-Chinese-military-involvement-in-cyber-hack-of-US-company/2531426688682/)

MarkMonitor and CSC domains appear to be the safest in my experience, but they
also charge thousands of dollars and require you to call them to make changes.
But the margins on domain registrations are so thin, you can't really expect a
good price and security.

------
brightball
Just as another security precaution on top of it, do they support private
registrations so that people can avoid exposing individual credentials in the
WHOIS records? There are a lot of companies who currently have attorneys'
offices handle domain registration as well as corporate registrations just for
that specific purpose.

------
tech-no-logical
ah yes, the CDN that prompts about 200 captchas per day on my end because I
use a vpn... I was not aware this company was used so extensively until they
started doing those annoying redirects.

------
nly
Does "Virtual DNS" do DNSSEC validation?

I wouldn't want to give up control of my registry DS records or DNS master.

~~~
aeden
Not yet.

------
danieltillett
Any idea on pricing?

~~~
kmfrk
From what I gather, it requires an Enterprise plan, which has no fixed price.
Could just be a free part of the plan considering the price tag of an
Enterprise plan.

~~~
saramago
CloudFlare claims their enterprise plans start at $5,000 USD a month, but this
is not really true. Most customers who have a business plan and pay $200 a
month negotiate deals for a lot less. Especially now that Akamai is dropping
their pants to the mid market. You can essentially get on Akamai or Incapsula
for less than what CloudFlare charges for their plans. This is what I did. I
ended up with much better WAF services and less deviation on performance.

~~~
rlx02
Who did you end up going with?

