Hacker News new | past | comments | ask | show | jobs | submit login

PM at a large, retail domain registrar here.

Registry Lock isn't something most retail registrars will offer, because generally, the vast majority of registrants don't really need it. It's not something you can just put into your domain management panel and roll out to everyone because of all the hoops required once enabled.

That said, Brian Krebs does need it on his domain(s) for obvious reasons - his domain is a massive target for hacking - and so it's enabled on his domain with specific procedures around how updates happen when required which I won't get into.

Beyond Registry Lock, the best way to secure your domains is to have them in an account with a random username (prevents guessing to aid in social engineering vs. "firstlast" or "flast"), a strong password and 2FA. Perhaps consider a unique account email address that you only use for that registrar account since losing control of that could result in losing control of your entire domains account and all the domains in it (assuming you didn't use 2FA).

On the Registrar side, look for one with good protections to ward off social engineering against the account and domains. In our case, we have a system that requires the account holder's specific consent (obtained via account email) to have a support person view personal information or access the account.




This does not seem like a sound philosophical security posture -- that only domains who are "massive targets for hacking" should use Registry Lock.


Security and usability is always a compromise. Otherwise we'd all use one-time pads for everything on the internet.


The public will soon find out that we should.


It's one of the situations where registry lock is a useful tool with appropriate trade offs. It's far from the only one.


Why? It's about threat models.


I would say because it's a small cost for the domain owner in return for protecting against what's potentially a pretty big emotional (and possibly reputational, financial) downside.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: