GoDaddy employees used in attacks on multiple cryptocurrency services (krebsonsecurity.com)
183 points by todsacerdoti 4 days ago | 67 comments

I'm pretty intrigued by the cryptocurrency-based DNS alternatives that get kicked around in discussions like this. But if you need a way to mitigate this threat for your business today, I'd recommend Cloudflare's Enterprise Registrar.

It was designed specifically to prevent these kinds of attacks. You can design your own security procedure. "For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally."

As far as I can tell, they've never been pwned.

But this is only a procedure for the customer. We'd hope that their employees have internal rules that are just as strict for interacting with internal IT, but can't be sure.

The rules for the customer don't matter much if they get hold of a company account which can make the right change.

Re. Cryptocurrency, I'd be really nervous implementing that in production. The current registers may not be perfect, but there's an escape hatch where things go wrong, you contact the right people and changes get reverted. With coin based DNS, the right hack may mean you lose access to your domain forever and there's no rollback possible.

Yup. If you're running something this critically important on your domain (i.e. pretty much any business doing 7 figure revenue or more), it'd really behoove you to switch to a registrar that supports registry lock on your domain. Then you're protected by the procedures at two unrelated business entities.

Blows my mind that people running these trading platforms would trust GoDaddy with the security of their domain name.

As an old dinosaur who ended up becoming involved in the blockchain space, this doesn't surprise me at all. I suspect this is a generalizable pattern: a new industry is created and very little of the experience learned in older industries is transferred.

Marketing is surprisingly effective. Because of it, almost no software or service that is popular is good.

That explains a lot (of annoying things on the internet)

I have the misfortune of being forced to use GoDaddy for a certificate. For reasons I won't go into Let's Encrypt isn't an option. The certificates that Cloudflare provisions (even when not using their universal SSL feature) are issued by a CA which isn't supported by all versions of Apple Podcasts. GoDaddy was the only viable option.

GoDaddy has repeatedly fucked this up. Once, they renewed the cert, but didn't publish it to the logs of issued certs. So Chrome started rejecting the new cert. Hard downtime. It took almost 24 hours for them to issue the guidance to "just renew it again and hopefully it will work this time...we'll refund the first one". Crazy.

If you have evidence they didn't log it to CT, that's a mis-issuance and reporting it to the root programs (via the Mozilla list) will trigger an investigation that will be taken very seriously.

> Once, they renewed the cert, but didn't publish it to the logs of issued certs.

For what it's worth, you can log certificates. It's not common for issuers to even offer certificates that haven't already been logged, but some applications want that, and it's perfectly possible to do it, Google do it for some systems. The issuer has no special right to log certificates, broadly anybody can do it (big issuers have some agreement for volume performance, but you're probably only doing one or two by hand so who cares).

Major logs just have a public endpoint, you give them a certificate they give you back an SCT (the timestamped "proof" it was logged). The modern logs tend to have two constraints: The certificate must be from a CA they trust (in almost all cases that's going to be a similar list to the list Chrome uses) and it must expire in the right year because they've all sharded their backend systems by expiry date, this way all the 2019 expired certificates can get flushed away in 2020 rather than needing valuable always on-line storage forever.

Your HTTP server needs to actually give the SCT to the web browser (whereas if it was baked into the certificate that's not your problem) but you can configure popular servers to do that.
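The SCT hand-off described above, as an added example that is not part of the original comment: a Go parser for the SignedCertificateTimestampList (RFC 6962 section 3.3) that a server delivers to the browser in the `signed_certificate_timestamp` TLS extension, or that a CA embeds in the certificate, plus the sanity checks a client makes before trusting an entry (known log ID, sane timestamp, expected algorithms). The log ID and signature bytes are constructed placeholders, and verifying the signature against the log's public key is left out because it needs the log key and the certificate itself.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SCT is the SignedCertificateTimestamp structure of RFC 6962 section 3.2.
type SCT struct {
	Version    uint8
	LogID      [32]byte
	Timestamp  uint64 // milliseconds since the Unix epoch
	Extensions []byte
	HashAlg    uint8 // TLS HashAlgorithm: 4 = sha256
	SigAlg     uint8 // TLS SignatureAlgorithm: 3 = ecdsa
	Signature  []byte
}

// Marshal serialises one SCT in the wire format (big-endian, 2-byte length prefixes).
func (s SCT) Marshal() []byte {
	var buf bytes.Buffer
	buf.WriteByte(s.Version)
	buf.Write(s.LogID[:])
	binary.Write(&buf, binary.BigEndian, s.Timestamp)
	binary.Write(&buf, binary.BigEndian, uint16(len(s.Extensions)))
	buf.Write(s.Extensions)
	buf.WriteByte(s.HashAlg)
	buf.WriteByte(s.SigAlg)
	binary.Write(&buf, binary.BigEndian, uint16(len(s.Signature)))
	buf.Write(s.Signature)
	return buf.Bytes()
}

func parseSCT(b []byte) (SCT, error) {
	var s SCT
	if len(b) < 43 { // version(1) + log id(32) + timestamp(8) + ext len(2)
		return s, errors.New("sct: truncated header")
	}
	s.Version = b[0]
	copy(s.LogID[:], b[1:33])
	s.Timestamp = binary.BigEndian.Uint64(b[33:41])
	extLen := int(binary.BigEndian.Uint16(b[41:43]))
	b = b[43:]
	if len(b) < extLen+4 { // extensions + hash alg(1) + sig alg(1) + sig len(2)
		return s, errors.New("sct: truncated extensions or signature header")
	}
	s.Extensions = append([]byte(nil), b[:extLen]...)
	b = b[extLen:]
	s.HashAlg, s.SigAlg = b[0], b[1]
	sigLen := int(binary.BigEndian.Uint16(b[2:4]))
	b = b[4:]
	if len(b) != sigLen {
		return s, fmt.Errorf("sct: signature length %d does not match remaining %d bytes", sigLen, len(b))
	}
	s.Signature = append([]byte(nil), b...)
	return s, nil
}

// ParseSCTList decodes a SignedCertificateTimestampList: a 2-byte total length
// followed by length-prefixed SCTs. Every length is checked before it is used.
func ParseSCTList(b []byte) ([]SCT, error) {
	if len(b) < 2 {
		return nil, errors.New("sct list: missing length prefix")
	}
	total := int(binary.BigEndian.Uint16(b[:2]))
	b = b[2:]
	if len(b) != total {
		return nil, fmt.Errorf("sct list: declared %d bytes, have %d", total, len(b))
	}
	var out []SCT
	for len(b) > 0 {
		if len(b) < 2 {
			return nil, errors.New("sct list: dangling byte")
		}
		n := int(binary.BigEndian.Uint16(b[:2]))
		b = b[2:]
		if n == 0 || len(b) < n {
			return nil, errors.New("sct list: bad entry length")
		}
		s, err := parseSCT(b[:n])
		if err != nil {
			return nil, err
		}
		out = append(out, s)
		b = b[n:]
	}
	return out, nil
}

// EncodeSCTList is the inverse of ParseSCTList, used here to build the sample input.
func EncodeSCTList(scts []SCT) []byte {
	var body bytes.Buffer
	for _, s := range scts {
		raw := s.Marshal()
		binary.Write(&body, binary.BigEndian, uint16(len(raw)))
		body.Write(raw)
	}
	out := make([]byte, 2, 2+body.Len())
	binary.BigEndian.PutUint16(out, uint16(body.Len()))
	return append(out, body.Bytes()...)
}

// CheckSCT applies the checks a client makes before the signature itself:
// the log must be one it trusts and the timestamp must not be in the future.
func CheckSCT(s SCT, trusted map[[32]byte]string, now time.Time) error {
	if s.Version != 0 {
		return fmt.Errorf("unsupported SCT version %d", s.Version)
	}
	name, ok := trusted[s.LogID]
	if !ok {
		return fmt.Errorf("SCT from unknown log %s...", hex.EncodeToString(s.LogID[:8]))
	}
	if time.UnixMilli(int64(s.Timestamp)).After(now) {
		return fmt.Errorf("SCT from %s has a timestamp in the future", name)
	}
	if s.HashAlg != 4 || s.SigAlg != 3 {
		return fmt.Errorf("SCT from %s uses unexpected algorithms (hash %d, sig %d)", name, s.HashAlg, s.SigAlg)
	}
	return nil
}

// SampleSCTList returns a constructed list: a fake log ID and a placeholder signature.
func SampleSCTList() ([]byte, [32]byte) {
	var logID [32]byte
	for i := range logID {
		logID[i] = 0xab
	}
	sample := SCT{
		LogID:     logID,
		Timestamp: 1605830400000, // 2020-11-20T00:00:00Z
		HashAlg:   4,
		SigAlg:    3,
		Signature: bytes.Repeat([]byte{0x30}, 70), // placeholder, not a real ECDSA signature
	}
	return EncodeSCTList([]SCT{sample}), logID
}

func main() {
	list, logID := SampleSCTList()
	scts, err := ParseSCTList(list)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	trusted := map[[32]byte]string{logID: "example-log-2021"} // assumed log name
	for _, s := range scts {
		ts := time.UnixMilli(int64(s.Timestamp)).UTC().Format(time.RFC3339)
		fmt.Printf("log=%s ts=%s check=%v\n", trusted[s.LogID], ts, CheckSCT(s, trusted, time.Now()))
	}
}
```

The same bytes appear, DER-wrapped in an OCTET STRING, under the certificate extension OID 1.3.6.1.4.1.11129.2.4.2 when the CA embeds SCTs, which is the "baked into the certificate" case the comment mentions; the TLS-extension route is what you configure when you fetched the SCT yourself.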

6 years later, nothing's changed.


Stay far, far away from godaddy.

I think there are good reasons to avoid GoDaddy, but do HN-ers feel like there are registrars whose employees would never fall for social engineering techniques, or whose systems and/or processes make such a scenario far less likely?

If it's really important, you need a registrar and a registry with a Registry Lock program. With this in place, when you want to make a change, you notify the registrar, who notifies the registry, who carries out the authentication procedure and, if successful, allows the domain to be changed, then relocks.

Note that the registry may only be available to do unlock procedures for limited hours, usually business hours in their locale; that might be inconvenient if it's not your locale.

My understanding is Cloudflare can do registry locks, but does not offer registrar services standalone. Corporate oriented registrars like CSC and MarkMonitor offer it. I don't have experience with CSC, but MarkMonitor had a pretty high minimum spend (I think 10k/year) to get on their platform circa 2013; that may have changed, also they're now owned by a VC firm, just FYI.

NetworkSolutions (boo hiss), rolled out a registry lock feature after a high profile hijacking which was why my employer had me work with MarkMonitor.

Companies with better established security infrastructure like AWS and Google make for better registrars in my opinion. They're not perfect, for example with Google you might lose your domains due to a youtube infraction. Actually, now that I think about it strike Google from the list, just AWS really.

I would love to use AWS's registrar exclusively for anything I host there, but unfortunately they have a pretty limited selection of TLDs. It's more important to me that all my domains are in one place so I can review them at once. I really wish they would support more.

If "viewing all at once" in a single UI is more important than security, reliability, etc., you don't have many constraints to begin with.

a domain registrar has three functions:

1. configure my nameservers and whois info.

2. pay my bills.

3. prevent other people from taking over my domain.

I can see how AWS would give you more confidence in #3.

considering AWS is just reselling Gandi, I would love to hear how AWS (or any registrar) can be more reliable than another :)

AWS because they don't have customer service.

Not so fast. Six or so years ago someone reset the password on my account from the retail site's live chat because they knew info found in a whois.

Thankfully I only used that account for some retail purchases.

What? Yes they do. There are even premium support options for a few k a month where you can have dedicated and responsive support.

And if you can’t afford a few k a month for a dedicated support person for your infra, then you aren’t worth supporting, i.e. go to GoDaddy.

The market kind of helps optimise this.

It should be noted that GoDaddy also own quite a few other registrars, e.g. Host Europe Group, who own 123-reg, Heart Internet, Host Europe, Webfusion, RedCoruna, Mesh Digital and Domainbox.


What registrar would you recommend instead?


It's been around since 1998 and is a founder-owned company, and the founder wrote the book on managing mission-critical domains:


And they do offer registry lock (on a limited number of TLD's.)

Nearlyfreespeech is more of a host than a registrar, but I feel they generally have really good practices and procedures around security. I certainly trust them more than GoDaddy. That said, they don't support a lot of .wacky suffixes other registrars might.

Namecheap and Porkbun are pretty good.

Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.

Porkbun has an extra "domain password protection" option where you can require an extra password when retrieving an auth code for domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).

namecheap has actually been a really good registrar, contrary to what the name suggests.

Instead of compromising cryptocurrency services, they support paying for their services in cryptocurrency. That's arguably a better strategy for engaging with the target audience of crypto enthusiasts ;)

I'm not very confident about Namecheap, given how long it took them to add 2FA. It seems to me that if they cared about security they wouldn't have waited literally years to do it.

Cloudflare does domains at cost, and I use them for every TLD they support.

I've had great experience with porkbun, and no major complaints with namecheap.

gandi.net has always been outstanding.

Second for gandi - I had very good experience with them, although prices are a bit higher than namecheap or porkbun.


I really gotta get a personal domain registration off of GoDaddy, but every time I consider figuring out how to do that, I get exhausted. As is the intent.

It isn't exactly straightforward for those without experience. But if you follow the steps closely, for example [0], it takes 15 minutes tops.

[0] https://developers.cloudflare.com/registrar/domain-transfers...

It's super easy, and if you transfer your domain to somewhere like Cloudflare you probably end up saving a few bucks too.

It's not as hard as it sounds.

I did find some instructions just now from Namecheap, where I have some other more recent registrations. https://www.namecheap.com/support/knowledgebase/article.aspx...

With those instructions, it doesn't look too hard. Without godaddy-specific instructions, I would have had a lot of trouble figuring it out. Unlock registration; get authcode; turn off whois privacy protection; accept transfer. Each done in a different screen.

I went to do that, to discover... this old domain, the oldest I have registered, has both an email and a phone number that I no longer have access to, and GoDaddy wants to do 2-factor using one of them even though I do have my password. (The last 4 of the phone number I recognize as a landline I last had around 17 years ago, before I had a cell phone. I've had this domain for a while, from before I knew better than to use GoDaddy). They let me pay them renewal every year without me having to log into my account or notice I can't anymore, which I guess is better than stealing my domain because of it, but is also why I hadn't noticed for years I could not log into the account.

So I guess first step is figuring out how to get GoDaddy to give me access to the account again... it looks like that may necessarily involve some disruption/outage to my DNS which is in the old account I can't get access to. We'll see.

Edit: wait a second, they totally send me a renewal notice to email every year. They know my current email! They are insisting on sending a 2-factor code to a different email I no longer have access to. Wtf is that?

Yes. GoDaddy is bad. That's why people have been discouraging its use here and shaming people for using it, for a decade? More?

I recently got a notification that someone logged into my GoDaddy account. I angrily log in, knowing that I don't have any resources.

I'm greeted with a login log that shows "Android app" logging in every day for the past year, from multiple different countries. And my account required email confirmation (which must have been bypassed on the Android app?)

It's bad. Don't use GoDaddy. While you're at it, you should really actually make backups and use a password manager too.

If you can still login to the account, can you not update the contact info (or does that update also require 2FA)?

I cannot login to the account without 2FA to an email address I no longer have access to (even though they can somehow send me annual renewal notices at my current email address), that's my problem.

Namecheap is another dumpster fire of a registrar. While GoDaddy seems to generally carry a low bar, Namecheap on the other hand completely turns a blind eye to their service becoming the number one platform for stolen credit cards buying thousands of domains for international phishing scams every day.

They double down on this by putting their “legal” team in Eastern Europe and make it seem like actioning their TOS against scammers puts them in a position of violating free speech (or something equally stupid).

I wouldn’t be surprised if the majority of Namecheap’s income comes from domains registered for phishing scams. It’s that rampant and they just do not care.

What registrar do you recommend as ethical, competent, and treating their customers well, with good UI?

I don't even care about being ethical -- just don't literally facilitate and turn a blind eye to crime.

I moved to, among others, Porkbun.

I'm not sure I want my registrar to be judging whether they think I'm criminal or not and terminating my service. I think that's the job for courts. But maybe I need to read up more on this issue, can you recommend articles as background reading?

So what you're suggesting is that registrars should be exempt from the standard that we hold literally everything else to?

This isn't a subjective topic. These are criminal syndicates stealing credit cards and using them to buy services from Namecheap for the explicit goal of creating deceitful websites to defraud people.

Namecheap has an Acceptable Use Policy section[0] in their TOS specifically for these situations yet uniquely refuses to enforce it. Enforcing it is an explicit requirement in the ICANN registry agreement[1] that Namecheap is required to follow to be an accredited registrar.

Allowing this to take place, even after it is reported, is potentially a criminal act in and of itself.

[0] https://www.namecheap.com/legal/universal/universal-tos/

[1] https://newgtlds.icann.org/sites/default/files/agreements/ag...

I have gotten registrars to change domain records for domains over the phone without having to prove who I am. Definitely vet your registrars and registries very carefully, they do not all operate by the same rules.

Can you recommend one that isn't easily persuaded to change domain records without securely verifying the customer's id?

It's almost impossible to vet registrars or registries, as this information isn't easily available.

I'm afraid I don't have a list of good ones, only bad ones.

The easiest way to vet them is to call them and ask them what their policies are, then test them (for legal reasons, against your own test domains would be best...). See whether you can find documentation about their policies online. If you can't find them: potential red flag. If you can find them but it doesn't seem thorough/very secure: red flag. If they don't seem to deal with international customers: potential red flag. If they don't support TOTP or U2F, or you can't disable SMS validation: red flag. If their password policies suck: red flag (just create a free account and see what it lets you use). If they don't do both registrar & registry lock for your TLD, or won't explain how the process works for that TLD: run away.

Often they may document their online process for doing things like registry lock. Call them up and say you are a potential customer and you want to know what you can do over the phone, then ask them what you need to provide in order to do each thing. They're not going to try to hide anything from you, so they may tell you if (for example) all they need to know is your full name, e-mail address, and what domain you want to unlock. They'll also tell you if they only send EPP codes over e-mail or their web interface, or if they have a way to record customer support requests (like a special verification code for phone support, select lists of people who can administrate the account, etc).

Of course, it's up to each customer service rep to actually follow the Registrar's rules. It just takes one lazy SOB to skip all the steps and just do whatever you ask to ruin everything. So you might also ask to talk to whomever manages the support reps and find out more about them, like how much training they receive and how much oversight is done over each support call. You'll probably have to settle for correspondence over a ticketing system.

Registries you'll probably have to e-mail for their rules, or ask a Registrar. Some registries can be unnecessarily cloak-and-dagger about their policies, but some registrars don't care and will tell you anyway. Personally, I would stay away from the Registries that require two weeks of paperwork just to change WHOIS information.

Here is my idea for a non-broken/secure domain registrar using public-key crypto.

a) When you register the domain, you provide a public key.

b) The registrar will only ever redirect the domain if they receive a message signed with the corresponding private key.

There is a holding period if you stop paying for the domain, before it is released to the public again. You pay for the holding period in advance, when you do the initial registration.

This can be built today with existing technology.

Can someone please make this? Any feedback? Does this exist already?
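Points (a) and (b) of the proposal, as an added example that is not part of the original comment and not anyone's product: a Go sketch of the registrar side, where the only path that changes nameservers is a message signed by a key registered at signup, so there is nothing for a support agent to be talked into. It goes beyond the single-key proposal in two ways: a sequence number covered by the signature, so a captured request cannot be replayed, and a threshold so a registrant can require M of N keys (threshold 1 is exactly what the comment describes). The holding period is out of scope, and all names here (`ChangeRequest`, `Registration`, `Apply`) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ChangeRequest is what the registrant signs. Every field is covered by the
// signature, so a captured request can be neither replayed (Seq) nor pointed
// at another domain.
type ChangeRequest struct {
	Domain      string   `json:"domain"`
	Seq         uint64   `json:"seq"` // must equal the last accepted Seq + 1
	Nameservers []string `json:"nameservers"`
}

// Signature binds a raw Ed25519 signature to one of the registered keys.
type Signature struct {
	KeyIndex int    `json:"key"`
	Sig      []byte `json:"sig"`
}

// Registration is the registrar's record. Keys and Threshold are fixed at
// signup; there is deliberately no other way to authorise a change.
type Registration struct {
	Domain      string
	Keys        []ed25519.PublicKey
	Threshold   int
	LastSeq     uint64
	Nameservers []string
}

func NewRegistration(domain string, keys []ed25519.PublicKey, threshold int) *Registration {
	return &Registration{Domain: domain, Keys: keys, Threshold: threshold}
}

// canonical is the exact byte string that is signed and verified. Field order
// is fixed by the struct, so both sides produce identical bytes.
func canonical(req ChangeRequest) ([]byte, error) {
	return json.Marshal(req)
}

// SignRequest is the registrant side: sign the canonical request with one key.
func SignRequest(priv ed25519.PrivateKey, keyIndex int, req ChangeRequest) (Signature, error) {
	msg, err := canonical(req)
	if err != nil {
		return Signature{}, err
	}
	return Signature{KeyIndex: keyIndex, Sig: ed25519.Sign(priv, msg)}, nil
}

// Apply is the registrar side. It rejects wrong-domain, stale or replayed
// requests and counts each registered key at most once toward the threshold.
func (r *Registration) Apply(req ChangeRequest, sigs []Signature) error {
	if req.Domain != r.Domain {
		return errors.New("request is for a different domain")
	}
	if req.Seq != r.LastSeq+1 {
		return fmt.Errorf("bad sequence %d (expected %d): stale or replayed request", req.Seq, r.LastSeq+1)
	}
	msg, err := canonical(req)
	if err != nil {
		return err
	}
	seen := make(map[int]bool)
	valid := 0
	for _, s := range sigs {
		if s.KeyIndex < 0 || s.KeyIndex >= len(r.Keys) || seen[s.KeyIndex] {
			continue // unknown key, or the same key presented twice
		}
		if ed25519.Verify(r.Keys[s.KeyIndex], msg, s.Sig) {
			seen[s.KeyIndex] = true
			valid++
		}
	}
	if valid < r.Threshold {
		return fmt.Errorf("only %d of the required %d valid signatures", valid, r.Threshold)
	}
	r.LastSeq = req.Seq
	r.Nameservers = append([]string(nil), req.Nameservers...)
	return nil
}

func main() {
	// Constructed demo: three registrant keys, two required to change anything.
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	reg := NewRegistration("example.com", pubs, 2)
	req := ChangeRequest{Domain: "example.com", Seq: 1, Nameservers: []string{"ns1.example.net", "ns2.example.net"}}
	s0, _ := SignRequest(privs[0], 0, req)
	s2, _ := SignRequest(privs[2], 2, req)
	fmt.Println("2-of-3:", reg.Apply(req, []Signature{s0, s2})) // nil: accepted
	fmt.Println("replay:", reg.Apply(req, []Signature{s0, s2})) // sequence error
	req.Seq = 2
	s0, _ = SignRequest(privs[0], 0, req)
	fmt.Println("1-of-3:", reg.Apply(req, []Signature{s0, s0})) // duplicate key counts once: rejected
}
```

The obvious caveat, raised elsewhere in the thread, carries over: lose the private keys and no phone call recovers the domain, which is why the threshold exists, so that keys can be spread across people and hardware tokens.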

That's way too complicated for the average registrant. There are lots of practical options that could strengthen the process for the average registrant.

Half the battle is for registrars to quit accepting the equivalent of cold calls from registrants. How hard is it to make a call back to the registrant when they're asking for NS, MX, etc. changes?

If the registrant phone number hasn't changed since registration, it's pretty safe to call them back and trust them IMO. If the registrant phone number was changed 5 days ago and someone is calling in asking for changes, that's an easy red flag and could be coupled with a technical restriction that requires escalation for important domain changes.

Another option similar to yours but easier would be to set a pin during registration and to require it for making over the phone domain changes. I guarantee those will get lost / forgotten by the average registrant though.

You'd be shocked at the number of small businesses that don't know where their domain is registered, who registered it, when it expires, etc..

If a domain is making money use a registry lock. If it's a high value domain making tons of money, pay MarkMonitor or similar to manage it.

> That's way too complicated for the average registrant.

I don't care. It's a niche service. There are at least tens of thousands of security-paranoid developers who would be a target market for this product. This is child's play for anyone involved in the blockchain space.

Low cost MarkMonitor

But still there are no guarantees that the registrar's own IT infra is secure, or that there aren't insiders with the wrong root access somewhere?

Yeah, still no guarantee of that. A blockchain solution is ideal, but requires browsers to do DNS lookup using the blockchain.

Namecoin was/is working on this. Another project is mentioned somewhere else in this thread (but it might be a scam, not sure).

I've been through this twice this year where a reasonably large non-tech business came to me requesting help, only to find the credentials for their domain left with some previous employee and the "password reset" emails went to some @hotmail.com address no one knew how to access. Businesses see that sort of thing as normal and expect you'll just call the registrar and have it sorted out.

I absolutely cringe at how easy it's always been for me, but I likewise think anything like you've described would just end up with an awful lot of businesses locked out of their domains.

It's a service for hackers, not for average businesses.

These support jobs are grueling. The pay isn't too great and you are sometimes required to know many years of accumulated sysadmin knowledge for the price of entry-level salaries.

Also, foreign tech support, typically Eastern European. For all the expensive audits tech companies do on their appsec, all it takes is 1 disgruntled Ukrainian who says "fuck those Americans for playing a part in fucking up my country" (or more usually phishing or a bribe) and suddenly a few important domains are compromised.

I wonder if paying the premium to MarkMonitor prevents the risk of foreign and underpaid staff, but the domain industry is more like a commodity now and they hook you in with "cheap cheap cheap".

Also, the only thing crypto seems to be making the news for these days is when a company gets hacked. So much for that revolution.

Seems like missing controls. HSMs, split knowledge and dual control is the name of the game.


> …every peer is validating and in charge of managing the root DNS naming zone…

I don't understand how anyone can read this (and many other statements on the site) and take it more seriously than any other ICO scheme.

For fairness' sake, I propose the entire "crypto" ecosystem move off of DNS to [name of blockchain-based solution deleted] first, and then we can see how it's going after a couple years.

Handshake raised $10mm which was donated (all $10mm) to non-profit organizations and open source projects, including GNOME [1], Debian [2], KDE [3], among others.

Far from an "ICO scheme," the project further allocated the majority of the coins to developers and existing domain holders.

Unlike most decentralized projects you may be thinking of, Handshake is a real project and people are buying domains [4]. Compare the activity on chain with _____, and Handshake speaks for itself.

[1] https://www.gnome.org/news/2018/08/gnome-foundation-receives...

[2] https://dot.kde.org/2020/01/21/kde-receives-generous-donatio...

[3] https://www.debian.org/News/2019/20190329

[4] https://dns.live/

> Unlike most decentralized projects you may be thinking of…

I'm a fan of decentralized technologies. I'm saying that this project makes ridiculous claims, and (having read the FAQ) even the "decentralized" claim is dubious.

> …people are buying domains.

Of course. Speculation is the ICO business model.

> and (having read the FAQ) even the "decentralized" claim is dubious.

You can’t just say something like this without backing it up. Let’s hear it!

> Of course.

Handshake improves security while also giving the added benefit of real ownership of one’s namespace.

People are buying names because they want the names, speculation or not.

> You can’t just say something like this without backing it up. Let’s hear it!

From the FAQ:

"In order to claim your USPTO, European Union, or equivalent government entity in a foreign country registered trademarked domain name during the Sunrise Period, you MUST fill out this form on the Handshake.org website. Only the verified or pending trademark holder or a registered agent thereof can claim a trademark pending or trademarked name…"

"Existing TLDs and over 100,000 Alexa websites are reserved on the Handshake blockchain."

It's not clear to me how this is "decentralized" or "permissionless". If that were true, I'd expect that dispute resolution (for example) would be impossible. The bits of the FAQ I quoted above suggest centralized gatekeepers. Am I misunderstanding?

Several other interesting challenges were brought up here: https://news.ycombinator.com/item?id=20995969

> Handshake improves security…

Because blockchain? https://cloudsecurityalliance.org/blog/2020/10/26/blockchain...

(This is a cryptocurrency pitch, in case the cry for decentralization didn’t make that clear.)

Decentralized naming is going to be critical to an open internet. We've already seen fights over names by corporations and governments.

Decentralization does not imply cryptocurrency but you do need (1) some proof of work to reduce squatting the whole namespace, (2) atomic-ish transactions to ensure one owner of a name, and (3) lots of malicious participants.

Does Handshake have a token? Not all blockchains or other decentralized tech circle back to currency.

Handshake needs a token to create scarcity. Otherwise, what would stop one from registering all the domains in the world? You can read more details about this in "# Decentralized Certificate Authorities and the Blockchain" [1].

[1] https://handshake.org/files/handshake.txt

This project looks interesting. Thank you for taking the (honestly unwarranted) downvote hit to answer questions about it.
