Building

Protecting Your Valuable Asset – Your Domain Name

In September we looked at what you as a domain name registrant can do to protect the security of your domain name. This month we’re going to look at the services that registrars and registries provide to help you protect the security of your domain name. Mostly they require the registrant to subscribe or opt in.

2017-11-20

Registry Locks

Many top level domains (TLDs) now offer what is known as a “Registry Lock” which is available through your domain name registrar. By enabling a Registry Lock, which is known under different names for different extensions, or TLDs, the WHOIS information cannot be modified, nor a domain name transferred, until the registrant’s registrar, such as Key-Systems, removes the “lock”. When there is a request to change registrant information or transfer a domain, it can only be completed when someone from the registrar requesting the change or transfer verifies the transfer is legitimate. For added security this is usually through a telephone call from a registry, the company that manages the domain extension.

A Registry Lock will also prevent changes occurring following a cyberattack on a registrar where WHOIS information is stolen. From the registry’s perspective, without a Registry Lock enabled, they have no way of knowing if a request to modify your WHOIS information is legitimate or not. When a Registry Lock is implemented, the registrar has to confirm the request is legitimate.

Some companies have learnt the hard way why they should have had a Registry Lock including Google and Yahoo. Both companies were attacked with their WHOIS information changed, resulting in their domain names being redirected to fraudulent websites. Imagine your businesses domain name being redirected to a fraudulent website. Your customers’ financial and personal information, along with their money, may disappear to criminals.

DNSSEC

DNSSEC, or Domain Name System Security Extensions, is another very important tool that was developed to address critical security shortcomings in the domain name system (DNS), which, when implemented, makes the internet safer for all users.

DNSSEC works to protect from malicious actions such as man-in-the-middle attacks, cache poisoning, spoofing attacks and pharming, the latter being where internet users are directed to a spoofed, malicious website rather than the one they intended to visit.

When DNSSEC is implemented they can be sure, for example that when they are visiting their bank’s legitimate website and not one that criminals have set up. It means the chances of a company’s domain record being successfully modified by an unauthorised party is significantly reduced.

DNSSEC is made available by many of the registries behind TLDs, including most of the popular ones as well as the majority of new gTLDs, providing the option for each registrant to digitally “sign” their domain name. Unfortunately awareness, and as a result take-up, is low.

With DNSSEC, whenever any record is changed, the change is recorded. The digital signatures, and keys used to create them, are distributed just like any other records in the DNS making DNSSEC backward compatible.

Two-Factor Authentication

Two-factor authentication, also called two-step verification, is a security method that means the online user has to provide two methods of verification when logging in. Many online services currently require, or make available, the option.

Online services typically require at least one form of authentication to verify an identity – a typed password. But passwords have proven time and again to be vulnerable to attacks. As ICANN have noted, passwords “can be guessed, stolen, intercepted or even traded away for candy bars. Entire databases of passwords have been breached, and such breaches are occurring altogether too frequently.”

So additional factors of authentication have been introduced, with two-factor authentication becoming very popular. After logging in with one’s password, commonly a text or email is sent to the registered mobile phone number of email address the user has registered with. Another option sometimes used is a special hardware device called a security token.

The combination of password and a second method of authentication is more difficult for an attacker to obtain. This makes accounts that use two-factor authentication more resilient to attacks.

SSL Certificates

SSL Certificates, or Secure Socket Layer Certificates, are a global standard that enables encrypted communications between web browsers and web servers. They are used by millions of online businesses to decrease the risk that their customer’s personal and financial information are stolen or interfered with.

Having an SSL Certificate enabled is another means for your customers, clients and partners being certain that they are visiting a legitimate website and the data they are sharing is encrypted. There are different types of SSL Certificates available depending on the number of domain names, sub-domains and the level of validation needed.

Share this content on social media channels!