At Blendle we recently thoroughly reviewed the security of our domain names. In this blog post we will describe what we have learned, and what measures we have taken since to protect the domain names that are critical to the operation of our business.

About registries and registrars

First, a few words on the different entities involved in the domain name ecosystem. In order to reserve a domain name, a registrant must register it with a registrar or one of their resellers. Some of the largest and most well-known registrars include eNom, Tucows, and Network Solutions. Once a domain name is registered, the registrar sends the domain name information up to the registry operator that, in turn, enters the information into a centralised registry database. While registrars are responsible for the day-to-day business of selling domain names, registry operators are responsible for maintaining the registry for a top-level domain name. Verisign is the most well-known of all registries, and is the authoritative operator for the top-level domain names com, and net.

A simplified overview of how registrants, registrars, and name servers fit together.

What is domain hijacking?

Domain hijacking (or domain theft) is the practice of changing the registration of a domain name without the permission of its legal registrant. It works by tricking the registrar into updating the name servers of the domain or contact information associated with the domain. The registrar pushes these changes up to the registry, after which others will treat those changes as authoritative. In the worst case, attackers managed to move the domain to a new registrar, making a recovery process far more difficult. In which case your only hope is to appeal to the registrar that lost your domain name, or the registrar the attacker managed to transfer the domain name to, and hope the registrar does the right thing. If that doesn’t help, the only option left is to file a legal complaint with the internet’s governing body, ICANN.

An attacker abusing privileges to push changes to the registry.

Examples

These are some examples of domain hijacking incidents that made the news in the past couple of years.

In 2012, social bookmarking service Diigo lost control of their domain. Attackers managed to transfer the domain to another registrar. As a result, millions of customers couldn’t access the site for over two days.

In 2013, the the Syrian Electronic Army (SEA) hacked the New York Times’ registrar, and updated the name servers for nytimes.com.

In 2013, the domain name of Michael Lee’s graphic design and advertising business, mla.com, was stolen. His business lost about $200,000 in sales, which forced him to lay off personnel. It took him almost two years to get the domain name back.

In 2014, Jordan Reid, a popular lifestyle blogger, had the domain name ramshackleglam.com stolen. She got the domain name back in several days after intervention of her lawyers and the FBI.

In 2015, the domain name of ShadesDaddy was stolen for 11 days. The company lost about $50,000 in revenue, which forced the company to lay off six of their eight employees.

In 2016, criminals hijacked the domain name of a major Brazilian bank. All of the bank’s operations were under attackers’ control for more than five hours. In that five-hour window, customers were redirected to phishing sites, which allowed the attackers to steal the customers’ login credentials.

What is the problem?

Domain hijacking, as explained in the previous section, occurs at the registrar level. Until recently, we had all our domain names managed by multiple registrars. Unfortunately, these registrars compete mostly with each other on price, and security is not their main focus. We identified several issues, listed in no particular order:

No support for multiple users under the same registrant account.

Insufficient authentication validation of requests through phone or email.

No support for two-factor authentication.

No support for multiple authorisation levels, any privileged user can undo security settings.

No two-person (or split-password) rule.

Most registrars only offer a single user account, which doesn’t work for organisations, because employees, who have the passwords, will eventually leave. The domain names, on the other hand, stay with the organisation. Also, most registrars allow any privileged user to undo security settings, allowing them to initiate transfers and update name servers. There is no two-person (or split-password) rule, which means that anyone who has access to the registrar account is able to make updates to the domains, whether it is an attacker who compromised your registrar account or an employee gone rogue.

Lock down all the things!

Before we started talking to candidate registrars, we defined the following requirements:

Registry locks are applied consistently to mission-critical domain names, e.g. blendle.com, and other customer-facing domain names like blendlecdn.com, and blendleimg.com.

Role-based contacts (e.g. “Blendle Hostmaster”) are used to prevent individuals from being targeted by attackers.

Domain names are renewed automatically, such that the window of expiration is at no time less than one year, preventing accidental loss of the domain name.

Multi-user, out-of-band, approval process is used to unlock domain names for updates.

Domain names can be locked at the registrar level using a ‘registrar lock’, which prevents updates, including transfers and deletions, unless the lock is explicitly removed. However, this lock doesn’t mean much for security. If an attacker gains access to your account, they can remove the lock themselves, and make whatever changes they want.

A registry lock, on the other hand, provides much more security, because it prevents updates by any registrar. Removal of this lock requires “out-of-band” communication between the registrar and the registry (e.g. Verisign). It’s a manual process, and thus very costly, which means there aren’t many registrars that have implemented it.

In the past few months, we have talked to many registrars, asking them about support for registrar- and registry-level locks, and unlocking procedures. Unfortunately, we only found handful registrars that could, or were willing to, meet our requirements:

CSC and MarkMonitor have a background in brand- and intellectual property protection, but all offer more or less the same security features. If you are already a Cloudflare customer (on the Enterprise plan), it makes sense to look at their Registrar product. We ultimately partnered with CSC to manage our domain portfolio, and lock down our mission-critical domain names.

Authorisation process

In order to transfer or update a registry-locked domain name, the lock needs to be removed (temporarily). This is what our unlocking procedure looks like:

An administrator in our organisation requests an update (e.g. name server change) to a registry-locked domain name, implicitly requesting the registry lock ) removed. Removal of the lock needs to be approved by each and every designated representative (e.g. legal, management) of our organisation. They are contacted by the registrar via telephone, and required to provide the pre-agreed passphrase. On behalf of the registrar an authorised individual submits a request to the registry operator (Verisign) to remove the registry lock. This individual is then contacted by the registry operator via phone, and required to provide the pre-agreed passphrase in order for the domain name to be unlocked. A time-window opens up in which changes can be made.

Check your domain locks

In order to check whether a domain is locked at the registry level, you could, for example, use Verisign’s whois lookup tool. After you enter the domain name, and hit enter, in the whois record, you find up to four “Domain Status” fields: “Delete”, “Renew”, “Transfer”, and “Update”. Of which “Delete”, “Transfer”, and “Update” are critical for locking your domain. Your domain is registry-locked if the record includes these domain statuses:

serverDeleteProhibited

serverTransferProhibited

serverUpdateProhibited

If the whois record for your domain only includes the mandatory clientUpdateProhibited status, it means the domain is only locked at the registrar, but not at the registry.

Here is the whois record for blendle.com , the domain name most critical to our business. The three “server” statuses indicate that the domain is locked at the registry level.

Whois record for blendle.com.

What we learned

The domain name blendle.com is one of our most valuable assets, as it represents our (online) identity. But just as important are the domain names that we use in our production environment (e.g. APIs, CDN, email).

What we learned is that most registrars aren’t very well-equipped to offer the level protection that we require for these domain names that are critical to our operation. We were somewhat surprised to learn how exposed our domain names really were. For attackers, it takes relatively little effort to compromise a registrar account, and transfer away a domain name, but for an organisation it takes considerably more effort to recover from that situation. This is largely caused by the way most registrars operate. They operate on volume, and thus have little incentive to invest in (expensive) security controls.

We have put our high-profile and mission-critical domain names in the hands of a registrar that has demonstrated convincingly that they take protecting domain names very serious. There are no silver bullets in security, but through security controls and strict procedures we have raised the bar significantly higher for attackers.

It will take some coordination to implement these measures, and, of course, a much heftier recurring fee, but we are convinced that it is well worth the investment. Just consider how even a temporary loss of your main domain name would affect your operation.

If you have any questions, send me a direct message on Twitter or send me an email at koenrh@blendle.com.