[BBLISA] domain registrar security

Tom Metro tmetro+bblisa at vl.com
Sat Apr 3 01:13:06 EDT 2010


Bill Bogstad wrote:
> Tom Metro wrote:
>> ...what are the best practices for maximizing your DNS security.
> 
> You could become an accredited domain registrar:
> 
> http://www.icann.org/en/registrars/accreditation.htm
> 
> Barring that, you are going to be subject to social engineering
> whoever you use.

Yes, I know. I was asking about DNS, rather than domain registration, 
but as you brought it up, I'll split off a thread.

Others have suggested the "self-registrar" option, but at - I believe - 
$8K per year, it isn't practical in most cases.


> It seems like you need to find one who charges enough money to make it
> profitable for them to institute real security mechanisms.
> 
> The thing is you are not going to get this for $10-20 dollars a year...

Agreed, and that's fine. Paying more for a high value domain is 
perfectly reasonable.

In my case I wasn't using Dreamhost because they were cheap. I was using 
them because they provided precisely the domain registrations features I 
thought I wanted for a fair price. (Years ago I used GoDaddy, but their 
used car salesman approach to things drove me away.)

It was my mistake in not realizing the appreciation my domain had 
undergone in the 15 years I've owned it (I was aware to some extent due 
to offers I've received, but apparently even those undervalued it), and 
not realizing just how determined a thief might be, such that I needed 
to be concerned not only with my own security practices, but the 
internal practices of the vendors I choose.

Sure, I'd heard of domain thefts before. But they were of popular words 
that would draw high traffic or recognizable company names, not random 
two-letter domains. I hadn't heard that there was a recent rash of 
thefts happening targeting such domains.


> Perhaps one who requires you to submit SSL client certificates when
> you register your domains with them.

Yes, that's a thought, and something that could be done in a relatively 
user-friendly manner. Probably easier than doing PKI via email.

One commenter on a domain theft article recommended Internet.bs - the 
receiving registrar in my domain theft - as a good high-security 
registrar. They supposedly use two-factor authentication from Verisign.

The problem is that unless the people at the registrar are superbly 
trained, the registrar is still the weak point.

I'd rather see a system where the domain owner has to go through a PKI 
exchange with the "super registrar" (for .com, Verisign) in order to 
unlock a domain for transfer. The super registrar encrypts a code using 
your public key and you decrypt it and send it back encrypted 
with their public key.

Then I can take my private key, put a long password on it, stick it on a 
couple of USB thumb drives, and lock it in a safe (one onsite and one 
offsite).

This way no one, not even my registrar, can "push" through a transfer.

Of course the super registrar then becomes the point of attack, but it 
is more easily hardened. The simple fact that they only have to deal 
with other registrars, and not random, unknown end-users, makes it 
harder for an attacker to attempt social engineering.

Short of this, any registrar that claims to have high security is merely 
creating a facade that their employees (certainly their developers) have 
the ability to subvert.


> Or for the ultimate in security make it like PGP key signing.  You
> have to show up in person with two photo ids in order to make any
> changes to your domain.   Maybe an RSA SecurID
> card for two factor identification.  Perhaps a little expensive, but
> how much is control over your domain worth?

This is what should be done as part of the fall-back system if you've 
lost your key.

Dean Anderson wrote:
> Using per-user SSL certificates doesn't improve one's ability to 
> counter social engineering efforts; that either makes no change...

Correct.


> What happens when you lose the certificate or the password? 
> 
> In any case, when you lose the login password or cert, someone has to
> identify the owner based on paperwork: drivers license/id card,
> corporate documents; billing account numbers and payment amounts.

Correct. You lose the key, you have to call the locksmith and wait for 
the process to happen.

Rarely is there a need to transfer a domain quickly. If you've lost your 
keys for the easy/fast way, then you suffer through a slow paperwork 
shuffle. I'm good with that.

One could make the case that domain transfers should really have a grace 
period enforced by the super registrar, so that all informed parties 
have had their opportunity to object.

If I remember correctly, it actually used to work that way in the '90s.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
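The challenge-response unlock that Tom sketches above (super registrar encrypts a random code to the owner's public key, the owner decrypts it and returns it encrypted to the registrar's key), worked through as an added example in Go. This is illustrative code written for this archive, not anything from Tom, Dreamhost, Verisign or any real registry. It assumes RSA-OAEP with SHA-256 as the encryption primitive, models the "super registrar" as a hypothetical in-memory Registry type, uses the constructed domain name example.com, and leaves out the paperwork-based key-recovery fallback discussed later in the thread.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Party is anyone holding an RSA key pair. For the domain owner the private
// half is what Tom would keep on password-protected thumb drives in a safe;
// only the public half is ever registered with the super registrar.
type Party struct{ priv *rsa.PrivateKey }

// NewParty generates a fresh 2048-bit RSA key pair.
func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// Public returns the half of the key that may be published.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// sealTo encrypts a short message to pub using RSA-OAEP with SHA-256.
func sealTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// open decrypts an RSA-OAEP ciphertext with the party's private key; a
// ciphertext sealed to some other key fails the OAEP check and errors out.
func (p *Party) open(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Registry models the hypothetical "super registrar": the public key on file
// for each domain plus at most one outstanding unlock challenge per domain.
type Registry struct {
	self    *Party
	owners  map[string]*rsa.PublicKey
	pending map[string][]byte // domain -> plaintext challenge code, one-time use
}

func NewRegistry() (*Registry, error) {
	p, err := NewParty()
	if err != nil {
		return nil, err
	}
	return &Registry{self: p, owners: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}, nil
}

func (r *Registry) Public() *rsa.PublicKey { return r.self.Public() }

// RegisterOwner binds a domain to an owner public key (enrollment happens out
// of band, e.g. through the slow paperwork process the thread describes).
func (r *Registry) RegisterOwner(domain string, pub *rsa.PublicKey) { r.owners[domain] = pub }

// IssueChallenge is step 1: a random code, remembered for this domain only and
// handed out encrypted under the registered owner key. Anyone may ask for it;
// only the holder of the matching private key can read it.
func (r *Registry) IssueChallenge(domain string) ([]byte, error) {
	pub, ok := r.owners[domain]
	if !ok {
		return nil, errors.New("unknown domain")
	}
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	r.pending[domain] = code
	return sealTo(pub, code)
}

// OwnerRespond is the owner's side: decrypt the challenge with the private key
// and send the code back sealed to the registry's public key.
func OwnerRespond(owner *Party, registryPub *rsa.PublicKey, challenge []byte) ([]byte, error) {
	code, err := owner.open(challenge)
	if err != nil {
		return nil, fmt.Errorf("cannot read challenge: %w", err)
	}
	return sealTo(registryPub, code)
}

// VerifyResponse is step 2: decrypt the reply and compare it in constant time
// with the code issued for this domain. The pending code is consumed either
// way, so a captured response cannot be replayed and a bad guess forces a
// fresh challenge.
func (r *Registry) VerifyResponse(domain string, resp []byte) (bool, error) {
	code, ok := r.pending[domain]
	if !ok {
		return false, errors.New("no outstanding challenge for domain")
	}
	delete(r.pending, domain)
	got, err := r.self.open(resp)
	if err != nil {
		return false, fmt.Errorf("malformed response: %w", err)
	}
	return subtle.ConstantTimeCompare(got, code) == 1, nil
}

func main() {
	reg, _ := NewRegistry()
	owner, _ := NewParty()
	reg.RegisterOwner("example.com", owner.Public()) // constructed domain
	ch, _ := reg.IssueChallenge("example.com")
	resp, _ := OwnerRespond(owner, reg.Public(), ch)
	ok, err := reg.VerifyResponse("example.com", resp)
	fmt.Println("unlock granted:", ok, "err:", err)
}
```

The point the example makes concrete is the one Tom draws: nothing the registrar's staff or developers hold can satisfy VerifyResponse, because only the owner's private key opens the challenge. What it does not solve is key loss, which is why the fallback still has to be the slow, in-person identity check discussed further down the thread.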



More information about the bblisa mailing list