Wednesday, 26 July 2017

Nominet Domain Lock

Nominet have a new service called domain lock, and it is described here.

A little while ago I got an email about this and was puzzled, not only that it was a chargeable service, or the disproportionately high cost, but also that it seems to be targeted at the registrars and not the registrants.

It looks like a lock that stops certain things, like change of DNS or registrant details, unless/until unlocked. It looks like the unlocking is done by the registrar. I would have expected locking to be tied to a 2FA that is known only to the registrant, but reading it, that does not seem to be the case.

The email explained, if I remember correctly, that the idea was to stop any risk of things changing without authorisation. That is odd, as surely any unauthorised change would mean someone was being negligent (possibly Nominet) and that the change can be quickly corrected.

It also does not seem to protect against DNS injection attacks, etc. This is something DNSSEC should do, and is something Nominet do not charge for.

As a registrar, we have the ability (acting on our customer's authority) to make changes to a domain. There is the risk that our security checks are not good and we take instructions to make a change from someone that is not the registrant. We are careful, obviously. We have actually added two factor authentication to our systems (free of charge) to help our customers have the assurance that we would not fall for such scams. But having 2FA from us to Nominet seems like a pointless step: if we lacked good security, we'd take bogus instructions, unlock the domain, make the change, and lock it again.

Indeed, one of the assurances registrants have at present is that, if they fall out with their chosen registrar, they can go to Nominet to change registrar and details on the domain directly for a fee. This means rogue registrars cannot hold people to ransom in any way. The domain locking feature seems to undermine that - as there cannot be any way to bypass the registrar's domain lock by pleading to Nominet, obviously. If that was possible then it would make this service useless.

So I asked Nominet, listing some of the ways a domain could be changed without authority of the registrant or registrar... I really struggle to find many where Nominet would not already be negligent to allow such a change. But I asked about...
  • If the police ask for a domain to be shut down (I say "ask" as I am not sure proper legal authority to do so always exists or that they always present it in such cases)
  • If some copyright related notice requests a domain to be shut down
  • A court orders Nominet to change DNS or other details
  • If someone takes a case to DRS and the registrant loses the case and domain ownership is to be transferred
  • If the registrar does not pay Nominet fees and the domain becomes overdue
Of course, if the registrar stops paying the domain lock fees, does it automatically unlock too?

I have not even had an acknowledgement of my questions, let alone a reply. I assume none of those cases are in fact "protected". Yet, dubious allegations sent to the police against a domain holder, or even hacking one of their pages and then sending allegations, or faking dodgy email from a domain, is one way for someone to "take down" a major domain if they want to, so something to protect against.

Can a company that has the responsibility for the integrity of a database really say "that's a nice domain, it would be a pity if someone was to make an unauthorised change to it, wouldn't it?" and start asking for such a large sum to do its job and protect the integrity of the database?

Have I missed the point of this "service" somehow? Maybe someone can explain the logic here...

10 comments:

  1. Of course it is a protection racket... they are charging *more* to protect the record in the database than they charge for the record living in the database!

    I find it absolute madness that they deprecate (and then remove) the PGP-based Automaton system in favour of a 2FA system when the PGP-based Automaton system actually had a proven track record of security.

    I do not believe that Nominet have ever published details as to the when, where and how any specific domains have ever been 'compromised' in the manner with which the Domain Lock service would have protected them.

    Replies
    1. I am glad it is not just me that finds this "odd"!

  2. I think Nominet is kind of wrong on this one.

    CIRA and Verisign (registries of .ca and .com respectively) offer a registry lock feature and it's geared towards the registrants/owners of domains. The idea being a compromised domain register couldn't hijack the nameserver or DNSSEC records of a domain unless they [the attacker] socially engineered the registry or had a rogue insider at the registry. It's designed to protect the domain from a hack of the register and can online be unlocked by the registrant/owner of the domain.

    Domain register hacks have happened before. Remember Melbourne IT and New York Times?

    http://www.nytimes.com/2013/08/28/business/media/hacking-attack-is-suspected-on-times-web-site.html

    If you do a whois on google.com (as an example) you will see serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited. (This is the registry lock)

    I feel that, since CIRA and VeriSign have no public registry management interface, the locking and unlocking processes are done manually by a human (I know the latter costs several thousand dollars per year per domain) and that probably justifies the high cost. I feel an option using PGP or TOTP with offline backup codes would be adequate.

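An added example, not part of the comment above or of any registry's tooling: a check that reads the status lines the commenter mentions from whois output and separates registry-set `server*` prohibitions from registrar-set `client*` ones. It assumes gTLD-style `Domain Status:` lines; the function name `lock_report` and the sample domains are hypothetical, and the sample output is constructed.

```python
import re

# EPP status names come in two families: "client*" values are set by the
# registrar, "server*" values by the registry.
ACTIONS = ("Delete", "Transfer", "Update")
STATUS_LINE = re.compile(r"^[ \t]*Domain Status:[ \t]*([A-Za-z]+)", re.MULTILINE)


def lock_report(whois_text):
    """Summarise which prohibitions the registrar and the registry have set."""
    seen = {m.group(1).lower() for m in STATUS_LINE.finditer(whois_text)}

    def held(side):
        return [a for a in ACTIONS if f"{side}{a}Prohibited".lower() in seen]

    client, server = held("client"), held("server")
    return {
        "registrar_set": client,
        "registry_set": server,
        # The comment treats the three server* statuses together as the registry lock.
        "registry_lock": server == list(ACTIONS),
        # Actions protected only by the registrar's own account security.
        "registrar_only": [a for a in client if a not in server],
        "unprotected": [a for a in ACTIONS if a not in client and a not in server],
    }


# Constructed sample output (not captured from a real lookup).
LOCKED = """\
Domain Name: LOCKED.EXAMPLE
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

REGISTRAR_ONLY = """\
Domain Name: PARTIAL.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

if __name__ == "__main__":
    for name, text in (("locked", LOCKED), ("registrar-only", REGISTRAR_ONLY)):
        print(name, lock_report(text))
```

A domain that reports only `registrar_only` entries is exactly the case the comment describes: anyone who compromises the registrar account can clear those flags.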
  3. Replies
    1. Standard sed, regex, style edit command, also common on things like irc where you cannot edit what you sent. Means substitute "online be" with "only be", i.e. in his comment he made a typo.

    2. That exact 'substitute' command syntax takes me back to the first ever text editors that I ever used, from the 1970s, on DEC mainframes. Wave of nostalgia.

  4. The particularly interesting thing about the Nominet domain lock is that it isn't a new product - Nominet launched a domain lock service several years ago where the registrar had to authenticate to Nominet over the phone using a passcode in order to unlock the domain.
    What Nominet have now done is to extend the existing online services 2FA (which is now mandatory for registrars) to the domain lock (thereby removing the manual element and reducing their costs) and re-launch the domain lock services as if it is something new whilst also silently increasing the price by 20% (£75/year to £90/year).

    Verisign and other registries have similar commercial services for their registries. The Verisign service is called "Verisign Registry Lock Service" and is different from the normal lock/unlock when making changes on a domain.

  5. Nominet does seem to have gone crackers here, or are they just simply taking the piss? Asking for £90 to fulfil the responsibilities that they already have anyway? That is what it seems like to me. They haven't said the logical implication yet - "we have thick / complacent staff and inadequate security and quality procedures, so you need to worry and we really do need to be paid £90 to do our jobs properly". No, Nominet, I trust you to do the right thing always and so I don't feel any need to cough up this, er, protection money, that's right isn't it? Oh no sir, honestly, we genuinely are that crap, you'd be mad to trust us, so you really had better pay up just to be safe. Is this a Bremner, Bird & Fortune sketch that I've fallen into?

    Presumably someone could remind Nominet that if their stupid staff fail in their duty to act properly and protect customers at all times diligently then they possibly could face action for damages? (For all I know. Where's Neil?)

    Unbelievable. I naively thought they were better than this.

  6. And regarding the lock services of other outfits, which I have used in the past, in those cases I just treated it as a way of registering _your own intent_ with the registrar, that all requests for changes should be binned straight away. A case might be where a rogue employee at your own organisation sends an email to the registrar that uses the established contact details, or if another registrar tries to kick off a transfer process. Just like a safety catch over a button. You have to do two actions to do the bad thing rather than just one. Turning the lock switch on/off just amounted to a flag set table in their website control-panel UI, and no human staff faffing about or expense was involved. I don't remember ever paying anything for such features, or anyway if it was something, it was peanuts in some cases.
