Do you need solid-gold domain name security?

Do you need solid-gold domain name security?

Summary: Network Solutions is opting their high-profile customers in to a $1,850 service to super-lock domains. Make sure they don't think you're in the 1%.

SHARE:
TOPICS: Security
0

If you have a high-profile web site and protecting your brand means protecting your domain name, then it makes sense to expend some resources in order to prevent a hijack of the site. Registrar Network Solutions, part of Web.com, is now offering such a service. called WebLock. The launch hasn't gone well so far.

First, a little background: Back in the middle of the last decade there was a major problem with domain name theft. Through a variety of fraudulent techniques, bad actors could trick a domain name registrar into transferring your domain name to them. Good luck getting it back when that happened.

It took a long time, but to address the situation a new feature was added which is standard with domain names: the REGISTRAR-LOCK option. When you turn this option on, then modification of the domain name or contact details, as well as deleting or transferring the domain, are all prevented. You have to unlock it first, and the procedures for that are intentionally cumbersome. And REGISTRAR-LOCK is free from any honest registrar.

Some time later, VeriSign, the registry for .COM, .NET and some other important top-level domains (TLDs), began offering a service called Registry Lock (not registrar). The idea being to prevent any fraudulent transfers of the domain at the registry level, when any changes to the domain records are requested of the registry:

    ...an authorized individual at the registrar must submit a request to Verisign to unlock the domain name. This requester is then contacted by Verisign via phone and required to provide an individual security phrase in order for the name to be unlocked. This “out-of-band” step protects against automation errors and system compromises.

Network Solutions/Web.com is now offering a service called WebLock, targeted at high-value sites. WebLock implements VeriSign Registry Lock and also implements the same type of added authentication checks on their end. At least two individuals at the customer organization and their contact information are "onboarded" into a special database at Web.com. The organization is given a special nine digit PIN.

Whenever a change is requested for a WebLock-protected domain, Web.com calls the contacts and asks them for the 9 digit PIN. The other contacts in the database for that organization are notified of the change being made. A similar service was just announced by Internet Registration Corporation of Hong Kong for the .hk domain.

Web.com's criteria for selecting sites for WebLock were:

  1. Domains registered to a Fortune 1000 or a Global 5000 company
  2. High Traffic: Domains that fell within Google Page Rank >6 and an Alexa rank of 1-250,000. 

WebLock is not live yet, but Web.com has been announcing it service directly to customers. There's no evidence of it on their site for now. The way I found out was because Brent Simmons, a well-known and respected software developer, received a note from Network Solutions saying that he would be opted into WebLock for his domains with them and that he would be billed $1,850 for the first year and $1,350 for subsequent years. Here is an excerpt of the email sent to Simmons:

Starting 9:00 AM EST on 2/4/2014 all of your domains will be protected via our WebLock Program. Here is how the program works:
  • In order to make changes to your Domain Name's configuration settings you must be pre-registered as a Certified User.
  • All requests for Domain Name configuration changes must be confirmed by an outbound call we make to a pre-registered authorized phone number you establish. A unique 9 digit PIN will be required when we call.
  • A message alert will be sent to all Certified Users notifying the team which Certified User has made the request.
  • In addition WebLock enrolled customers will have access to a 24/7 NOC and rapid response team in the event of any security issues.
To establish Certified Users and pre-register authorized phone numbers and email addresses please call 1-888-642-0265 Monday to Friday between 8:00AM and 5:00PM EST. Please make sure to establish Certified Users with authorized phone numbers and email addresses before launch date. Once established, the unique 9-digit PINs for each certified user will be mailed to you within 45-days.

To help recapture the costs of maintaining this extra level of security for your account, your credit card will be billed $1,850 for the first year of service on the date your program goes live. After that you will be billed $1,350 on every subsequent year from that date. If you wish to opt out of this program you may do so by calling us at 1-888-642-0265.

Simmons thought it must be a scam, so he tweeted a screenshot of the email to Network Solutions, and they tweeted back "It is real! ^rr".

Obviously Web.com screwed up in even offering this service to Simmons, whose two domains are very low-profile and don't come close to meeting the criteria. He was justifiably upset to be automatically opted in to the service, and if web.com has been offering it to other inappropriate customers then they have a problem they have to fix pronto.

I also don't see any justification for opting customers in automatically. But the service itself is not without value and, to a big-time site, would be nice feature to have.

I spoke to Web.com's CTO, Jane Landon. She cleared up many confusing issues and explained the value in the system, but she couldn't explain why Simmons got on the list for the service and argued that the ability to opt out was sufficient for customers who didn't want the service. A story late yesterday at Wired quotes Web.com COO Jason Teichman telling a very different story:

    "I will admit that email is not worded properly, and not worded in any way what represents what we're going to do," says Teichman. "No customer will be enrolled in this program without their consent, period. No customer will have to opt out, period."

So it sounds like in the few hours between our conversations, web.com changed their policy, because the email makes it perfectly clear that customers would be enrolled automatically. I hope they'll be sending out a correction to the same customers soon.

Is it worth $1,850? Some portion of that payment is passed on to VeriSign for their Registry Lock; this is what they mean when they say "To help recapture the costs of maintaining this extra level of security for your account..." Even so, that's a lot of money for the possibility of handling some phone calls. It's only worth it if you do get attacked. Otherwise, it's pure profit for web.com and VeriSign.

Extra Credit: There's a really interesting story in the very first theft of a domain name, that of sex.com. Network Solutions Inc, then basically the network manager for the whole Internet under contract to the US government, plays an ignominious role in the tale. Reporter Kieren McCarthy wrote a book in 2007 about the story called Sex.com. I wrote a review of it at the time which you can read here.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion