The guide to safe domain name registration


Thomas Vollrath, 123-Reg

Registering a domain, whether for business or consumer use, is a straightforward and hassle-free process. But security breaches – such as domain hijacking and the misuse of personal details – can be an unexpected cause for concern. So what are the potential pitfalls of domain registration and how do you avoid them when making and maintaining your domain name registrations?

Claiming ownership of a domain name is an extremely simple process – just search, choose the appropriate domain and pay. Unfortunately, as with many other online activities, there are potential issues that should be considered before undertaking the process.

“All domain names expire after a fixed period of time, usually after one or two years. Should a business let the domain lapse, even fleetingly, it may be purchased, perfectly legally, by another party”

From the outset, it’s extremely important to research the registrar – the company through which you are considering registering the domain. Some registrars, for example, set terms and conditions that incorporate hidden costs and even rights-of-ownership implications.

September 2011

If a business falls foul of these and then wishes to transfer its domain, it may be open to incurring substantial costs just to do so: often, the fee can be more than the price of a year’s domain registration. Furthermore, it’s not unheard of for businesses to discover that they are not the legally registered owner of the domain – the registrar is – which removes the option to move the domain without further financial penalties, or might even mean losing the domain altogether.

Checking the small print

It is therefore extremely important to check the small print for any reference to these issues, as well as changes in renewal prices and the ‘reserved right to change the Terms and Conditions’ at any point. Although the registrar will be legally obliged to send out the amended terms, and more often than not these changes are minor, it’s very important that these are again read and understood and that, if there is any doubt, questions are asked. It’s also advisable that any conversation is confirmed and outlined in a satisfactory email that can be later relied on if needed.

An additional concern is the financial stability of the domain registrar itself. If it has to go into administration or declare bankruptcy, the original domain owner may find it extremely problematic to renew the domain name when it reaches its expiry date.

Clearly, losing a domain name can have very serious ramifications for the business in terms of brand and site recognition, which in turn can have a knock-on effect on issues such as turnover and profitability.

Unfortunately this isn’t the only way a domain name can be lost. Domain hijacking occurs when the ownership of a domain is transferred without the permission of the original registrant. This happens when personal information about the domain owner is acquired and used to impersonate the owner and persuade the domain registrar to amend the registration details and transfer the domain to another registrar, where it can then be sold to a third party or, in the worst-case scenario, used illegally.

Losing an established online identity in this way can lead to theft of electronic mail services and to the domain name being used to facilitate activities such as phishing, where a legitimate website is replaced by an identical-looking site that records private information such as login credentials. These personal details can then be used in fraudulent transactions and identity theft.

Computer Fraud & Security

Expiring domains

A further element that domain owners need to be aware of to protect themselves is domain expiration. All domain names expire after a fixed period of time, usually after one or two years. If a business lets the domain lapse, even fleetingly, it may be purchased, perfectly legally, by another party.

On the plus side, many registrars do offer some sort of grace period during which the domain can be repurchased, although these periods usually vary depending on the Top Level Domain (TLD) type. For example, a .com will usually have a grace period of around 30 days and a .co.uk of around 90, but a .de extension will become openly available on the day following expiration. It’s just a further element to be mindful of when making a purchase.

Domain names also shouldn’t be registered using personal details such as home addresses and mobile numbers, primarily due to the potential for ‘hijacking’. It is possible to purchase privacy services, where details such as names and numbers can be hidden, for just a few pennies a day. Businesses should be aware, however, that the availability of these services is also dependent on the TLD – .com domains can legally remain anonymous, but .co.uk domains that are used commercially cannot, and trading businesses are obliged, by law, to show at least their trading address.

Despite the growing risks, the majority of problems can be avoided by using an established and recognised registrar with experience of these issues. This will also usually ensure that all processes such as renewal are streamlined and simple for the end user.

About the author

Thomas Vollrath is MD of the Webfusion Group, which includes registrar 123-Reg. He holds a BA from Franklin College in Switzerland and an MBA from Long Island University, New York.

Secure knowledge

Wendy Goucher, Idrach

In most civilizations, easy access to information, especially in the written form, is a recent phenomenon. In the days when slavery was a cultural norm, one way to maintain control was to ensure the slaves never learned to read. Those owners who defied that stance were sometimes ostracised from their community as there was the fear that these educated slaves would spread rebellion to other estates. It was not reading itself that was feared – it was the access to information that the skill gave.

With the advent of moving pictures and home-based visual entertainment in the form of television, the information that could spread extended to the visual. Those who witnessed the pictures from Vietnam in 1972 of a young girl, Phan Thi Kim Phúc, fleeing from a napalm attack will always remember it. It was a powerful image that won a Pulitzer Prize for cameraman Nick Út. For younger people, their key image may well be the plane flying into the Twin Towers or the flowers carpeting the gates of Kensington Palace after the death of Diana, Princess of Wales. All of these carry information and it has never been so easy to access it – even if it’s not always fully understood.

Daytime television has many examples of confessional and confrontational programs where participants are encouraged to share the most intimate details of their lives with the viewing public. As a consequence, the idea that no secret is too personal not to be shared with the nation has seeped into the public psyche.


Leaking information

In this context it can be no surprise that significant and sensitive information is leaving organisations at near-unprecedented rates. Of course, the development of technology that enables large amounts of information to be stored on small media makes this removal possible and the likelihood of detection is commonly felt to be low. However, that is to put the blame too squarely at the door of technology and end users. As with any complex problem the issue is rarely that simple.

“The message was clear – security is important and breaches undermine all other work”

The attitude to information enshrined in the organisational culture affects its security. In particular, where the company or division is – or until recently has