Ask HN: What domain registrars take security seriously?

9 points by mkeedlinger ↗ HN
I (like many others) use email that's hosted on a domain I own. Are there domain registrars out there that take security seriously enough to, for example, be immune from someone faxing a fake ID to support to get access [0]?

I would be happy to hear of email providers, etc, that also take things as seriously. I can't imagine what hell it would be if someone got access to my email...

[0] https://news.ycombinator.com/item?id=29715989

13 comments

[ 4.3 ms ] story [ 45.7 ms ] thread
I have switched almost exclusively to Cloudflare. I really like the wholesale pricing and security. I'm sure you know this, but enable hardware or software 2FA.
How does 2FA help against the attack vector that someone is faxing a fake ID to your registrar?
I generally like cloudflare, but I've never seen anything that's convinced me they're immune to similar attacks. It would be more convincing to see whatever policies they have for protection, and perhaps more anecdotal evidence.
Cloudflare senior execs are contactable via HN, for now at least.
Hi
Hi John!

I've actually had a Cloudflare account since 2018, but have never seriously used it for one reason or another. I also own NET shares that have treated me quite well (thanks). Anyways, I digress, but since you've taken the time to respond to me I decided to go digging on the Cloudflare website and see if I could find any policy or promises that could give some higher level of assurance (than what, I'm not entirely sure. Something more than GoDaddy, I suppose? Not that that's what I currently use).

During a somewhat thorough (though admittedly hasty) search of my account dashboard and the help center, the only related thing I could seem to find was this [0] support article which is only tangentially related. It also only seems secure from social engineering attacks because it does not actually reference any human contact. I did also click through 90% of the support contact form (which I'm glad exists!), for whatever that's worth.

Looking at any of the offerings available (Namecheap, GCP, etc), I'm honestly not even sure how to differentiate offerings (no one says they're insecure), except to maybe do basic reputation comparisons. Given the level at which I depend on my various services, it would be reassuring to hear something as extreme as needing a notarized letter for account recovery!

Maybe you can speak to this?

As a complete tangent (not targeted at you): it seems that getting details like this fleshed out is kind of impossible unless you're doing large B2B deals. Somewhat related, I've noticed a large trend towards companies that are difficult to get a hold of (you can see the litany of posts here on HN about it), and companies that pine over the little guys are few. Thinking on it, of the companies that did respond well to requests to support, I can't think of one I don't still use to this day.

Sorry for the wall of text! Thanks for taking a look.

[0] https://support.cloudflare.com/hc/en-us/articles/203471284-L...

Cloudflare pricing is tempting but I prefer to have my domain and DNS records to be independent of one another.

Accepting that no domain registrar is entirely secure though.

This is a good question. I have to admit, it only recently occurred to me that my own domain is not by default completely secure from theft. I have focused on "how secure is email-provider-x", or "hosting-company-y", but never the company that actually holds my domain registration. I currently use Amazon for my domains, and I'm not actually sure how vulnerable they are to social engineering attacks. I do remember losing my 2FA device years ago and calling them to get back into my account...which was convenient at the time, but is nagging at me right now.
I am cynical and jaded in this area so please take this with a grain of salt. This is just based on my experience trying out many different registrars.

MarkMonitor is the only registrar that comes to mind but even they have had some incidents and not likely you would just move some personal domains there. They are meant for large organizations.

The rest of them in my experience either aren't a full time registrar (CF/AWS) with odd limitations that change with time or have acquired/merged registrars that have become web2.0 front-ends to old systems they acquired and can barely keep them running. I've tried many registrars in the US and EU and can not find one I have confidence in. Every registrar that has features I like also comes with either stability issues or antiquated technical debt and have lost/let-go much of their technical staff. I am not going to name these registrars because for each of them there will be at least a dozen people here that have had nothing but wonderful experiences with them.

So I guess one could minimize risk by having half of their domains on their first choice and half on the second choice then make sure people know to email them at a domain on each registrar. e.g. Use the second registrar for an email domain that is set as a "backup email" in services that support having two or more email addresses.

I know this does not really answer your question. I do not have a good answer.

I moved my employers domains to MarkMonitor circa 2012 (after NetworkSolutions had an incident, and after I recovered from shock that my boss had used NetworkSolutions for anything after 1999!). They had a pretty high minimum annual spending requirement, so personal domains is out, unless you have an absurd number of them.

But, MarkMonitor does offer the most important security feature, RegistryLock, if supported by the Registry. A registry lock is enforced by the registry, and if you want to make changes to the domain at all, you need to contact the registrar and let them know; then they contact the registry and the registry will contact you during your business hours to validate the request, according to your preset instructions. From what I can tell, it works; we had to wait a day to change our nameservers once cause my boss didn't answer his phone to provide the authentication.

RegistryLock was a for pay feature, and not an insignificant amount.