Ask HN: What domain registrars take security seriously?
I (like many others) use email that's hosted on a domain I own. Are there domain registrars out there that take security seriously enough to, for example, be immune from someone faxing a fake ID to support to get access [0]?
I would be happy to hear of email providers, etc, that also take things as seriously. I can't imagine what hell it would be if someone got access to my email...
[0] https://news.ycombinator.com/item?id=29715989
13 comments
[ 4.3 ms ] story [ 45.7 ms ] threadI've actually had a Cloudflare account since 2018, but have never seriously used it for one reason or another. I also own NET shares that have treated me quite well (thanks). Anyways, I digress, but since you've taken the time to respond to me I decided to go digging on the Cloudflare website and see if I could find any policy or promises that could give some higher level of assurance (than what, I'm not entirely sure. Something more than GoDaddy, I suppose? Not that that's what I currently use).
During a somewhat thorough (though admittedly hasty) search of my account dashboard and the help center, the only related thing I could seem to find was this [0] support article which is only tangentially related. It also only seems secure from social engineering attacks because it does not actually reference any human contact. I did also click through 90% of the support contact form (which I'm glad exists!), for whatever that's worth.
Looking at any of the offerings available (Namecheap, GCP, etc), I'm honestly not even sure how to differentiate offerings (no one says they're insecure), except to maybe do basic reputation comparisons. Given the level at which I depend on my various services, it would be reassuring to hear something as extreme as needing a notarized letter for account recovery!
Maybe you can speak to this?
As a complete tangent (not targeted at you): it seems that getting details like this fleshed out is kind of impossible unless you're doing large B2B deals. Somewhat related, I've noticed a large trend towards companies that are difficult to get a hold of (you can see the litany of posts here on HN about it), and companies that pine over the little guys are few. Thinking on it, of the companies that did respond well to requests to support, I can't think of one I don't still use to this day.
Sorry for the wall of text! Thanks for taking a look.
[0] https://support.cloudflare.com/hc/en-us/articles/203471284-L...
Accepting that no domain registrar is entirely secure though.
MarkMonitor is the only registrar that comes to mind but even they have had some incidents and not likely you would just move some personal domains there. They are meant for large organizations.
The rest of them in my experience either aren't a full time registrar (CF/AWS) with odd limitations that change with time or have acquired/merged registrars that have become web2.0 front-ends to old systems they acquired and can barely keep them running. I've tried many registrars in the US and EU and can not find one I have confidence in. Every registrar that has features I like also comes with either stability issues or antiquated technical debt and have lost/let-go much of their technical staff. I am not going to name these registrars because for each of them there will be at least a dozen people here that have had nothing but wonderful experiences with them.
So I guess one could minimize risk by having half of their domains on their first choice and half on the second choice then make sure people know to email them at a domain on each registrar. e.g. Use the second registrar for an email domain that is set as a "backup email" in services that support having two or more email addresses.
I know this does not really answer your question. I do not have a good answer.
But, MarkMonitor does offer the most important security feature, RegistryLock, if supported by the Registry. A registry lock is enforced by the registry, and if you want to make changes to the domain at all, you need to contact the registrar and let them know; then they contact the registry and the registry will contact you during your business hours to validate the request, according to your preset instructions. From what I can tell, it works; we had to wait a day to change our nameservers once cause my boss didn't answer his phone to provide the authentication.
RegistryLock was a for pay feature, and not an insignificant amount.