Can a simple password stop domain name hijacking?
Marina del Rey (CA) - According to an ICANN report released last month, the most effective means for attacking the integrity of networks without necessarily even using a computer- identity fraud for hijacking registered Internet domain names - could be thwarted by registrars through the implementation of a password exchanged between registrars during a domain transfer.
But one month after the Security and Stability Advisory Committee of ICANN, the corporation responsible for overseeing the Internet’s top-level domain name system, issued its "Domain Name Hijacking" report, progress in securing the domain name transfer process has been characterized as gradual. One roadblock appears to be the slow pace of adoption of a new XML-based transfer procedure called Extensible Provisioning Protocol (EPP), by the directory provider for the .COM and .NET generic top-level domains (gTLDs). Security systems provider VeriSign is that provider, as well as EPP’s principal engineer.
Dave Piscitello, ICANN’s SSAC Fellow, described a particular piece of data used by EPP protocol, called "authInfo", as "a digital authorization that is required before transfers can take place." Piscitello acknowledges that VeriSign has indicated it has already begun moving to EPP protocol for .COM and .NET, as well as .CC and .TV, but has yet to reveal how far along it is in the process. "My sense is that, once all the registrars are implementing EPP and authInfo," Piscitello told Tom’s Hardware Guide, "a significant window of opportunity [for hijackers] will be closed.
"I take great pains to protect my Web site from attack and defacement," Piscitello added. "If my domain is hijacked, it means they could demonstrate I was irresponsible. That’s not a very good thing for me. What kind of credibility does a security consultant or a security company - like a Counterpane or an @Stake - have if their domain’s hijacked ?"
Dan Halloran, ICANN’s deputy general counsel, explained how a normal domain name transfer should work : "Most of these transfers happen completely automatically, without any human intervention, through e-mail. Let’s say I have my domain at Register.com today, and I want to transfer it to GoDaddy. I go to GoDaddy’s site, I say, ’I’m a new customer, I want to transfer my name to you.’ They look up my domain name in the WHOIS, and they send a confirmation to the admin contact as it’s listed at Register.com. If I can prove I control that mailbox by clicking on a link with encrypted code, GoDaddy will take my word for it that I’m the registrant for that name. I pay them the registration fee, and then they initiate a transfer request to the registry."
In 2000, registrar NSI introduced the first edition of Registry Registrar Protocol (RRP), that defined the terms used in a client/server-like exchange between a registrar which sells domain name services, and the registry that maintains DNS itself. VeriSign introduced its own version 2.0 amendment to RRP in November 2003. Registrars have used this terminal-like protocol, based on command verbs and acknowledgement signals, to request data from gTLD directories, as well as to implement database transactions that change registry contents. RRP protocol has no built-in security.
In 2001, VeriSign introduced EPP as an XML document type definition, that generates database transactions that can conceivably rely on the tighter security mechanisms provided by database management systems. EPP’s authInfo field is a password that a person requesting a domain name transfer must first request from his existing, current registrar. The so-called "losing registrar" should theoretically be able to verify the identity of its own existing customer. Once received, this authInfo code would be given to the gaining registrar, which would verify its authenticity with the losing registrar, lending an extra degree of authenticity to the domain name request.
Tim Ruiz, vice president of domain services at GoDaddy.com - by some estimates, the world’s largest TLD registrar - supports the use of authInfo. "It’s something that the registrant could use," Ruiz told Tom’s Hardware Guide, "not to identify themselves but to [certify] that if they have this authInfo code, then they have administrative access to this domain name, and the right to request this transfer. I think if authInfo is implemented correctly and uniquely, as it was intended to be, it could serve as that key." By "uniquely," Ruiz is referring to the capability of registrars and directory providers to generate unique authInfo codes for every domain name, rather than generic authInfo codes that simply identify the registrar in all cases - and that could easily be swiped, transferred, and used again.
Dave Piscitello characterized EPP authInfo as "functionally a password, and you do have to protect it. If you send it in an electronic mail unprotected, it is obviously going over the wire in the clear." With some registrar services, Piscitello noted, two SSL processes can be initiated between the registrant and both the gaining and losing registrars. The registrant receives the authInfo code over the losing SSL channel, and then copies and pastes it into the gaining channel. "You’re the only person that would see it and would be able to treat it in any way other than encrypted fashion," remarked Piscitello.
The .COM and .NET domains are, by far, the largest in the Internet. According to a VeriSign report released this morning, the .COM gTLD alone accounts for 47% of all the world’s registered domain names. The major gTLDs whose directories currently use EPP - .ORG, .BIZ. .INFO, and .NAME - collectively account for only 11% of the DNS market, according to VeriSign.
In an e-mail to Tom’s Hardware Guide late this afternoon, VeriSign acting vice president for naming services, Raynor Dahlquist, stated that although VeriSign started moving its .TV, .CC, and .BIZ domains to EPP in June 2004, it couldn’t begin moving its .COM and .NET domains until June 2005, mainly for two reasons : a lack of desire among participating registrars, and a lack of finalized specifications until just recently. "It would have been ill advised for a TLD as large as .COM or .NET to move its registrars to a fully functioning EPP version until all of the RFCs [IETF request for comment documents] were finalized," wrote Dahlquist.
"Currently, 25% of our total new unit volume is coming to us via EPP commands," Dahlquist continued. "VeriSign, at the request of its registrars, is supporting dual environments for EPP and RRP until all registrars have migrated." Verisign supports more than 450 registrars, he added, all of whom have indicated their support for EPP, although that number renders the company unable to complete the shift from its existing Registry Registrar Protool (RRP) to EPP until December 2006 at the earliest. "Additionally, VeriSign has offered free engineering assistance via a consulting group to assist registrars in making the move to EPP," concluded Dahlquist.
While experts agree EPP authInfo may be the "linch-pin," as Dave Piscitello put it, to finally solving the DNS hijacking problem, it is far from a complete solution. Tim Ruiz pointed out that the WHOIS data that designates contact information for DNS registrants must still be relied upon to determine the name and e-mail address - and often the postal address - of every registrant requesting a transfer. "The problem is, that’s not always real reliable," he told us. "If the legitimate registrant has just made a change to their contact information to update their e-mail address, that information may not immediately be available in the WHOIS. Sometimes the information in the WHOIS is not completely accurate ; it only has to be updated once every 24 hours. So if someone’s trying to hijack that domain name, the gaining registrar may get the wrong information in order to confirm that."
The SSAC report suggests, however, that the ultimate responsibility for maintaining the integrity of the domain name rests with the registrant himself. The report lists 16 things a registrant can do to improve the safety of his DNS name, including keeping WHOIS information up-to-date, and choosing a registrar whose times of operation match the registrant’s own - almost like choosing one’s own bank. It also suggests registrants make full use of EPP authInfo, as well as registrars who implement Registrar-Lock as the default registration status. With Registrar-Lock, the registrant must ask his current registrar to unlock his domain before other administrative operations, such as transfers, can begin. "That way," said Ruiz, "the current registrant has to go into their existing registrar and actually unlock the domain name in order for the transfer to happen. They actually have to make a choice."
Piscitello believes, while domain name hijacking is a major and growing problem, "it is probably not the scale of spam, not the scale of spyware. Domain hijacking is something you can prevent by taking simple measures as a registrant now. And you can measurably improve the way that you protect your domain names. The weak point, really, still remains the registrant. If the registrant doesn’t protect his authorizing information, then he’s going to have some potential vulnerability."