By: Michael Diedrick on Mar 8, 2021
Any website build or redesign requires that we get involved with the organization’s domain name, and we’ve seen a lot of things that worry us. We’re creating this nice, easy checklist to keep everyone safe and secure.
Domain names and registrars
A domain name is central to absolutely everything an organization or company does online. Email is routed through the domain name, the website is routed through it, and any other services, like Office365, or subdomains, like jobs.example.org, are routed through it.
Any domain name has a registrar -- that’s the company people use to buy their domain name. Normally the cost is $10 - 20/year, and domain registration is a separate cost from hosting or email service. Common companies are Namecheap, Godaddy and Network Solutions. Other companies also offer domain name registration, including most hosting companies like Bluehost, hosted service companies like Shopify, and even Google.
Why is domain name security vital?
If someone gets hold of your domain name, it could be a Game Over situation, and at the very least there would be a lot of work to get it back, with email, the website and any other services going down with it. Because your email goes down too, any attempt to get the domain back has to come from some unrelated email address, and the registrar will have a hard time verifying who is really asking. (They also don’t want to let someone steal a domain name with a request from a random email address.)
We work primarily with cultural institutions, libraries and museums, and these are considered a high value target by hackers. Stealing an institution’s domain name would be quite the feat, and would allow the hacker to deface the website, intercept email, add software to the website and sit quietly in the background, and more.
A checklist for domain name security:
- Do you have direct access to your registrar account, and can you log in and change values if you wanted to? (Try it now.)
- Do you have “private” registration, where outsiders can’t get your direct email or phone? Some registrars charge for it; good ones offer it for free.
- Do you “delegate” access to your domain name as needed, or do your IT and web companies have your password? We never want to hold our clients’ passwords, but we have to if we aren’t delegated access. Our holding a client’s password creates a new attack vector, and is less secure, even if we’re highly trustworthy. Delegation is free and quite easy, and allows you to undelegate access if you move to a different vendor for email or your website, say.
- Are you using appropriate passwords? Using the name or address of the organization in the password is the most guessable password out there beyond ‘password’ and ‘123456’. (Remember solarwinds123?) We would normally suggest a password manager, but since the domain name is a high value target, using whatever system you have for bank passwords might be better. (I may be the only person who slightly distrusts password managers, though; I’d defer to my IT department or company’s processes.)
- Are you using 2-factor authentication (2FA)? Each registrar account should have 2FA turned on -- when you log in, you also have to enter a code sent via SMS or generated by a separate, central phone app for validation.
- Is your registrar separate from all your other services, like hosting or email? A domain name needs to be fully independently managed -- if you forgot to pay the hosting bill and did your hosting at the same company as your registrar, you risk bringing everything down. Or if someone gets a hold of your hosting password, they could use that to parlay into owning your domain.
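Two of the items above can be checked mechanically rather than by eyeballing a registrar control panel: whether private registration is actually hiding the registrant contact in the public record, and whether a candidate password leans on the organization’s own name or address. The following is an added example, not the author’s tooling or any registrar’s code. It parses an RDAP response (RDAP is the JSON successor to WHOIS, RFC 9083; you can fetch one for your own domain from your registrar’s or rdap.org’s RDAP service) and lists registrant contact fields that are still publicly readable, and it checks a password against the organization’s name, ignoring digits and common letter substitutions so that a password like solarwinds123 is caught. The two RDAP records, the organization names and the redaction phrases are constructed or assumed; real registrars vary in how they mark redacted data, so extend the marker list for yours.

```python
"""Audit helpers for two checklist items: private registration and org-name
passwords. Added example; not the author's or any registrar's code."""
import json
import re

# Phrases registrars typically substitute for redacted contact data.
# Assumption based on common RDAP/WHOIS output; extend for your registrar.
REDACTION_MARKERS = (
    "redacted", "privacy", "withheld", "not disclosed",
    "query the rdds", "request email form", "contact the registrar",
)

# vCard fields that identify or reach a real person or organization.
CONTACT_FIELDS = ("fn", "org", "email", "tel", "adr")


def registrant_contacts(rdap: dict) -> list:
    """Return (field, value) pairs from every 'registrant' entity's vCard.
    RDAP keeps contacts in entities[*].vcardArray as a jCard: each property
    is [name, parameters, type, value]."""
    found = []
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        _, properties = entity.get("vcardArray", ["vcard", []])
        for prop in properties:
            field, value = prop[0], prop[3]
            if field in CONTACT_FIELDS:
                found.append((field, value))
    return found


def looks_redacted(value) -> bool:
    """True if a vCard value is empty or carries a redaction placeholder.
    'adr' values are lists of address components, so join them first."""
    text = " ".join(str(p) for p in value) if isinstance(value, list) else str(value)
    text = text.strip().lower()
    return text == "" or any(marker in text for marker in REDACTION_MARKERS)


def exposed_contact_fields(rdap: dict) -> list:
    """Registrant fields an outsider can read from the public record."""
    return sorted({f for f, v in registrant_contacts(rdap) if not looks_redacted(v)})


def has_private_registration(rdap: dict) -> bool:
    """Checklist item: outsiders can't get your direct email or phone."""
    return exposed_contact_fields(rdap) == []


# Common digit/symbol stand-ins for letters ('s0larw1nds' -> 'solarwinds').
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def org_words(*texts: str) -> set:
    """Lowercase words of 4+ letters taken from the org name and address."""
    words = set()
    for text in texts:
        words.update(w for w in re.findall(r"[a-z]+", text.lower()) if len(w) >= 4)
    return words


def password_leaks_org(password: str, org_name: str, address: str = "") -> list:
    """Org/address words embedded in the password, ignoring digits, symbols
    and simple substitutions, so 'solarwinds123' still trips the check."""
    lowered = password.lower()
    variants = {
        re.sub(r"[^a-z]", "", lowered),                  # drop non-letters
        re.sub(r"[^a-z]", "", lowered.translate(LEET)),  # undo leet, then drop
    }
    return sorted(w for w in org_words(org_name, address)
                  if any(w in v for v in variants))


# Constructed sample RDAP records for a fictional registration (not real data).
PRIVATE_RECORD = json.loads("""{
  "objectClassName": "domain", "ldhName": "example.org",
  "entities": [
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [
       ["version", {}, "text", "4.0"],
       ["fn", {}, "text", "REDACTED FOR PRIVACY"],
       ["org", {}, "text", "REDACTED FOR PRIVACY"],
       ["adr", {}, "text", ["", "", "REDACTED FOR PRIVACY", "", "", "", "US"]],
       ["email", {}, "text", "Please query the RDDS service of the Registrar of Record"]]]},
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]}]}""")

EXPOSED_RECORD = json.loads("""{
  "objectClassName": "domain", "ldhName": "example.org",
  "entities": [
    {"objectClassName": "entity", "roles": ["registrant", "administrative"],
     "vcardArray": ["vcard", [
       ["version", {}, "text", "4.0"],
       ["fn", {}, "text", "Jane Director"],
       ["org", {}, "text", "Example Town Museum"],
       ["email", {}, "text", "director@example.org"],
       ["tel", {"type": ["voice"]}, "uri", "tel:+1-555-0100"]]]}]}""")

if __name__ == "__main__":
    for label, record in (("private", PRIVATE_RECORD), ("exposed", EXPOSED_RECORD)):
        print(label, "-> private registration:", has_private_registration(record),
              "exposed fields:", exposed_contact_fields(record))
    print(password_leaks_org("ExampleTownMuseum2021!", "Example Town Museum"))
    print(password_leaks_org("s0larw1nds123", "SolarWinds"))
```

The private record reports no exposed fields, while the exposed record lists `email`, `fn`, `org` and `tel`, which is exactly what a phisher would harvest to impersonate the institution to its registrar. The password check deliberately works on letters only: stripping digits and undoing substitutions is what a guessing attack does anyway, so a password that survives this check is one that doesn’t simply decorate the organization’s name.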
And a few bonus items that aren’t really about security, but matter to me as I manage my own domain names.
- Bonus: Does your registrar sell your information? I’m looking at you, Godaddy. (Godaddy has been doing tomfoolery with their clients over the years, and I don’t trust them.)
- Bonus: Is your registrar actually easy to use? Or are they so busy selling you more stuff you don’t need that managing the things you do need is 10 clicks and furious hunting? And if you accidentally add a service you don’t want, then try to remove it, does that cancel your domain entirely? It’s not a common situation, but administrative issues are the #1 reason we’ve seen registrars fail.
- Bonus: Do you know how to transfer a domain name from one registrar to another? It’s a bit of a process, but if you can, you have the freedom to switch. Like when you realize that Godaddy isn’t really a good friend to have. Or if your registrar starts selling your info, or preventing you from switching registrars for inane reasons.
- Bonus: Is it around $10-12/year for domain registration? I’ll pay more if I prefer to have a foreign, reputable registrar like Gandi, but any regular domain with included private registration should be cheap.
- Bonus: Does your registrar have cheap and easy-to-manage SSL (TLS) certificates? Most sites don't need these, but the easy availability is a good sign for a domain registrar.
For those asking, we use Namecheap for most domains and TLS / SSL certificates (if we don’t use Let’s Encrypt). We used to use Godaddy because they were easily the cheapest registrar, but then came the tomfoolery, so we left for a registrar that charged the same price. (If Namecheap starts doing any of the tomfoolery that Godaddy was doing, we’ll be on the first ship out. So far, Namecheap has been upstanding and honorable.)
We certainly understand that this seems like yet-another-admin-task, but this one helps you maintain the central core of your organization’s independence: your domain name. Staying on top of access, independence, private registration, delegation, and good passwords with 2FA is vital to keeping your domain safe and secure for good.