Exclusive: CloudFlare will this Wednesday launch its own internet domain registrar for wealthy customers who simply cannot have their websites hijacked.
The business model of most registrars – the organizations you typically buy domain names from – is based upon volume, i.e. selling as many names as possible and making the process as easy as possible to use. That flexibility leaves enough room in domain registration systems for hackers to exploit.
Even high-value domains are mostly still managed by consumer-grade registrars, according to CloudFlare, which says it has "noticed a rise in domain hijacks over the past few years."
The issue is that anyone with access to the registrar account – such as an attacker or former employee – can take complete control over a domain, and as such could redirect its traffic, alter its web content, hold the domain hostage for a ransom, or even compromise the emails intended for the domain's legitimate owner.
It is ironic that, for large organizations that tend to need six or more people to sign off on a business change, a single username and password pair is all that's needed to log in and alter the settings of the corporation's web domains. CloudFlare's registrar intends to make it harder for changes to be made.
Matthew Prince, CloudFlare's CEO, told The Register how "two and a half years ago, we got a frantic call from the CTO of the New York Times, after a hacking group – attributed to be the Syrian Electronic Army – hacked its registrar, Melbourne IT, and were able to take over the domain of NYTimes.com."
The New York Times' website was replaced with a message written by miscreants, but behind the scenes, according to Prince, "every email that had been sent to anyone at the New York Times was potentially redirected to a malicious server – a server controlled by this hacking group, and when you're an organization receiving as many sensitive emails as the Times, this is pretty worrisome."
As Prince described it, "there wasn't a tonne that we could do to help" in that situation. "If a hacker compromises your registrar and takes over your domain, they have the keys to the kingdom and can use those to unlock everything. Really, they can take over your entire business," said Prince.
"We set out to become our own registrar to protect our own domains from being hijacked," he added, "and then protect the domains of high-value organisations and customers." Prince stressed that "this isn't for the ten-dollars-a-year crowd," but was more of an add-on for those spending "$5,000 a month" with CloudFlare.
CloudFlare's registrar will manage web names for its customers, and ensure REGISTRAR-LOCK and REGISTRY-LOCK are available to prevent hackers from moving domains to a different registrar. It will also automatically renew domains (which even Google doesn't always remember to do) and ensure DNSSEC is enabled.
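The controls listed above can be audited from a domain's public WHOIS record. The following is an added example, not code from CloudFlare or the article: it assumes REGISTRAR-LOCK corresponds to the EPP status clientTransferProhibited and REGISTRY-LOCK to the serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited statuses, uses days until expiry as a stand-in for auto-renewal (WHOIS does not expose that setting), and runs on constructed sample records with a hypothetical 60-day threshold.

```python
from datetime import datetime, timezone

# Assumption (not from the article): registrar lock = client* status, registry lock = server* statuses.
REGISTRAR_LOCK = {"clientTransferProhibited"}
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited",
                 "serverDeleteProhibited"}
AUDIT_DATE = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed "today"
# Constructed sample WHOIS records (not real lookups).
LOCKED = """\
Domain Name: EXAMPLE.COM
Registry Expiry Date: 2031-08-13T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
DNSSEC: signedDelegation
"""
WEAK = """\
Domain Name: EXAMPLE.NET
Registry Expiry Date: 2030-01-20T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
DNSSEC: unsigned
"""

def audit(whois_text, now, min_days=60):
    """Return a list of findings for one WHOIS record; empty means all checks pass."""
    statuses, expiry, dnssec = set(), None, None
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")  # value keeps any later colons
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "domain status":
            statuses.add(value.split()[0])  # drop the trailing icann.org URL
        elif key == "registry expiry date":
            expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
        elif key == "dnssec":
            dnssec = value.lower()
    findings = []
    if not REGISTRAR_LOCK <= statuses:
        findings.append("no registrar lock")
    if not REGISTRY_LOCK <= statuses:
        findings.append("no registry lock")
    if dnssec != "signeddelegation":
        findings.append("DNSSEC not signed")
    if expiry is None or (expiry - now).days < min_days:
        findings.append("expiry missing or within %d days" % min_days)
    return findings
```

An empty list from `audit()` means all four checks passed. Field labels vary between registries, so the keys matched here fit the common gTLD WHOIS layout only.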
"Intentionally, we're not going after the mass-market," said Prince, "but for the largest customers that really care about keeping control of their domain. The domain is a critical part for organizations that really care about security."
Roughly six months ago, ICANN awarded registrar status to CloudFlare. Although the San Francisco biz is the world's 1,910th registrar, it will be "the first to say 'Let's build this from the ground up to be as secure as possible'," said Prince.
That building started with "implementing a change control process" that does not attempt to be streamlined or convenient at all costs, nor offer a one-size-fits-all user interface.
Instead, CloudFlare will allow customers to "specify and build their own change control process ... if an organisation requires six different individuals from six different departments to all email in their changes, and then verify by faxing," then CloudFlare will let them do that. ®
Disclosure: El Reg is a customer of CloudFlare and uses its content-distribution network.