Cloudflare TV

Securing Your Registrar Account

Presented by: Val Vesa
Originally aired on June 10, 2020 @ 5:00 AM - 5:30 AM EDT

If you already own at least one domain name or maybe managing tens already, this is an intro into understanding simple methods of securing your registrar account, as it is the first gateway an attacker has to go through, to steal your domain name and hijack your DNS records.

English
Registrar
Security
Tutorials

Transcript (Beta)

Good morning, good afternoon, or good evening, depending where you're from and watching this live or not.

But if you are watching live, I just want to make sure that you pay very good attention because there's going to be some interesting things happening during this segment.

Now, today, we're going to talk about securing your registrar account.

And allow me five seconds to introduce myself. My name is Val Vesa.

I'm the community manager here at Cloudflare. And I have some background in web hosting, domain registration, thus the topic of today's segment, website security, but a huge passion for photography.

That would be the number one thing I would always want to do if somebody would say, you know, you can only do this.

Okay, today, as I said, we're going to go over 10 steps of how to secure your registrar account, your domain registrar account.

And if you have any questions and you're watching this live, you can please email us at livestudio at Cloudflare.tv.

And I'm just switching on my email now because I'm going to be watching.

And please pay attention. It's very important that if at the particular moments in our segment today, when I will say so, if you know the right answer and you send the first email, remember the first email that comes in is going to get a free Cloudflare t-shirt, okay?

Shipped to you wherever in the world you are. Of course, with all the lockdowns and transportation issues now, you're going to have to maybe wait a few days, few weeks, but we'll get it to you.

So again, pay attention to the first correct answer.

Only if you're watching this live, send an email to us with the right answer, you'll get a free t-shirt.

Now moving on, the first step out of our 10 steps to protect your registered account is always make sure you assign domain ownership to the corporate entity.

What does it mean? That means that if you register a domain name and you're a business, you're DBA, LLC, whatever, you're a corporate entity, make sure that the domain name ownership is always registered for that corporate entity, not for your friend that works in the IT department, not for your colleague that has better experience registering domains.

Make sure you always go through the proper channels and register that domain name to your company.

And that's because there's a risk. If a domain name is registered on some employee's entity or identity and they leave the company, now guess what?

They have access to your company's registrar, meaning they can switch DNS in a second and your website and your business basically disappears from online.

We've seen this happening every day. So step one is very, well, all of the steps are important, but step one is really important.

Also because reclaiming ownership for your domain could take years and cost a lot of money, paying a lot of lawyers and so on.

A domain name, again, should always be registered to the corporate entity.

If online anonymity is an issue for you, you can always activate domain privacy, a simple and inexpensive way to hide your personal details.

And I do want to take a second and let you know that Cloudflare Registrar has a free domain privacy policy.

So all of the domains registered with us get the privacy service for free.

Now, moving on, sorry for that mouse going into the screen. Step two is always use a trustworthy domain registrar.

We talk about trust in our field, in the field of online services or in the field of security services or anything like that a lot.

Trust is a base, a foundation for anything you do online. So many things happen when you don't, when you cannot meet a person face-to-face, when you cannot exchange money for service face-to-face.

So trust is very important. The first step when you actually exist as an entity online is registering your domain name.

As I said, make sure you do that in the first step on your corporate entity.

And also the second step is make sure you don't just go to anybody to register your domain name.

Use a reputable domain name registrar, not a small scale business, which has a higher chance of going out of business, thus placing your domain name at risk.

Choose a provider who has experience, choose a provider you find a lot of good reviews about, choose a provider that is authorized and not least beware of hosting companies.

My personal experience is that many hosting companies also sell domain name registration.

So you would get, you go to their website and you see, you know, buy your $5 a month, one gigabyte unlimited transfer hosting, right?

You see this all the time on Google search results pages. Now, if they drop in their free domain name when you buy, just imagine if you buy a $5 a month of web hosting per month, and you also get a free domain name with it.

When a domain name registration, taking it from directly from the register would be maybe eight, nine, seven, 10, depends on the extension.

That's already a cut in profits for the hosting company trying to lure you in with a good offer, right?

You're getting a free domain too.

So be, you know, pay attention to these things because you want to check that they actually registered for the domain name and that they registered for the description name details you send them so that the domain name is not lend to you.

So you use it, you know, for the duration of your service contract with them, but actually the domain name is registered under your corporate identity.

This is very important.

Again, what we talked about in first step. Moving on, enable domain locking.

Now, this is important. You see that diamond icon there.

This is the first moment in this presentation where one of you, if you watch live, will get a free t-shirt, a Cloudflare t-shirt.

Enable domain locking. What does it mean?

So I will tell you what it means, but if you go to your registrar right now, your registrar page, and you send an email to livestudio at Cloudflare .tv with a screenshot of the portion of your dashboard that has registrar lock on it.

Hopefully you'll send yours and not somebody else's. You can hide away the actual domain name.

That's not very important. I'm not going to be sharing the email with anybody anyways.

So if you do a full screenshot, that's also okay. But if you show to me that you know where to look at, what to look that for, I will send you a free t-shirt.

Okay, moving on. I will explain now for everybody else who doesn't want to play this game.

There's another thing most people forget to do once they register a domain name.

So as we said, it's important to get your domain ownership on the corporate entity.

It's also important to use a trustworthy domain registrar.

And the next step you should do is always make sure you have a registrar lock on or client transfer prohibited, that depends.

The wording is different, but it means the same thing.

That's verifying that the domain name cannot suffer any changes, any transfers, unless you approve it and unless a specific code is issued and entered on the party that wants to transfer that domain to them.

So for example, if you have your domain name registered with GoDaddy and you want to move your domain name to Namecheap or from Namecheap, you want to move it to GoDaddy or from Namecheap, you want to move it to GoDaddy again.

So all of these steps, you need to make sure that the moment you register your domain or you transfer it in, you apply domain locking to it.

I'm checking my email, boom. Somebody sent already an email, so give me a second.

Okay, that's a question that we're gonna answer at the end of the presentation, but that's not something about the main locking screenshot that I was looking for, Prashit, so thank you.

Actually, we have a winner.

Prashit Derokukbar, sorry if I'm pronouncing this wrong, did send me a screenshot of his domain name theft protection.

So as I said, the wording, it depends on every registrar, but he did send me a screenshot that says theft protection is enabled.

So Prashit, I will be coming back after this show and I will email you to let you know how you can get your free t-shirt.

Register lock, also known as domain locking, is a security feature offered by all registrars.

So you should be finding this in your registrar dashboard. It could be having a different name like we've just seen with Prashit's case here.

And it helps safeguard domain names from unauthorized changes, also a common practice in domain hijacking activities.

Now moving on, when you start, so when you first register a domain name, you might be entitled to think, well, maybe I'm not gonna be doing a big thing.

Maybe I'm not gonna start something really huge with this thing.

So maybe just go with one year or maybe go with two years of registration.

My recommendation is register your domain name for 10 years, up to 10 years should be allowed by almost any registrar.

And usually it's something that has to do with us people forgetting things.

If you forget to renew your domain name, you run the risk of losing it to someone else.

And a missed domain name renewal can lead to all kinds of troubles.

Just imagine getting an email that says, oh, by the way, you should register your domain name again, or you should extend your domain registration after the first year.

And maybe you're on vacation, or maybe you're, I don't know, on a flight, and you missed that email, that actual email.

Now, I don't know about how your inboxes looks like, but my inbox is pretty long, and there's a lot of unread emails in there.

And sometimes I miss important stuff.

Sometimes I miss, like I said, the main reminders. Sometimes I miss invoices reminders that I have to pay and so on.

And I'm sure you should be experiencing most likely the same thing.

So my recommendation is go for the maximum your registrar allows, which again should be up to 10 years.

And if you avoid shorter registration periods at all costs, then that also helps you not think about the specificity of your domain name, but think about your business.

Think about how you can grow your business, anything that has to do with the content you put online, research and so on, but not think about, oh my God, is my domain up for renewal and when?

Because if you remember something like registration, 10 years, put it in the calendar, and then hopefully you live long enough and healthy and everything is perfect.

So that in 10 years, there's gonna be no issue to renew it again. Okay, moving on.

Step five in our list of how to protect your registrar account is verify the domains associated email.

Now, one of the biggest mistakes you can make when registering a domain name is to use an older email address or an unused email address.

Specifically, if you're using services like Hotmail, Yahoo, Gmail, these are accounts that need your participation every, at least, I guess, six months, three months, it depends, but you need to be able to re-login all the time so that you actually show these three providers that you're using that email address.

So make sure you verify what email address you use when you register your domain name, because if you're using something like, whatever, johndoe at yahoo.com, and you don't log into that email address for six months, I hope six months is correct, I didn't verify this, but let me know it's not.

And then you just, basically, your email account is being deactivated and anybody sending you emails, anybody, in our case, meaning a registrar, saying, hey, Val, your domain name is up for renewal, that email bounces back.

And I haven't seen yet any registrar trying to call you by the phone or send emails to, or send DMs to your social media profiles, nobody does that.

You don't respond to the renewal email, it's gone. And lots of domains get pretty much discontinued like that every week.

And there's a lot of businesses that actually have issues, legal issues and business issues, just because they used an email address that nobody checked for six months or three months or nine months.

If by some reason you use, you lose this account to inactivity, like I said, you may never recover access.

That also can happen. If it was long enough, not only you can reactivate the domain, the email address, but you can never actually recover access to it.

And then you have to go through Yahoo support, Gmail support, all of the hotmail support.

And we all know how that looks like.

So, less interaction with support may be better. Step six comes again with a possible T-shirt for whoever sends me an email to livestudio at Cloudflare.tv, explaining what DNSSEC stands for.

I will explain what it does, but the actual definition, if you explain it to me in an email, you'll get a free T -shirt.

I'm gonna check my email to see who's the first one to send the correct answer.

So, as I said, DNSSEC, while still not widely implemented in all domain registrars, unfortunately, it is a modern way to protect apps and caching DNS resolvers from third-party malicious data manipulations, such as, we've talked about this today, DNS cache hijacking.

And by using DNSSEC on your domain registrar, you'll add an additional layer of protection and cryptography security to your DNS records.

Make sure the registrar you use offers DNSSEC. Again, it's not widely implemented in all domain registrars today, but you can check with your registrar to see if they have it and have all requests checked against the cryptography, the cryptographic, sorry, signature to detect alteration in any way.

Of course, Cloudflare supports DNSSEC and is a free feature.

I'm refreshing my email just to see if anybody found the definition for DNSSEC.

If you do find it, you can still send me an email.

I'll go along with the segment. Step seven, who is protection?

For those of you who do this every day or every month or a lot, most of these steps should be self-explanatory.

The who is protection also has a who is, right?

Who is in it, so it's even more self-explanatory. But I hope that for those of you who don't know, this is an important knowledge gaining experience for you today.

I had to learn all of these throughout a lot of years of self-study and trying to find, sorry, I was just checking emails to see if anybody got in.

There's some questions coming in, but not the right answer I was looking for.

I mean, not answers to these questions.

Enabling who is protection, again, services is another way to keep your personal information safe.

If you don't enable who is privacy at a time of your initial domain registration, details including your phone number, email, city, country, even mailing address could be exposed to the entire Internet to make matters worse, data scraping bots can who is records, can scan them throughout the Internet to use your own personal details to send you spam and often include you in phishing campaigns.

Now, I'm happy to say Clouflin includes who is privacy by default and for no additional costs for all domains that are registered or transferred into our registrar.

And I wanna mention something here and I wrote it down.

Domain slamming, that's not protecting your who is, so your private details of the registrar, of your domain in your registrar account is the number one source from where spammers and domain slammers get the details.

Let me read this. This is a Wikipedia quote, so I wanna make sure I go through it completely.

Also known as unauthorized transfers or domain name registration scans.

And this is something you might be familiar with because I see emails like that all the time coming in.

We see it in support.

I've worked with web hosting and security providers who see these types of, let's say invoices.

They almost look like the real deal. So what happens is somebody's scanning your who is information for your domain and they see that you're up for renewal because again, you didn't register it for 10 years maybe.

You're up for renewal, let's say in 60 days, two months.

It will send you an email that looks very, very nice.

All the from field, the subject field, the body of the email might even be very HTML slash images comprised with.

So it looks like an actual registrar sending you an email because, hey, you forgot to renew.

Maybe you don't even remember what registrar you use for your domain name.

Or maybe he's one of those web hosting companies that I told you maybe check twice before you use them to register your domain name.

And the email says in 30 days, again, your domain is up for renewal in 60 days, but they will tell you in 30 days, your domain name will expire.

Click here to renew now. Now this is the main standing because what they want you to make is actually click on their link, create an account, ask for your actual domain name from your current registrar to be moved, transferred into this new account.

Most likely this will not be a $10 a year price. This will be like a 50, 60, 100, $150 a year, depends.

Sometimes they even scan your domain name to see what type of business you run, possibly try to figure out how much money you make, so on.

So they will ask you for an appropriate price because you're somebody online who forgot to hide the main Whois information.

So when your Whois details are left unprotected, they can target you.

You're gonna get an email saying, please move this domain.

They're never gonna mention move. They're never gonna mention transfer.

What they will tell you is you need to renew your domain name now because otherwise you're gonna lose it.

So in a rush of a moment, seeing this in your inbox, you might accidentally click on the link, go create an account.

What they will do then, they will issue a transfer request, meaning they will request your actual registrar to allow your domain name to be moved to them.

And now we go back to the third step where we said, make sure your domain name is domain lock, so registrar lock or transfer prohibited, meaning if such an account request might come in of some sort of shady registrar trying to steal your domain name and your domain name on your registrar is not locked, they're just gonna get it.

They're not gonna need any sort of authorization at all. If the domain is locked, they cannot move it unless you provide them with an authorization key, EPP key, depending on how you word it, but there's an extra layer of protection when your domain is locked.

So please be very careful when you think about this.

As you see, all of them come one by one by one and they might work pretty good on their own, but when you do all of the tests, all of the 10 steps, much easier.

Okay, we got carried away, let's go on. Step eight, enable 2FA. Again, if you're watching this live and you know what 2FA stands for and you send an email to livestudio at clothair.tv, you get a free Clothair t-shirt.

This is the most important security tip for any kind of online business account.

Doesn't matter if we're talking about registrar today, but you can talk about any sort of online account possible.

Banking, registrar, email, any sort of membership, anything that has to do with your private details being saved somewhere on a website.

Step nine, make sure you have 2FA enabled.

Now I can even dare you to go to the level of if your registrar doesn't have a 2FA field or capacity or feature, just quit.

I cannot even imagine a world where security of your profile, of your business, of your personal details online is not behind an enabled 2FA feature.

So if whatever service you use online today, if it's really important to you and if it has a lot of your private data, personal details, credit card information, billing details, mailing address, all that, and it doesn't have a 2FA feature, just tell them goodbye, move to somebody who has one.

Maybe a bit more expensive, but maybe not. But if they don't have it, go away.

That's the most important, like I said, security tip for any kind of online business-based account.

And if you're using a domain registrar, it's a must.

Now, of course, all of the respectable registrars will have it.

We do have it also at Cloudflare. Never leave your registrar login information wide open without proper two -factor authentication enabled.

Nowadays, most domain registrars, like I said, allows you to set up 2FA with Google Authenticator, Auth-AI, or alternative like YubiKey, 2FA, Key Generator device, and so on.

But please, please do not leave your online registrar account without 2FA enabled.

Step nine, we're almost at the end, and I think we have about six minutes to go, so I still have some time for the questions I got.

Do not reuse passwords. Again, this is one of those live things where you can get a free Cloudflare t -shirt if you email me the name of your password manager.

I'll explain what this is, but if you know what it is and you're using one, just let me know in an email what is it.

Your best bet is to completely avoid password reuse. For both personal and business-based domain names, this will help guard against hacking, especially after the many data breach problems we've seen worldwide in online services.

Use a strong password, and we just talked about this.

I strongly recommend using a password manager.

If you have a password that you can easily remember by heart, that's already a security risk.

If it's so easy that you can remember it by heart, it's a security risk.

You should trust a password manager to generate complicated passwords to use and only use them once per service.

So if you have a password for your register account, make sure that that password is generated by a password manager, like LastPass, 1Password, Dashlane, so on.

And that 1Password is never, and I mean never, used on any other of your online accounts, be it email, anything else.

Never reuse passwords. That's like so important. And the last step is keep your contact information updated inside your register account.

Not only is it important to keep your email updated, but the rest of your personal and company details as well.

Technical and administrative contact emails are important as your mailing address, first and last name, telephone number, driver's license, credit card data, and other pertinent information.

But remember, this information will be necessary should you ever need to verify that you are the real person, the real owner of that domain name, especially, we've talked about this, in domain hijacking.

So if something happens to your register account and you need to contact your registrar, sending them a support ticket, sending them an email, maybe call on the phone, they will ask for these details.

They will ask you for this data.

They will let us know who you are, first name, last name, other personal details.

And if these are not updated in your profile, if you just sign up with a registrar account and instead of your actual date of birth, you just put some random number in there because you're in a hurry, you wanna do this quickly, I don't have time for this, this is not important.

Guess what? When you contact the same registrar, they will ask you, okay, Mr.

Valdez, so what's your date of birth?

I'm gonna go, well, I know what my date of birth is, but if I say it and they go, that's not what we have in our data, what do you do then?

So always make sure you keep your contact information updated.

Now, before we actually end today, I think we have like three minutes left.

I have two questions. One of them is, what's the best registrar to register a domain name with multi-user access?

I don't just mean multiple users can access a domain, but multiple users can share ownership of a domain.

Prashit, I don't really know the answer to these questions, but I will check with our registrar team and I promise to get back to you on email.

And I have another question from Chris.

Let me just read it. What is your opinion about bulk buying any extension?

Oh, yes, this is very good. Chris, I'm not gonna go with your last name online, but Chris, thank you so much.

This is a very important question.

I could have easily done a step 11 for this one, especially for companies, for corporate entities, but maybe even for physical persons, if you're really interested.

If you find a very good domain name and maybe a brand name first for your company, for your future business, for your product even, and you register the myamazingproduct.com, and you don't register the amazingproduct.org.net, that social, that anything, all of these other extensions for domain names, you might end up in somebody else registering a domain name for your brand, so with the same as your brand, and then they can easily just start selling services on that domain name as if it belongs to them.

The domain name does belong to them, but then we go back if you don't have a trademark and if you don't have the proper layers of access to sue them and so on, you might lose a lot of business opportunity there.

So I'm gonna leave you here, and the next segment you're gonna be watching is a recorded one, Betting on Blockchain is from the Internet Summit 2017.

Thank you and goodbye.