Akatombo Web Log
Friday, November 12, 2004
Prevent the Theft of your Domain
ICANN, the regulatory body controlling domain names (yourwebaddress.com), has made a (we think) rather stupid change to their Policy on Transfer of Registrations between Registrars. This may sound complicated, but we think it makes it easier for people to steal your domain name. We’ll lay out the details in simple terms below:
The change was made to combat a legitimate problem: some unscrupulous domain name registrars (the companies that provide domain name registration services) have made it very difficult for customers to transfer their domains away to another company that may provide better prices or service. We have had to deal with this problem on behalf of customers in the past, and when I used to work at a domain name registrar this was a big problem for customers trying to transfer in to our service. The problem is serious and needed a solution, but we are not confident that the solution ICANN chose was the right one.
We’ll try to be as brief as possible regarding the changes to policy but it gets a little bit complicated, so please bear with us. The important changes are as follows:
“Requiring registrars to verify the identity of the registrant or administrative contact requesting the transfer by one of a number of approved methods to deter fraud;”
This is a requirement of the “Gaining Registrar” meaning the company that is getting your business. The approved methods of authorization are as follows:
- Physical means:
  - Notarized statement
  - Valid Drivers license
  - Article of Incorporation
  - Military ID
  - State/Government issued ID
  - Birth Certificate
- Electronic means:
  - Electronic signature in conformance with national legislation, in the location of the Gaining Registrar (if such legislation exists).
  - Consent from an individual or entity that has an email address matching the Transfer Contact email address.
“Preserving the ability of registrants to “lock” their domains so they may not be transferred from the registrar, but requiring registrars to provide a readily accessible way for registrants to have their current registrar remove this lock at their request;”
This means that registrars have to give registrants (you) an option of locking their domain names so that they cannot be transferred until the lock is released. This is one of the things that we recommend that you take advantage of to ensure that your domain is not fraudulently transferred to another party. We’ll cover this more in the next section.
“Enabling registrants to transfer their domain names without having to “double-confirm” the transfer once the transfer has been reliably authenticated per the new policy; and”
This reverses the old practice of many losing registrars (the registrar being transferred away from) of making registrants confirm with them that they indeed wanted to make the transfer before the transfer to the gaining registrar (the registrar being transferred to) could take place. This means that if someone manages to fool the gaining registrar into thinking that you are making the request for the transfer of your domain name (and it is in their interest to believe) then the transfer can go through without you confirming the transfer.
Note: Many thanks to my friend who attended the ICANN meeting for explaining to me that the confirmation with the losing registrar was never a requirement, although many were doing it. This policy made it illegal to do so. While it is true that some registrars were using this to hold up the transfer process it could also be a genuine fail-safe to protect customers.
“Providing a robust dispute resolution process for resolving disputes between registrars, including registries implementing a “transfer undo” functionality to provide for efficiently reversing any transfer initiated in violation of the policy.”
This is an attempt at making it easy to reverse the damage done by a fraudulent or mistaken transfer, but in our opinion is insufficient for one, and too little too late for another.
- First of all, the means of authorization don’t all seem equally worthy. Most registrars will almost certainly go for the electronic forms of authorization. It would be stupid for them not to. They would just be putting a bunch of extra effort and a time barrier in the way of registrants that want to transfer to them. Focusing on the two electronic means of authorization, it seems to us that it would be a lot easier to spoof e-mail authorization to one registrar than to both, and the first option of using an electronic signature authorized by the local government is silly for three reasons:
  - Not very many legislatively approved methods of doing this exist.
  - The Internet is international: if I am in Japan and use a registrar in the U.S. then the electronic signature may not even be available to me.
  - Different countries have different laws:
    Imagine this scenario, I go and establish my domain name registrar in a poor country with a government open to bribery. I give certain government leaders a small stipend in exchange for the consideration of passing a law authorizing the use of an easily spoofed electronic signature system that we have developed. I am now open to reap the benefits of transfer and registration fees from any that would like to attain a domain that is already taken, and don’t mind being a bit dishonest about it. — This is a very oversimplified example, registrars must be accredited by ICANN, and there is also the issue of domain resellers to consider. Still this seems to us to leave some pretty big holes in the policy.
- They have now outlawed the previously required double-confirmation system, making it easier for domain transfer chicanery to take place.
- As far as we have observed ICANN’s UDRP is far from adequate, can be rather slow, and is often wrong. Even if you were to get your domain name back through the UDRP that will be little consolation since your website and e-mail service for that domain have been interrupted during the proceedings.
We recommend that you take the following steps to ensure that your domain name does not fall victim to a fraudulent transfer:
- Visit the website of your domain name registrar and log in (make sure that you don’t forget how to log in to your domain name account, that could cause you big problems in the future).
- Check your contact information, and make sure that it is all up to date—especially your e-mail address.
- Look for an option to lock your domain names. As of today (November 12th, 2004) all domain name registrars are required to provide one. Lock all your domains to prevent them from being transferred until you release the lock.
If you follow these steps, your domain name should be pretty safe, but of course always remember to keep your domain name registrar account login information safe and secure. If someone can gain access to your account they can pretty much do whatever they want.
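An added example, not part of the original post: one way to check the contact e-mail and the lock across several domains from saved WHOIS output. The sample records, the expected e-mail address and the `Key: value` layout are constructed assumptions; a registrar lock appears in WHOIS as the EPP status `clientTransferProhibited`.

```python
import re

# Constructed WHOIS responses (not real lookups); example.com/.net are reserved names.
SAMPLE_WHOIS = {
    "example.com": """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Email: hostmaster@example.com
""",
    "example.net": """\
Domain Name: EXAMPLE.NET
Domain Status: ok https://icann.org/epp#ok
Registrant Email: old-address@example.org
""",
}

# EPP status codes that block an outbound transfer (registrar lock, registry lock).
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys lower-cased)."""
    record = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return record

def audit(domain, text, expected_email):
    """Return a list of findings for one domain; an empty list means it passes."""
    rec = parse_whois(text)
    # Each status value is the code, optionally followed by an explanatory URL.
    statuses = {v.split()[0].lower() for v in rec.get("domain status", [])}
    findings = []
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock set")
    emails = [e.lower() for e in rec.get("registrant email", [])]
    if expected_email.lower() not in emails:
        findings.append("contact e-mail differs from expected")
    return findings

def audit_all(records, expected_email):
    return {d: audit(d, t, expected_email) for d, t in records.items()}

if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE_WHOIS, "hostmaster@example.com").items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

A registry may redact the registrant e-mail from public WHOIS, in which case the contact check has to be done inside the registrar account instead.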
Was this helpful to you? Do you have any question or have we missed something? Please leave a comment below to let us know!
Tuesday, October 26, 2004
Working with Web Designers - Part I - Preparation
I have been on both sides of the "hiring a designer" experience. Before I started working as a web guy I was a marketing guy, and during that time I had occasion to hire web designers for various projects I was involved in. That experience was absolutely NOT what made me go into this line of work. It was, in fact, an extremely frustrating experience for me, and in hindsight I'm sure it was just as frustrating for the designers. Now that I am on the other side of the equation I realize that many of the things that drive me crazy about clients today are things that I used to do to the designers I was working with. If I had known of a way to make the process go more smoothly I would have, but I was doing the best that I knew how. In this series of articles, I hope to illuminate some things to consider and some best practices that will make working with a web designer go more smoothly, efficiently, and ultimately more fruitfully. Many of the tips in this article will probably apply to the experience of hiring a staff web designer as well, but the primary focus is hiring a web design firm or freelancer to handle a specific project. There is a lot of ground to cover so this article will be broken into sections. The first section, which I present to you now is about the preparation prior to getting in touch with the designer.
Goals
The first thing you should consider, and you should actually put it down on paper and use it as a guiding principle for the project, is your goal for the project. I discussed this in more detail in "What Are Your Goals?", but basically you should think about what would have to happen for you to consider the project a success. Formulate your conclusions into a sentence or paragraph giving a measurable standard of success. Thinking this out ahead of time will help to guide your own decisions through the planning process and beyond. It will also give the designer a very clear and succinct idea of what it is you are trying to achieve. It will help the designer to give you advice about the best way to take your web project where you want it to go, and to get a quick start on formulating their proposal for doing so.
Background Materials
The next thing you'll want to do is prepare some background material on your organization, brand, and product—modify these categories to match what it is you do of course, but you get the idea—for the designer. The more information he or she has about who you are, the more effectively the designer can come up with a design concept consistent with your image and branding. If you have any marketing or branding guidelines or standards (such as colors to be used in company releases) it would be good to have these ready for the designer as well. The more background information readily available to the designer, the better job they can do for you. If you have a set of images or other media that you plan to use in the design it would be a good idea to get those together as well. This way, if there is any problem with what you have, maybe the image is of too low a quality or of the wrong format to use as you imagined, the designer can let you know with plenty of time to find a replacement or alternative solution.
Until Next Time...
Well that's all for this installment. I hope it helps you to get yourself set to contact a designer and get the ball rolling. Being prepared before making the contact puts you at an advantage, because you have a fairly good idea of what it is you want already, and you'll be more able to communicate that to your designer of choice. We look forward to hearing your thoughts. This article is still in progress, and may be added to as the other sections are completed, so if there is something not in here that you think should be, comment and let us know about it below!
A change in focus
I was looking back over the articles we have put up on this site, and realized that most of them are targeted at other web professionals. Writing for that target is fine, but this section was originally created to cater to the people we can most help (clients/potential clients). I have decided to guide this section back to its original concept: providing information on web related topics to non-web professionals needing to do something with the web. We will likely cover topics related to web marketing, usability, accessibility, best practices for effective information architecture, business cases for the use of web standards, search engine optimization, and tips for working with designers (I throw this last topic in especially because it is the article currently on my writing table). Don't worry if you don't understand some of the terms above, all will be explained in easy to understand language. I'll try to speak to each topic from the viewpoint of someone who doesn't do this stuff everyday. I'll stop here for now, I just wanted to put down a placeholder to mark my commitment to writing more for this section's target.
Monday, October 25, 2004
Our server will be down for a few minutes (knock on wood) later today for an upgrade.
UPDATE: All went smoothly, and the server is back up and running like a charm. Sorry for any inconvenience.
Wednesday, October 20, 2004
AWS Zone
Nice little site for people using the new version of Amazon's "AWS."
via Daring Fireball Linked List