13

I just learned about domain name locking at registrar level. I’m having a problem understanding what it is; all I found is that it’s a protection against domain name takeover through transfer.

Now, I also found unlocked domains for several major websites.
But without even understanding what locked domains are, I don’t know if it would allow takeover (or even be a threat at all, since I couldn’t find a list of supported TLDs).

My current case is that there are only server status codes in whois, not client ones.

Bob Ortiz
user2284570

3 Answers

17

Locked domains are domains which require additional hoops be leapt through in order to change ownership. The lock is requested by the owner of the domain and implemented by the registrar of the domain.

Historically, transferring ownership of a domain required something like one of the authorized contacts faxing in a signed paper. And, believe it or not, there were people out there who would fraudulently sign papers and fax them in so that they could steal the domain. It's called Domain Hijacking and during the dot-com era it was a reasonably large problem. It happened to my company around 2000 and it took us months for the lawyers to convince Network Solutions that the domain had been fraudulently transferred and that it should return to us.

Domain locking means that the registrar must unlock the domain before making changes, and that therefore they are triggered to apply extra scrutiny to the transfer. Some might argue this merely makes them "do their job"...

The law of unintended consequences means that domain locking became a weapon in the registrar wars. As new registrars came online and tried to capture business from the (more expensive) older registrars, domain locking was urged upon domain owners with the unstated goal of making it harder to hop from one registrar to the next. Every domain registered at Network Solutions "comes with the free Domain Protect feature enabled," for example.

Your biggest question seems to be is domain hijacking an important threat?

Yes, but relative to the value of your domain. For example, "sex.com" was an attractive and lucrative target (link goes to article, not named domain). Other domains would have lower value.

Update

I was unable to find a way to query ICANN to find out which TLDs support domain locking, but I was able to find this (very comprehensive) list on a registrar site which indicates that .co does support domain locking:

.co TLD info from OpenSRS

And, if you go to the .co whois server, you can see that locking attributes are listed for their domains:

Whois details for cash.co

For at least two of the TLDs listed as not supporting domain lock in that list (.cn and .uk), I pulled up whois details for a couple domains and did not find any indication of EPP status codes that would indicate domain locking. (As a negative inference, that's of limited use, but it beats contradiction).

gowenfawr
  • No, what I don’t understand is if an unlocked domain from a supported ᴛʟᴅ can lead to hijacking. I also would like the list of ᴛʟᴅ supporting that protection please *(no google results)*. – user2284570 Jan 21 '16 at 22:20
  • 2
    @user2284570 This isn't a shopping recommendation web site. If you want to know who offers that protection, ask them. – Simon B Jan 22 '16 at 13:18
  • @SimonB This is not for shopping recommendations, I'd like to know if my findings depict an incorrect behaviour. This covers many TLDs and registrars; a complete TLD support list would be the best solution. I also would like to know if transferring or updating contact details is possible without that protection. – user2284570 Jan 22 '16 at 13:21
  • @user2284570 Yes it is - that's why domain name locking was invented. – Simon B Jan 22 '16 at 13:58
  • If I understand correctly, in the case of `client.*` locks, it means the `client.*` associated operations can’t be performed automatically *(either using provided ssh or web control panel)*, and that a human needs to be involved in the process. – user2284570 Feb 09 '16 at 11:29
  • @SimonB : If what I guessed in my comment above is correct, it isn’t really. If somebody would manage to access the management interface of someone else at the registrar, then there are other things to worry about. – user2284570 Feb 09 '16 at 11:37
  • No, you are a bit incorrect that it requires manual intervention. A transfer lock means that the registry (e.g. .co, .eu etc.) will not transfer the domain, and will not release transfer codes either. Transferring using a code will not work either. To release the lock, you would have to go into the domain admin panel, using the authentication solution that the registrar is using (for example: one-time codes) and remove the lock. Then the transfer can proceed as normal. Manual intervention is only permitted if a registrar locks a domain to forcefully keep a customer (which is disallowed by ICANN) – sebastian nielsen Feb 15 '16 at 20:10
  • However, there are locks that always require manual intervention, and those can be indicated the same way in whois, so the public cannot see what type of lock is imposed. Those locks are for example when there's an ongoing dispute on the domain, or if a domain is locked due to abuse (ex: phishing), or if a court decided the domain should be locked/seized. – sebastian nielsen Feb 15 '16 at 20:14
  • @sebastiannielsen ok, so does it mean the failure reason *(not able to proceed with transfer despite access to the registrar web control panel due to registry lock)* on [this](http://www.pcworld.com/article/2095240/hackers-try-to-hijack-facebook-other-high-profile-domains-through-domain-registrar.html) *(attack example)* is wrong? – user2284570 Feb 16 '16 at 22:44
  • clientUpdateProhibited is another type of lock, that normally requires human intervention. It's a lock you cannot apply through your registrar control panel. – sebastian nielsen Feb 17 '16 at 03:21
  • @sebastiannielsen may you write this as an answer please? *(just for awarding the bounty)* – user2284570 Feb 18 '16 at 00:39
2

TLD locks were created to prevent the following:

> Modification of the domain name, including:
> Transferring of the domain name
> Deletion of the domain name
> Modification of the domain contact details

As per "Registrar Lock" status codes. It benefits companies who pay for it as a service (e.g. stop someone from doing ANYTHING to a domain unless authorization was PROVEN), and has been used by law enforcement agencies, and registrars to take over domains associated with malicious actions (e.g., malware, APT like threats, and so forth). The main purpose of the lock was to prevent hijacking and slamming. See ICANN on this. It has also been abused by some registrars, e.g., Register.com used to place a lock on your domain like it or not (unsure if they still do). Unless the lock was removed, you were forced to keep re-registering with Register.com ($35.00 per .com once upon a time) versus transferring to a lower priced registrar. Alas, as answered it was mainly created to protect a domain owner from losing their domain.

EDITED FOR CLARITY / LOGIC

A registrar lock does NOTHING against "taking over a domain" if the original poster meant to ask: "Will a registrar lock stop me from taking over the domain?!?!" (where by taking over, the OP meant hacking). And I quote: "I don’t know if it would allow takeover". What are you trying to take over? The domain? Or the server the domain is on? Two different things. Registrar locks do NOTHING on the technical side of the equation. They do not protect a domain from being "taken over" if say there is a PHP vulnerability. The registrar lock only works between RIRs and offers ZERO protection from technical vulnerabilities.

munkeyoto
  • What about the yes/no question I included in my bounty message? Your answer adds nothing to what I already know. This question is about how such protections technically work, not about what they protect against. – user2284570 Feb 16 '16 at 22:35
2

A transfer lock means that the registry (e.g. .co, .eu etc.) will not transfer the domain, and will not release transfer codes either. Transferring using a code will not work either. To release the lock, you would have to go into the domain admin panel, using the authentication solution that the registrar is using (for example: one-time codes) and remove the lock. Then the transfer can proceed as normal. Manual intervention is only permitted if a registrar locks a domain to forcefully keep a customer (which is disallowed by ICANN).

However, there are locks that always require manual intervention, and those can be indicated the same way in whois, so the public cannot see what type of lock is imposed. Those locks are for example when there's an ongoing dispute on the domain, or if a domain is locked due to abuse (ex: phishing), or if a court decided the domain should be locked/seized.

clientUpdateProhibited is another type of lock, that normally requires human intervention. It's a lock you cannot apply through your registrar control panel.

sebastian nielsen
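The answers above refer to the EPP status codes shown in whois output and to the split between `client*` codes (set by the registrar) and `server*` codes (set by the registry). The following is an added example, not code from any of the posters, for auditing which operations on your own domains are locked and by which side. The whois samples are constructed, and the `Domain Status:` / `Status:` line layout is an assumption, since whois formats differ between TLDs.

```python
import re

# EPP domain status suffixes (RFC 5731) that act as locks, keyed by operation.
LOCK_SUFFIX = {
    "transfer": "TransferProhibited",
    "update": "UpdateProhibited",
    "delete": "DeleteProhibited",
}

# Assumed layout: "Domain Status: <code> [url]" or "Status: <code>".
STATUS_LINE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.I | re.M)

def lock_report(whois_text):
    """Map each operation to the sides that lock it:
    'client' = set by the registrar, 'server' = set by the registry."""
    codes = {c.lower() for c in STATUS_LINE.findall(whois_text)}
    report = {}
    for op, suffix in LOCK_SUFFIX.items():
        report[op] = [side for side in ("client", "server")
                      if (side + suffix).lower() in codes]
    return report

def unlocked_operations(whois_text):
    """Operations with neither a registrar nor a registry lock."""
    return [op for op, sides in lock_report(whois_text).items() if not sides]

# Constructed sample: only registry-side (server) codes, as in the question.
SAMPLE_SERVER_ONLY = """
Domain Name: example.test
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
"""

# Constructed sample: registrar-side transfer lock only.
SAMPLE_CLIENT_TRANSFER = """
Domain Name: example.test
Status: clientTransferProhibited
"""

# Constructed sample: no lock at all.
SAMPLE_OK = "Domain Name: example.test\nDomain Status: ok\n"

if __name__ == "__main__":
    for name, text in [("server-only", SAMPLE_SERVER_ONLY),
                       ("client-transfer", SAMPLE_CLIENT_TRANSFER),
                       ("ok", SAMPLE_OK)]:
        print(name, lock_report(text), "unlocked:", unlocked_operations(text))
```

A domain with no `client*` codes is not necessarily unprotected: the `server*` codes cover the same operations at registry level, and whois alone does not say why they were set.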