
The Extensible Provisioning Protocol (EPP), as described in RFC 5730, can possibly be protective against domain hijacking. The protocol consists of the following 17 status-values, as described in RFC 5731:

clientDeleteProhibited, serverDeleteProhibited, clientHold, serverHold, clientRenewProhibited, serverRenewProhibited, clientTransferProhibited, serverTransferProhibited, clientUpdateProhibited, serverUpdateProhibited, inactive, ok, pendingCreate, pendingDelete, pendingRenew, pendingTransfer and pendingUpdate.

The definition of the EPP status-value ok is:

... the normal status-value for an object that has no pending operations or prohibitions.

Therefore, a domain with the EPP status-value ok should be considered potentially vulnerable to domain hijacking because it has no EPP prohibitions. Is a domain with one ...Prohibited EPP status-value sufficiently protected against (a form of) domain hijacking or should multiple ...Prohibited EPP status-values be used for complete protection against domain hijacking?

In other words, is the protection that EPP can offer insufficient when only one (instead of multiple) ...Prohibited EPP status-value(s) is/are used?

Bob Ortiz

1 Answer


Generally speaking, the EPP codes will not help prevent domain theft/hijacking, at least in generic top-level extensions.

Before 2006, it was possible to steal .com/.net (possibly other extensions) as long as a) they were not locked and b) the rightful domain owner did not object to it. b) in particular could happen when the registrant E-mail was out of date, had lapsed or the notification mail was spam-trapped.

With the introduction of the EPP code the practice of stealing/hijacking domain names has become more difficult.

The following applies to generic top-level extensions (ccTLDs often have different rules):

In order to transfer a domain name to another registrar, you need the so-called EPP code, and the registrar-lock status must be lifted, which translates to lifting the clientTransferProhibited status.

The EPP code is often sent to the registrant E-mail address but can sometimes be retrieved online. It depends on the registrar. The registrar is also where you lift the transfer lock.

Valuable domain names are stolen sometimes. It often involves taking over the administrative E-mail account. If a hacker can take control of your E-mail address he can a) reset your password at the registrar (security questions may apply depending on the registrar), b) take over the registrar account, c) unlock the domain and retrieve the EPP code, d) transfer the domain away - or just mess with the DNS settings, for example to perform a malicious redirect.

The EPP status is a moot point actually. Just because a domain doesn't have any flag set doesn't mean you can mess with it. If you can hack into the registrar account, on the other hand, it's almost certainly game over.

To sum up, the best way to protect your domain names is to make sure the administrative E-mail is secure and up to date, and to choose the registrar carefully. Some registrars have enhanced security features like 2FA and automatic E-mail notifications, while others may still be storing passwords in plain text and should be avoided just for that reason.

It goes without saying that the user account at the registrar should be protected with a password that is unique and hard to guess, and it doesn't hurt if the username is not too predictable as well.

One final note: the administrative E-mail is displayed in the whois record, so it is public information. It is therefore a good idea to use an E-mail address for your registrar account that is different from the one listed in the whois record.

Reference: ICANN: EPP Status Codes | What Do They Mean, and Why Should I Know?

Kate
  • I like your answer but it's more of a general explanation of EPP while my question is more about the use of EPP status-values itself and so, more specific. Can you try to address the specific question a bit more? I clarified my question slightly, adding: "In other words, is the EPP protection insufficient when only one (instead of multiple) ...Prohibited EPP status-value(s) is/are used?" – Bob Ortiz Nov 01 '16 at 16:14
  • Generally speaking, the EPP status is no longer relevant when it comes to preventing domain theft, since you now need an auth code to transfer a domain away. Again, that depends on the extension. However, to confuse you even more, some extensions (ie .com) have a so-called Registry Lock Service whereby the domain is locked at registry level (not just at the registrar). Which means a hacker taking over your registrar account would still have additional hurdles to jump through. See for example: https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml – Kate Dec 04 '16 at 14:48
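Added example, not code from the question, the answer or ICANN: a defender-side check that reads the `Domain Status:` lines of a WHOIS record, maps each lockable operation (transfer, update, delete) to a registrar-level (client*) or registry-level (server*) prohibition, and flags a record that carries only `ok`, which is the distinction the answer and the Registry Lock comment draw. The status names are the 17 from RFC 5731 quoted in the question; the `whois_record` builder and the exact `Domain Status:` line layout are assumptions for the sample input.

```python
import re

# The 17 EPP domain status values listed in the question (RFC 5731).
EPP_STATUSES = {
    "clientDeleteProhibited", "serverDeleteProhibited", "clientHold", "serverHold",
    "clientRenewProhibited", "serverRenewProhibited", "clientTransferProhibited",
    "serverTransferProhibited", "clientUpdateProhibited", "serverUpdateProhibited",
    "inactive", "ok", "pendingCreate", "pendingDelete", "pendingRenew",
    "pendingTransfer", "pendingUpdate",
}
# WHOIS output lists one status per line, e.g.
# "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
STATUS_RE = re.compile(r"^Domain Status:\s*([A-Za-z]+)", re.MULTILINE)
LOCKABLE_OPS = ("Transfer", "Update", "Delete")

def whois_record(*statuses):
    """Build a constructed WHOIS record (not real output) listing the given statuses."""
    lines = ["Domain Name: EXAMPLE.COM"]
    lines += [f"Domain Status: {s} https://icann.org/epp#{s}" for s in statuses]
    return "\n".join(lines) + "\n"

def parse_statuses(whois_text):
    """Return the set of recognised EPP status values in a WHOIS record."""
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)
            if m.group(1) in EPP_STATUSES}

def assess_locks(statuses):
    """Classify each lockable operation as locked at the registry (server*),
    at the registrar (client*) or not at all, and flag the two extremes."""
    report = {}
    for op in LOCKABLE_OPS:
        if f"server{op}Prohibited" in statuses:
            report[op.lower()] = "registry"   # only the registry can lift it
        elif f"client{op}Prohibited" in statuses:
            report[op.lower()] = "registrar"  # lifted from the registrar account
        else:
            report[op.lower()] = "none"
    # All three server-side prohibitions is what a Registry Lock service sets;
    # taking over the registrar account alone cannot lift them.
    report["registry_lock"] = all(report[op.lower()] == "registry" for op in LOCKABLE_OPS)
    # "ok" means no prohibitions at all; RFC 5731 forbids combining it with them.
    report["no_locks"] = "ok" in statuses or all(
        report[op.lower()] == "none" for op in LOCKABLE_OPS)
    return report
```

A record whose report shows `no_locks` is the "ok" case from the question; a record with only registrar-level entries is exactly the state the answer says falls with the registrar account, and `registry_lock` marks the extra hurdle Kate's comment describes.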