
Secure Domain Registration for Startup Companies

As an entrepreneur with an idea, one of the first things you will buy for your business is a domain name. This name is the root of your company’s identity. If you lose control of it, the company could see its website defaced, customer funds stolen or diverted, downtime on websites and APIs, or a further compromise of corporate assets as emails are redirected.

When we started Zatik Security, we wanted to register our domain in the most secure way possible. However, we couldn’t find any step-by-step, vendor-neutral, free guidance, so we’re sharing our research in line with our Company Values to pay it forward to the next founder.

None of the companies evaluated sponsored Zatik’s assessment or influenced our recommendations. These are our preferences, based on our research of publicly available feature documentation and professional experience as of March 2024. Gentlepersons can disagree, and your experience might be different.

 

Secure Domain Registration

As a startup or small business, a full-fledged enterprise domain registry solution probably isn’t necessary or cost effective for your business yet. From a security standpoint, an ideal registrar would support the following six features to provide a secure domain registration for SMBs:


A text table showing the security features of the domain registrars as described in the blog post

With these requirements in mind, I reviewed five domain registrars frequently recommended in startup communities. Since our focus is enabling startups and small businesses, any features locked behind an “enterprise” tier have been excluded. The vendors we reviewed, in alphabetical order, were: Cloudflare, GoDaddy, Hover, Namecheap, and Squarespace.

Table of all 5 domain registrars showing Cloudflare meeting 5 of 6 criteria

Cloudflare meets five of the six criteria that Zatik recommends. 

  • 2FA: You can require that anyone you invite uses Two Factor Authentication (2FA). It is great to see a vendor offer this control on a non-enterprise plan with a simple checkbox.

  • Forbid SMS 2FA: Since Cloudflare only supports security key or app-based second factors, you can have confidence that staff are not using SMS as a second factor.

  • RBAC: Invite multiple users to your account with custom user access controls.

  • Audit Trail: The audit trail feature is very detailed and includes login information, but customers need to manually script notifications.

  • Forced Logout: Sessions can be destroyed using the Revoke Session feature. This allows you to log out an account which may be compromised.


Which criterion was not met? Security Alerts: Cloudflare email notifications do not allow you to set up alerts for other members of your Cloudflare organization. They are only sent to the account’s own email address, so they are not a reliable option for monitoring strange logins to other accounts.
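Added example, not Cloudflare's or Zatik's code: one way to script the missing alert over exported audit trail entries, flagging any login to a break-glass account and any login from outside an expected network. The entry field layout, the action names, the break-glass address and the network range are assumptions, and delivering the alert (email, chat webhook) is left out.

```python
import ipaddress

# Constructed sample entries. The field layout (actor.email, actor.ip,
# action.type, action.result, when) and the action names are assumptions;
# check them against a real export of your own audit log.
SAMPLE_ENTRIES = [
    {"when": "2024-03-04T09:12:00Z", "action": {"type": "login", "result": True},
     "actor": {"email": "alice@example.io", "ip": "198.51.100.7"}},
    {"when": "2024-03-04T09:15:00Z", "action": {"type": "dns_edit", "result": True},
     "actor": {"email": "alice@example.io", "ip": "198.51.100.7"}},
    {"when": "2024-03-04T23:41:00Z", "action": {"type": "login", "result": True},
     "actor": {"email": "breakglass@example.io", "ip": "203.0.113.50"}},
    {"when": "2024-03-05T02:03:00Z", "action": {"type": "login", "result": True},
     "actor": {"email": "bob@example.io", "ip": "203.0.113.9"}},
]
BREAK_GLASS = {"breakglass@example.io"}  # hypothetical break-glass account
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical range


def login_alerts(entries, break_glass=BREAK_GLASS, expected=EXPECTED_NETWORKS):
    """Return (when, email, ip, reasons) for every login that needs review."""
    alerts = []
    for entry in entries:
        action = entry.get("action", {})
        if action.get("type") != "login":
            continue  # only sign-in events matter here
        actor = entry.get("actor", {})
        email = actor.get("email", "").lower()
        reasons = []
        if email in break_glass:
            reasons.append("break-glass login")  # should never be routine
        try:
            ip = ipaddress.ip_address(actor.get("ip", ""))
            if not any(ip in net for net in expected):
                reasons.append("unexpected source IP")
        except ValueError:
            reasons.append("missing or invalid source IP")
        if reasons:
            alerts.append((entry.get("when"), email, actor.get("ip"), reasons))
    return alerts


if __name__ == "__main__":
    for when, email, ip, reasons in login_alerts(SAMPLE_ENTRIES):
        print(f"{when} {email} from {ip}: {', '.join(reasons)}")
```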


The full notes of my review can be found in the “Show Your Work” section at the end of this blog post.


But I already have a domain purchased…

After conducting our review and identifying an ideal registrar, we only had one problem: we had bought zatik.io using Namecheap. Since domain owners are allowed to move their domains between registrars, we started the process of moving our DNS and domain registration into a hardened Cloudflare account.

 

The first part of moving a domain name is to ensure the destination registrar supports the Top Level Domain (TLD) of the domain you want to move. Since we’re moving to Cloudflare, we confirmed that .io was one of their supported TLDs. Moving a domain has some restrictions which can prevent transferring registrars. The most common is that a domain cannot transfer if its WHOIS registration information has been modified within 60 days. Cloudflare provides a full list of reasons why a domain could be restricted from transfer into their system; you should review these materials before starting a domain name transfer.

 

When you plan to move a domain, you must ensure that any existing DNS entries at the source registrar are copied to the destination registrar. If they don’t match, you'll end up causing an outage for your existing customers/users. I recommend having a second person compare the records at the source and destination registrars after you create them. The DNS records at the destination registrar will not have any impact until you change the nameservers at the source registrar to point to the destination. Once you make this change, DNS records will begin to update. Zatik makes use of several SaaS products for our employees, so I created a checklist before making any changes so I could verify the transfer process was completed.  

A checklist to transfer your domains to make sure things aren't broken
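Added example, not from the original post: a sketch of the record comparison recommended above, run over zone exports from the source and destination providers before the nameservers are changed. The two exports are constructed samples with placeholder names and addresses, and the `name TTL class type data` line layout is an assumption about the export format. TTLs, hostname case and trailing dots are ignored, and NS/SOA records are skipped because they are expected to differ between providers.

```python
# Constructed sample exports (BIND-style lines: name TTL class type data).
SOURCE_ZONE = """\
example.io.        1800 IN A     192.0.2.10
www.example.io.    1800 IN CNAME example.io.
example.io.        1800 IN MX    10 mail.example.net.
example.io.        1800 IN TXT   "v=spf1 include:_spf.example.net ~all"
_dmarc.example.io. 1800 IN TXT   "v=DMARC1; p=reject"
"""
DEST_ZONE = """\
EXAMPLE.io.        300 IN A     192.0.2.10
www.example.io.    300 IN CNAME example.io
example.io.        300 IN MX    10 mail.example.net.
example.io.        300 IN TXT   "v=spf1 include:_spf.example.net -all"
"""
HOSTNAME_TYPES = {"CNAME", "MX", "NS"}  # data ends in a case-insensitive hostname


def parse_zone(text):
    """Return a set of (name, type, data) tuples; TTL and class are dropped."""
    records = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        name, _ttl, _cls, rtype, data = line.split(None, 4)
        rtype = rtype.upper()
        data = data.strip()
        if rtype in HOSTNAME_TYPES:
            data = " ".join(data.split()).lower().rstrip(".")
        records.add((name.lower().rstrip("."), rtype, data))
    return records


def compare(source_text, dest_text, ignore_types=("NS", "SOA")):
    """Report records that exist on only one side (a changed value shows on both)."""
    src = {r for r in parse_zone(source_text) if r[1] not in ignore_types}
    dst = {r for r in parse_zone(dest_text) if r[1] not in ignore_types}
    return {"missing_at_destination": sorted(src - dst),
            "extra_at_destination": sorted(dst - src)}


if __name__ == "__main__":
    for side, recs in compare(SOURCE_ZONE, DEST_ZONE).items():
        for name, rtype, data in recs:
            print(f"{side}: {name} {rtype} {data}")
```

In the sample, the DMARC record was never copied and the SPF record was retyped with a different qualifier, so both would change mail handling the moment the nameservers switch.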

Once the DNS change was completed, I began the process of transferring the registrar of Zatik.io. This process updates the business relationship to your domain and controls the company you will be renewing the domain with. To begin, you must unlock the domain at the source registrar, which will provide you with a verification code. Enter the code in the destination registrar to complete the transaction. When planning a move, you should budget 10 days into your timeline: your source registrar has up to 5 days to provide you the code, and another 5 to send it to your destination registrar. (It doesn’t usually take 10 days, but it can per the ICANN rules, so it’s good to set the time aside just in case.) The task to move to Cloudflare allowed Zatik to take advantage of their additional account security features. Now you can, too!


 

Your company’s domain is the root of your identity as a business. If you lose control of it, your ability to find your market fit and deliver a product to your customers is damaged. 

Providing pragmatic security engineering guidance is one of the services we offer at Zatik Security. If you are building a business and need a team of experts to help you build a security strategy, please get in touch.

Show Your Work: Domain Registrar Security Feature Review Documentation

Since this research is intended for startups and small businesses, only free/paid plans are considered. Any feature that requires an Enterprise or similar tier service plan is not included.

  1. Cloudflare 

    1. Users can make use of an Authenticator App or Security key 

    2. SMS as second factor is not supported 

    3. You can invite multiple users to your account, and enforce that they have 2FA on. There are specific roles that you can assign within the account.

    4. This was a difficult one to rank. There’s no documentation of it, but experimentation showed that they do send alerts when your account logs in from a new IP address. However, there is no Available Notifications option to alert you when another member of your account logs into their account. This means you cannot alert on logins to a break glass account. You can find this data via the Audit Trail, but would have to manually script a notification option.

    5. Audit trail feature is provided via their Audit Log feature, which provides a review of changes made within the account, and inside DNS zones

    6. Sessions can be destroyed using the Revoke Session feature

  2. GoDaddy

    1. Offers both Authenticator App and Security keys as MFA options

    2. SMS is an option for MFA that you cannot disable 

    3. You can have multiple admins in your account with role-based access control by making use of the Delegated Access feature. Invited users will have different permissions based on where in the folder structure they are invited

    4. Email Notifications are sent to the email that owns the account. However, there was no documentation about sending them to another email.

    5. There is an Account Activity feature. However, it is not a full audit trail of what happened in your account as it is limited to sign in events

    6. There was no description of the ability to destroy an active session in their documentation site

  3. Hover (the direct to customer business for Tucows)

    1. They do offer Authenticator App as an option for secure 2FA

    2. They still offer SMS as an MFA option. Their docs page says they are, "starting the process to deprecate the use of SMS as a two-factor authentication (2FA) method", but no timeline is given.

    3. Nothing in their help center about multiple logins, or sharing access to a domain

    4. They do offer Sign In Notifications as part of their account security program, but these are only sent to your email account, not a security alias

    5. Audit Trail feature is provided in the Activity Feed which shows info about account sign-ins, new domain registrations, renewals, disabling auto-renewals

    6. They do offer the ability for you to force a sign out of all active sessions

  4. Namecheap

    1. 2FA options include Authenticator App and/or Security key

    2. SMS is not an option and seems to have been removed on or around May 16 2022, which is the last update date on the 2FA docs. The closest web archive of the page before that is from April 20 2022 and does feature SMS as an option; the next one, from June 30 2022, does not have SMS listed.

    3. You can invite a Shared Manager to a domain, and select the permissions you wish them to have

    4. Options for email notification of logins to the account, password changes, account recovery requests, changes to email, or primary address, WHOIS contacts, or host records

    5. Knowledgebase doesn’t include any information on an Audit Trail feature

    6. Knowledgebase doesn’t include information about a Destroy Sessions feature

  5. Squarespace

    1. Only offers Authenticator App as a secure 2FA option

    2. SMS is still available as an MFA option

    3. You can invite multiple contributors to a domain

    4. There are some Email Notifications that Squarespace sends, but they do not list out security related events they send you information about, or if they can be sent to another email

    5. The Account Dashboard provides information about Login Activity, but is not a full Audit Trail

    6. The Account Dashboard also offers the option to Force a Log Out which will destroy an active session



 