CloudFlare has launched a domain name registration service with enhanced security controls designed to prevent domain hijacking, a serious attack that can have far-reaching consequences for companies.
Its Registrar keeps a close eye on domain name registrations and changes to registrations with the intention of preventing attackers from gaining control of a domain name, said Ryan Lackey, who works with CloudFlare’s security product strategy.
The idea came after CloudFlare began looking for a domain name registrar with better security, Lackey said. CloudFlare is a constant target for attackers. They couldn’t find anything suitable, so CloudFlare decided to develop its own.
“We figured this is a problem that other people are having,” Lackey said.
Domain name hijacking at its best is embarrassing but at its worst could have serious consequences for a company.
One of the most common low-brow pranks is changing a website’s DNS records to point to a different website. But control over a domain also can give access to a company’s email.
Even worse, an attacker could keep a particular website running but might be able to install their own SSL/TLS certificate, which would allow for monitoring of a company’s data traffic.
The problem CloudFlare is aiming to eliminate are the weak controls behind many registrars, or the organizations that manage domain name registrations. Lackey said in many cases, a single password stands between an attacker and taking over a domain.
“It’s very difficult to build controls around a single password,” Lackey said.
In 2013, a group calling itself the Syrian Electronic Army managed to breach a registrar for major sites including Twitter and the New York Times, briefing redirecting those sites to one of its own.
CloudFlare’s approach is to add a lot of friction to the process of making any changes to a DNS record. For example, companies can elect that before any change is made, three people need to confirm it, Lackey said.
“We don’t want it [a change] to depend on a single person,” he said.
Also, some types of changes won’t be completed for five to 10 days. Smaller changes, such as a change of address for an office, may be made faster. CloudFlare will also keep an eye out for suspicious requests for changes, such as if a company suddenly tries to move its DNS servers to the Ukraine, for example.
CloudFlare’s Registrar service also will automatically renew domains for customers. Occasionally, companies forget that their domain name is about to expire and the domain name can be bought by another party.
For domain names, Registrar also is using DNS Security Extensions (DNSSEC), which uses public key cryptography to digitally “sign” the DNS records for websites, making them less susceptible to tampering.
So far, CloudFlare can accommodate the top-level domains .com, .net and .org. Plans are to add other TLDs and country-code TLDs as needed, Lackey said.
CloudFlare’s service is aimed at large companies and organizations that have a large brand value attached to their domain name. The current domain name system was basically built for the non-commercial Internet, but is still used, Lackey said.
“We’re still using systems that were built for a much different world,” he said.