
It's interesting how there are people who think spending $100/year/domain is a lot of money - but when your entire company's business/value is on the line, I would think that spending $1,000/year/domain, to make absolutely sure nothing goes wrong, would be a bargain.

It also ensures that your registrar has the resources required to guarantee a very high level of verification and due process to ensure that everything is done correctly, with lots of extra human review (in addition to all of the automated safety checks, not instead of).

I've heard good things about https://www.markmonitor.com/ when it comes to managing domains (among other things)

Well, we are paying for Gandi's corporate level of support.

Funnily enough, we feel the same way about people who don't want to pay $20/year for their email address, given that it's the primary method of identifying yourself online.

As with any business expense though, you only want to pay for value - if you spend $1000/year for exactly what you could have got for $100 year, that's wasting money.

And we're satisfied that Gandi know us now! Overall they've been really good - they just missed this one thing when they added 2FA. I bet they're not the only site.


With all due respect. I looked at the pricing of fastmail. So is it security the customer is paying for? Because for $10 and $20, you get a rather small max storage (250MB or 1GB). The only way to get a useful amount of data is to pay at least $40 a year. So basically most of the money goes to small data storage. What part of it goes to security and human time to handle security breaches?


> So is it security the customer is paying for? [...] The only way to get a useful amount of data is to pay at least $40 a year.

Security is one of my top concerns, which is why I don't need much storage at FastMail. My email is deleted from FastMail's servers in less than 180 days after receipt because the USG considers email over 180 days old to be abandoned and will access such email without a warrant.

http://en.wikipedia.org/wiki/Electronic_Communications_Priva...


The $10 level is very much "entry level". The $20 level is enough for a lot of people. It's surprising how many people still delete most of their email from the server.

You're also paying for multiple replica copies and backups and all that good stuff. By the time you add RAID, search, metadata, etc - there's pretty much a 10:1 ratio between quota usage figures and raw disk used.

Then there's development effort - we're not just installing a couple of packages and then sitting back and letting them run.


I've heard this claim made repeatedly on this site, but I've not heard any details as to what specifically MarkMonitor does to protect domains above and beyond other registrars. Anyone care to chime in?


I realize it's an appeal to authority, but if there is one company that would have a lot to lose if its domain was ever exploited, it's Google.

http://reports.internic.net/cgi/whois?whois_nic=google.com&t...


I think Google actually stand to lose less than a smaller corporation. The registry will not assign Google to another company in any way that passes any eyeballs without seriously questioning it; if it did get re-assigned then they wouldn't have a problem recovering it. It's not likely to be gone for more than a few seconds before it's noticed and customers who were phished, or whatever, wouldn't be that likely to leave Google because of it.

That said I think appeal to authority is quite useful in this situation.


I would agree that any attempt to reassign google.com ought to raise someone's eyebrows.

But I would have said the same about mit.edu and they got reassigned about a year ago. Obviously not for long, but the damage someone well-prepared could do by owning google.com for just 30 minutes is scary.


There's no way anyone could own it for more than a couple of minutes before Google had contacted the managers of the root name servers and ICANN to revert. Like the sibling comment intimates, handling the traffic would be nigh impossible; easier to control and perform a localised attack on a nameserver to "own" google.com for a limited subset of users.


The "well prepared" part makes me wonder. What kind of infrastructure would you need to handle google.com's traffic? I don't think any of the cloud providers can scale up to that kind of traffic out of the box, and it's not like someone can just build and staff a dozen data centers in preparation of this hijack attempt.


I have previously worked with MarkMonitor. One big factor is that at the time I had a single dedicated person who oversaw our domains. I knew him and his manager, and they knew me. Everything related to our domains went through them. It's not impossible to fool someone in that situation, of course, but it's a lot harder than fooling some random support person who knows nothing about the business or people involved. We talked on the phone regularly, and I have absolute certainty that if anything unusual came through, they wouldn't hesitate to call me and figure out if it was legitimate.


FWIW I think Apple previously used MarkMonitor. In fact that's currently mentioned on Wiki. However, now Apple.com is controlled by something named "Corporation Service Company".

I think the idea behind these services is, they're not just a registrar. Broadly speaking, their business is "know your customer". They're boutiques. They protect large companies against the vagaries of DNS hacks, expired domain registrations, typosquatting, etc.

E.g. a (long) while ago Microsoft failed to renew hotmail.co.uk, just like they previously forgot to renew passport.com. But today, Microsoft can't forget to renew microsoft.com, because that's now MarkMonitor's job. Similarly, renewing passport.com is now the job of (according to whois '=passport.com'):

   Corporation Service Company(c) (CSC) 
   The Trusted Partner
   of More than 50% of the 100 Best Global Brands.
The bad part is if CSC screws up, quite a few companies could be in a world of hurt.


Part of what they do is set up registry locks.

This is different than a registrar lock in that a registrar lock is managed by the registrar (GoDaddy, Tucows, etc) but a registry lock is managed by the registry themselves. It requires personal contact with specific individuals to enable and disable the lock, making attempts to steal domains more difficult (but not impossible since social engineering is still feasible).

I've never used MarkMonitor before, but I did handle the registration for a hugely popular domain at one time. They decided to move to MarkMonitor, but in the meantime they requested a registry lock be set up on their main domain. This turned out to be a very good idea since the registrar at the time was social engineered into changing the credentials for the account (with forged letterhead similar to the fastmail.fm attack). The attackers were able to change the nameservers for little-used domains, but their main domain could not be modified.
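The difference between the two locks described above is visible in the EPP status codes a WHOIS record lists: codes beginning with `client` (e.g. `clientTransferProhibited`) are set by the registrar, while codes beginning with `server` (e.g. `serverTransferProhibited`) can only be set by the registry. The following Python is an added example, not code from any commenter or from MarkMonitor; it parses the `Domain Status:` lines of two constructed WHOIS responses (sample text built inline, not live lookups) and reports whether a domain is unlocked, has only a registrar lock, or carries a full registry lock. The status-code names are the standard EPP values; the helper names and the sample records are assumptions for illustration.

```python
"""Classify a domain's lock posture from EPP status codes in WHOIS output.

Added example (not from the thread). Given the text of a WHOIS response,
it extracts every 'Domain Status:' code and reports whether the domain
relies on registrar-set (client*) locks only or also has registry-set
(server*) locks, which is what a 'registry lock' shows up as.
"""
import re

# Codes a registrar can set on its own: a registrar lock. Standard EPP values.
CLIENT_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}
# Codes only the registry can set: what a registry lock looks like in WHOIS.
SERVER_LOCKS = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
}

# Matches lines such as:
#   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a WHOIS response."""
    return set(STATUS_RE.findall(whois_text))


def lock_posture(statuses):
    """Summarise which kind of lock (if any) the status codes indicate."""
    if SERVER_LOCKS <= statuses:
        return "registry-locked"          # transfer, update and delete all registry-blocked
    if statuses & SERVER_LOCKS:
        return "partial-registry-lock"    # some but not all server* codes present
    if statuses & CLIENT_LOCKS:
        return "registrar-lock-only"      # only codes the registrar itself controls
    return "unlocked"


def missing_locks(statuses):
    """List the lock codes a fully locked domain would have but this one lacks."""
    return sorted((CLIENT_LOCKS | SERVER_LOCKS) - statuses)


# Constructed sample records (hypothetical domains, not real WHOIS output).
SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE-REGISTRAR-LOCKED.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-REGISTRAR-LOCKED.TEST
"""

SAMPLE_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE-REGISTRY-LOCKED.TEST
Registrar: Example Brand Protection Registrar
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: NS1.EXAMPLE-REGISTRY-LOCKED.TEST
"""


if __name__ == "__main__":
    for record in (SAMPLE_REGISTRAR_ONLY, SAMPLE_REGISTRY_LOCKED):
        codes = parse_statuses(record)
        print(lock_posture(codes), "missing:", missing_locks(codes))
```

The useful property for a defender is that a registrar account compromise like the one described in the comment can clear `client*` codes, but not `server*` codes, so a periodic check that a critical domain still reports `registry-locked` is a cheap detection for the attack this thread is about.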


Wasn't Facebook's domain, or at least their whois record, hacked via MarkMonitor in February? At least that was the initial report; I'm not sure what happened and it's hard to find a credible source about it. Here's the best I found in a short search:

http://thenextweb.com/facebook/2014/02/06/uh-oh-syrian-elect....

Of course if it was hacked it wasn't necessarily MarkMonitor's fault; it could be Facebook's (though good security would anticipate that some customers will have poor security).

(If that post looks familiar, yes I'm reposting from a few days ago when someone made a similar comment. I'm hoping someone knows more about it.)


What I wonder is where I can get a domain with fewer human reviews. This wouldn't have happened if the humans at Gandi had ignored the email with the fake documents and had just relied on the automated authentication systems.

The problem with their system is that it has the right amount of human intervention to be fallible to social engineering.


You actually want both - you want all of the automatic safety checks to be first completed, and then, after all of them have been passed, you want an account manager to personally pick up the phone, and call their contact at the company making the change, and have a discussion as to what is trying to be done, and whether everything is kosher.


Sure, for a company, yeah. For my personal domains, I'd rather have cheap and human-free ;)


Actually Gandi's fortune was created on human-free. But they had a founder clash on what to do with the money, and whether to seek more; one left, and now it's a normal corporate company.
