Even after high-profile domain hijackings, many companies don’t use this low-cost service for added protection.
In 2013, a hacker gained access to The New York Times’ domain registrar account and changed the nameservers.
It was an attack the publication could have avoided if it had used Verisign Registry Lock.
Registry Lock adds another layer of protection before changes can be made to a domain. If someone wants to change the nameservers of a domain with Registry Lock, a secondary verification must take place between the registrar and the registry.
The New York Times learned its lesson and added Registry Lock after the attack.
Many companies wait until it’s too late. Any company with significant web traffic or important domains should use this relatively low-cost service. If their registrar doesn’t offer it, they should transfer their domains to another registrar.
Today, I analyzed the top 100 most trafficked domain names to see how many were using Registry Lock. To do this, I reviewed Whois records for Cloudflare’s list of the Top 100 Domains over the past 12 weeks and looked for the three records that show Registry Lock is on:
ServerDeleteProhibited
ServerTransferProhibited
ServerUpdateProhibited
Many of the domains on Cloudflare’s list aren’t used for traditional websites. Domains like googleusercontent.com are used to deliver content and parts of web pages, or to underpin the technology used by these companies. These domains are just as important — if not more important — to secure than those used for popular website destinations.
I removed 11 domains that use top level domains not managed by Verisign. (Some other registries offer a similar service to Verisign’s Registry Lock, but I excluded these domains for simplicity.)
Here’s what I found:
- Sixty-two of the 89 top domains, or 70%, use Registry Lock
- Many of the domains are controlled by the same company. For example, Google has over 10 of the top 100 domains. While Google has Registry Lock on most domains, it is not universal. For example, googletagmanager.com doesn’t use Registry Lock.
- TikTok is one of the largest site owners that doesn’t protect its domains with Registry Lock.
- Several large ad networks, including Taboola and Pubmatic, do not have Registry Lock. Were someone to hijack the nameservers on these domains, they could wreak havoc.
Below is a full list of the top domains, in alphabetical order, along with their Registry Lock Status.Search:
| Domain | Registry Lock? |
|---|---|
| a2z.com | yes |
| aaplimg.com | no |
| adnxs.com | no |
| adsafeprotected.com | no |
| akadns.net | yes |
| akamai.net | yes |
| akamaiedge.net | yes |
| amazon-adsystem.com | yes |
| amazon.com | yes |
| amazonaws.com | yes |
| android.com | yes |
| app-analytics-services.com | no |
| app-measurement.com | no |
| apple-dns.net | yes |
| apple.com | yes |
| applovin.com | yes |
| appsflyersdk.com | no |
| azure.com | yes |
| baidu.com | yes |
| bing.com | yes |
| capcutapi.com | no |
| casalemedia.com | no |
| cdninstagram.com | yes |
| chatgpt.com | yes |
| cloudflare-dns.com | yes |
| cloudflare.com | yes |
| cloudfront.net | yes |
| criteo.com | yes |
| digicert.com | yes |
| doubleclick.net | yes |
| doubleverify.com | no |
| facebook.com | yes |
| fastly.net | yes |
| fbcdn.net | yes |
| ggpht.com | yes |
| gmail.com | yes |
| google-analytics.com | yes |
| google.com | yes |
| googleadservices.com | yes |
| googleapis.com | yes |
| googlesyndication.com | yes |
| googletagmanager.com | no |
| googleusercontent.com | yes |
| googlevideo.com | yes |
| gstatic.com | yes |
| gvt1.com | no |
| gvt2.com | no |
| icloud.com | yes |
| instagram.com | yes |
| linkedin.com | yes |
| live.com | yes |
| microsoft.com | yes |
| microsoftonline.com | yes |
| mikrotik.com | no |
| miui.com | no |
| msftconnecttest.com | no |
| msftncsi.com | yes |
| msn.com | yes |
| netflix.com | yes |
| office.com | yes |
| office.net | yes |
| office365.com | yes |
| pubmatic.com | no |
| qq.com | yes |
| roblox.com | yes |
| rubiconproject.com | no |
| samsung.com | no |
| sharepoint.com | no |
| skype.com | yes |
| snapchat.com | yes |
| spotify.com | yes |
| steamserver.net | no |
| taboola.com | no |
| tiktokcdn-us.com | no |
| tiktokcdn.com | no |
| tiktokv.com | no |
| trafficmanager.net | yes |
| ui.com | no |
| unity3d.com | yes |
| vungle.com | no |
| whatsapp.com | yes |
| whatsapp.net | yes |
| windows.com | yes |
| windows.net | yes |
| windowsupdate.com | yes |
| xiaomi.com | no |
| yahoo.com | yes |
| youtube.com | yes |
| ytimg.com | yes |
Source: https://domainnamewire.com/
