Registrar Protocol Change Could Bring More Security to Domains

Opinion: A big red switch in the registrar system gets thrown later this week. Let's hope the registrars are ready.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

You may not have noticed, but major changes are being implemented in the domain registrar business.

As the operator of the .com and .net registries, VeriSign is the hub through which all domain registrars must operate. They do so through a set of software protocols. On Oct. 28, the old protocol, RRP (Registry Registrar Protocol) will be "deprecated" in favor of EPP (Extensible Provisioning Protocol). Its also in place for all .org, .biz, .info, .us, and .cn domain names.

This process has been underway for many years. ICANN (Internet Corporation for Assigned Names and Numbers) began requiring the use of EPP with the introduction of the 2001 un-sponsored top-level domains. VeriSign deployed EPP on June 25, 2005. Since then, it has been running both protocols in parallel. But the day is coming very soon when VeriSign will actually shut down the old RRP system. Is the Internet ready?

/zimages/2/28571.gifTheres more evidence that the domain registration system is failing to serve the publics interests, and its going to get even worse. Click here to read more.

From the point of view of users, the only important change is the addition of a security step for domain name transfers from one owner to another. With EPP you will need to obtain a special key, a kind of password, from the losing registrar, which refers to the registrar from which the domain is being transferred. You will need to provide this key to the gaining registrar. Its a six- to 16-character code assigned to the domain.

Because you will have to log in to your account at the registrar that holds the domain in order to get the key, many forms of domain theft are frustrated by this key. Not all of them, of course. But the sort of domain theft where someone initiates a transfer and it goes through because the real owner doesnt check his e-mail is largely blocked by this feature, because you have to be able to contact the registrar of record on the domain and convince him youre the owner.

I already ran into this problem myself about a month ago when I transferred a domain from 1&1, a hosting service that also does domain registration, to PairNIC. PairNIC demanded that I supply the "Transfer Authorization Code." Huh? Id never heard of that before, and Ive transferred a few domains in my day.

It took me a while to learn from the PairNIC guys that theres a new system in place and that I had to get the code from the other registrar—the "losing registrar" in domain name parlance.

I went back to 1&1 and looked for it and once again it wasnt easy. 1&1 calls it an "Auth Code." Not easy to find, but I found it eventually. I suspect many users will have a hard time with this process, and since it involves transferring domains away from the registrar, perhaps the registrars wont be as helpful as they might be.

So on Oct. 28 when VeriSign throws the switch and turns off RRP support, will all registrars be ready with their EPP support, even if its not as helpful to users as it might be? The last word I got from VeriSign about a week ago was that "Today, most .com and .net registrars have cut over to EPP. The remaining few are on the trajectory of finishing by the 28th of October." That means theyre not all done yet. (Are you a registrar and want to implement EPP? Heres how.)

I have to think all the big ones would be; theyd be completely nuts not to be ready by now. On the other hand, there are quite a few fly-by-night and otherwise shady registrars out there, and they might not be ready, but you dont want to be doing business with them anyway.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer