CloudFlare, the security-focused content delivery network, already protects its customers from DDoS and other attacks, but today, the company is taking another step to ensure its customers remain in control of their sites. CloudFlare is launching a domain registry service, CloudFlare Registrar, that protects high-profile sites from domain hijackings and from domain expiration caused by a forgotten renewal. This service will be available to CloudFlare’s paying Enterprise customers.
As CloudFlare argues, a domain name is only as secure as the registrar that maintains it. Most registrars focus on consumers, though, and not on high-profile sites, so security isn’t necessarily their priority and their standards aren’t as high as you would expect from an enterprise-centric site.
“By offering registrar services to CloudFlare Enterprise customers, we instantly eliminate the additional risk a third-party registrar may overlook,” said Matthew Prince, co-founder and CEO of CloudFlare, in today’s announcement. “Even in CloudFlare’s own search for a high-security registrar, we didn’t find anything that met our security standard. Rather than waiting for one to come onto the market, we built our own, fundamentally changing the way Registrar security is offered today.”
As CloudFlare also notes, domain hijacks aren’t just a problem for high-profile sites, but also for API providers. “While domain hijacks have historically been outright web defacements or theft, an attacker can also choose to be more subtle and proxy traffic to the original server, observing every user and tampering with any target,” the company says. “This is a particular risk for API providers (such as mobile application or IoT backends), where the hijacking of a domain can remain undetected while being exploited to compromise many applications.”
So how does CloudFlare secure domain names? Instead of using a single password for access to the registrar, CloudFlare Registrar users can opt to secure their domains by setting up a formal approval chain that includes multiple stakeholders who all have to agree to any change. That adds a lot of friction, but in this case, that’s probably exactly what you’d want. CloudFlare also uses two-factor authentication for accessing all accounts.
The company also promises that domains registered with CloudFlare Registrar will never expire. Domains will automatically renew a full year before they are scheduled to expire. This mitigates the risk of missing an email your registrar sent you a month before the domain expires. CloudFlare also locks all domains to prevent unauthorized access.