Domain security changes due to the new EU Data Protection Regulation (GDPR)

Phase 1 of 3 of the adaptations to the GDPR:

Due to the implementation of the new General Data Protection Regulation (GDPR), urgent security changes in the domain area (incl. FOA) will be carried out in the next few days!

As we already wrote in our article “GDPR – Introduction of new data protection rules a fiasco”, important changes are now being made at the last minute! We still cannot see ICANN's final “roadmap” and are therefore still left hanging with the adaptation of our processes and systems!

Our registrar informed us yesterday that important security changes will be made in the domain area in Phase 1 in order to deal with the consequences of the requirements of the General Data Protection Regulation! We hereby inform you of these:

  • Stricter auth codes for all generic top-level domains (gTLDs)
  • Transfer lock for all generic top-level domains (gTLDs)
  • Affected gTLDs are e.g. .com, .net, .org etc.
  • Not affected are country-code domains (ccTLDs) such as .de, .uk, .ca etc.
  • The updates are being made from 22 to 25 May 2018
  • The adjustments are done automatically and you don’t have to do anything!

Why these security changes are made:

Due to the complexity of the GDPR and the resulting consequences, no FOA mails will be sent for generic domains when domains are transferred!

To date, these FOA (form of authorization) mails have been sent to the owner or the administrator listed in the WHOIS data, who then had to click on a link to confirm consent to the domain transfer!

Our interpretation of the FOA mails:

Since the GDPR forbids the storage of personal data in WHOIS directories in foreign states (organizations), and in particular publicly, the registries can no longer access these mail addresses! Personal data includes first name, surname, street, postal code, city, telephone, fax and mail addresses.

Stricter authorization codes for domain transfer:

With the FOA mails abolished, the risk that domains can be transferred away without authorisation is theoretically greater, especially if the auth code previously chosen was too short! An auth code can be regarded as a password, and a password with a length of, for example, under 7 characters can be cracked in less than 1 minute!

Even a password that consists only of digits and is less than 11 characters long can be cracked in under a minute!

Our customers therefore know that we also try to prevent password logins on our servers by means of targeted security measures, as far as this is technically possible!
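
To make the length and character-set argument above concrete, the following added example (not part of the original article and not the registrar's code) estimates the exhaustive-search time for an auth code and generates a random replacement. The guess rate, the 100-bit threshold and the sample codes are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption for illustration: candidate codes an attacker can test per second.
ASSUMED_GUESSES_PER_SECOND = 1e10
# Hypothetical policy threshold, not a registry requirement.
MIN_BITS = 100
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

def alphabet_size(code: str) -> int:
    """Sum the sizes of the character classes that occur in the code."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in code))

def search_space(code: str) -> int:
    """Number of codes of the same length over the same alphabet."""
    return alphabet_size(code) ** len(code) if code else 0

def entropy_bits(code: str) -> float:
    """Upper bound on entropy; only reached if the code was chosen at random."""
    space = search_space(code)
    return math.log2(space) if space > 1 else 0.0

def worst_case_seconds(code: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time needed to try every candidate at the assumed guess rate."""
    return search_space(code) / rate

def meets_policy(code: str, min_bits: float = MIN_BITS) -> bool:
    return entropy_bits(code) >= min_bits

def generate_auth_code(length: int = 24) -> str:
    """Draw from a CSPRNG until every character class is represented."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    alphabet = "".join(CLASSES)
    while True:
        code = "".join(secrets.choice(alphabet) for _ in range(length))
        if alphabet_size(code) == len(alphabet):
            return code

if __name__ == "__main__":
    # Constructed sample codes: two short ones, one digits-only, one generated.
    for sample in ("482913", "ab12cd", "1234567890", generate_auth_code()):
        print(f"{sample!r}: {entropy_bits(sample):.1f} bits, "
              f"{worst_case_seconds(sample):.3g} s worst case, "
              f"ok={meets_policy(sample)}")
```

The estimate is an upper bound: a code picked by a person, or one that follows a pattern, is weaker than its length and alphabet suggest.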

Additional protection by transfer lock:

For all generic domains, the transfer locks, which prevent the outbound transfer of the domains, are therefore also activated automatically! So far, customers have been able to set this domain transfer lock manually via the Web interface for all their domains. For generic domains, the locks are now set automatically, and if a customer wants to initiate a domain transfer in the future, they can first remove this transfer lock via the Web interface for Domains (MWI)!

For some domain extensions, the removal of the transfer lock is only valid for a certain time and the lock is then automatically reset!

We recommend that customers always set the transfer lock on all domains! Until it is removed, the lock prevents an outbound domain transfer in any case!

Further adjustments in the course of GDPR:

In Phases 2 and 3 we will make further adjustments and also inform you about how we process/store your data according to the GDPR!

Further recommendations regarding the implementation of the GDPR:

Soon we will publish further recommendations for website operators regarding the GDPR in the blog!
