
> - Your Amazon shopping account and your AWS account should definitely not be the same account.

If you need another reason: I've heard allegations that the recovery processes for Amazon shopping accounts and for dedicated AWS accounts are different, with the former being easier to socially engineer.

Probably some risk management department figuring that in the case of the former any "fraud" can be resolved with any chargebacks/refunds


I mean, given how just about all DNSSEC domains are bootstrapped through domain registrar interfaces and their APIs (which have been compromised in attacks before), that might not be the best idea. As a counterpoint, I think that despite its flaws, removing any form of certificate/key pinning from browsers was a mistake, rather than learning from said issues (i.e. maybe provisioning pinning of the public keys through an HTTP header isn't the best idea.)


On a related note, pinning the public keys of TLS certificates in browsers used to be a thing (HPKP) and it did mitigate certain classes of attacks with caveats (i.e., let's hijack a domain using an "incompetent" domain registrar and MITM clients that previously visited this site before, happens more than you think[1][2]).

Given how it was configured using HTTP headers and with the average site that has buggy webapps and such that could be used for header "injection" independent of the webserver it was unfortunately considered a theoretical persistent DoS vector, and thus removed from browsers.

I'm not convinced other solutions (CAA, CT) are adequate replacements because at best they are reactive (versus preventative) solutions, and CAA assumes all CAs are properly checking DNS records at the time of issuance and that those DNS queries are not being intercepted, which is a big assumption in my book.

[1]: https://www.fox-it.com/en/news/blog/fox-it-hit-by-cyber-atta...

[2]: https://krebsonsecurity.com/2020/03/phish-of-godaddy-employe... (okay, was just a deface, but still accomplished with a hijacked registrar account)
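The comment above describes two properties of HPKP at once: the pin is just a SHA-256 over the certificate's SubjectPublicKeyInfo, and a header with pins for keys the operator does not control locks returning clients out for max-age seconds, which is why header injection was treated as a persistent DoS vector. The following is an added example (not code from the commenter or from any browser) that parses a Public-Key-Pins header per RFC 7469 and checks whether a policy would lock out clients against the chain actually being served. The SPKI byte strings are constructed placeholders, not real DER; a real check would feed in the DER-encoded SubjectPublicKeyInfo of each certificate in the chain.

```python
import base64
import binascii
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":  # valueless directive
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def validate_hpkp(header: str, served_chain_spkis: list) -> list:
    """Return the problems that would make this policy a self-inflicted lockout.

    An empty list means at least one pin matches the served chain and a backup
    pin exists, so the policy can be deployed (and later rotated) safely.
    """
    policy = parse_hpkp(header)
    chain_pins = {spki_pin(spki) for spki in served_chain_spkis}
    pins = set(policy["pins"])
    problems = []
    for pin in pins:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                problems.append(f"pin is not a 32-byte SHA-256 digest: {pin}")
        except binascii.Error:
            problems.append(f"pin is not valid base64: {pin}")
    if policy["max_age"] is None:
        problems.append("max-age directive missing (browsers ignore the header)")
    if len(pins) < 2:
        problems.append("fewer than two distinct pins: RFC 7469 requires a backup pin")
    if pins and not (pins & chain_pins):
        problems.append("no pin matches the served chain: returning clients would be "
                        "locked out for max-age seconds")
    if pins and not (pins - chain_pins):
        problems.append("no backup pin for a key outside the served chain: rotating the "
                        "key would lock clients out")
    return problems


# Constructed placeholder "SPKI DER" byte strings, not real key material.
LEAF_SPKI = b"constructed leaf SubjectPublicKeyInfo DER (placeholder bytes)"
BACKUP_SPKI = b"constructed backup-key SubjectPublicKeyInfo DER (placeholder bytes)"
FOREIGN_SPKI_A = b"constructed key A that the site operator does not control"
FOREIGN_SPKI_B = b"constructed key B that the site operator does not control"

# A sound policy: one pin for the served leaf key, one for an offline backup key.
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               f'max-age=5184000; includeSubDomains')
# The header-injection failure mode: pins for keys the site cannot ever present.
ROGUE_HEADER = (f'pin-sha256="{spki_pin(FOREIGN_SPKI_A)}"; pin-sha256="{spki_pin(FOREIGN_SPKI_B)}"; '
                f'max-age=5184000')

if __name__ == "__main__":
    print("good policy problems:", validate_hpkp(GOOD_HEADER, [LEAF_SPKI]))
    print("rogue policy problems:", validate_hpkp(ROGUE_HEADER, [LEAF_SPKI]))
```

The two "no pin matches" / "no backup pin" checks are the ones a deployment gate should run before every certificate rotation; they are also exactly what an injected header fails, since an attacker's pins never match the chain the origin serves.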


I know NetSol in theory supports registry lock, but last time I checked they want >$1000/year for it, and it's kind of shitty they don't offer robust access controls internally so you end up paying for it (and other registrars offer registry lock (and hopefully competent 2FA on top of that!) in the ~$500/year range)


There's zero reason to still use NetSol in 2021 except sheer masochism. Namecheap offers 2FA and registry lock for free.

Seriously, transfer your domains to almost literally any other registrar. They'll be better than NetSol.


I believe Namecheap only offers registrar lock (clientUpdateProhibited), not registry (serverUpdateProhibited). There are very few registrars that offer registry lock and they're all "enterprise", probably because the relationship required for registry unlock protocols to work doesn't scale with retail customers.

Off the top of my head: NetSol, MarkMonitor, CSC, maybe Cloudflare. There are more that will do it for specific ccTLDS (.ca has lots, for example).
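The distinction drawn in this comment is visible in the EPP status codes a registry publishes for a domain: client* statuses are set by the registrar, server* statuses by the registry, and only the latter are "registry lock". Below is an added example (not the commenter's code) that pulls the `Domain Status:` lines out of whois output, also accepts the RDAP spelling of the same statuses (RFC 8056 maps e.g. `serverUpdateProhibited` to `server update prohibited`), and reports which kind of lock a domain actually has. The whois text and RDAP status list are constructed samples.

```python
import re

# EPP domain status codes (RFC 5731), lower-cased for comparison.
# server* statuses can only be set/cleared by the registry: this is "registry lock".
REGISTRY_LOCK = {"serverupdateprohibited", "serverdeleteprohibited", "servertransferprohibited"}
# client* statuses are set by the registrar and fall with a compromised registrar account.
REGISTRAR_LOCK = {"clientupdateprohibited", "clientdeleteprohibited", "clienttransferprohibited"}


def normalize_status(status: str) -> str:
    """Fold EPP camelCase and RDAP 'server update prohibited' into one form."""
    return re.sub(r"\s+", "", status).lower()


def parse_whois_statuses(whois_text: str) -> set:
    """Collect status codes from 'Domain Status: <code> <url>' whois lines."""
    statuses = set()
    for line in whois_text.splitlines():
        m = re.match(r"\s*Domain Status:\s*(\S+)", line, re.IGNORECASE)
        if m:
            statuses.add(normalize_status(m.group(1)))
    return statuses


def classify_locks(statuses) -> dict:
    """Report whether the full registrar lock and/or registry lock set is present."""
    present = {normalize_status(s) for s in statuses}
    return {
        "registrar_lock": REGISTRAR_LOCK <= present,
        "registry_lock": REGISTRY_LOCK <= present,
        "missing_registry_statuses": sorted(REGISTRY_LOCK - present),
    }


# Constructed sample: a typical retail registrar sets only client* locks.
RETAIL_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Constructed Retail Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

# Constructed sample: a registry-locked domain additionally carries the server* set.
ENTERPRISE_WHOIS = RETAIL_WHOIS + """\
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed sample in RDAP spelling (RFC 8056), as returned in a JSON "status" array.
RDAP_STATUSES = ["client transfer prohibited", "server update prohibited",
                 "server delete prohibited", "server transfer prohibited"]

if __name__ == "__main__":
    print("retail:    ", classify_locks(parse_whois_statuses(RETAIL_WHOIS)))
    print("enterprise:", classify_locks(parse_whois_statuses(ENTERPRISE_WHOIS)))
    print("rdap:      ", classify_locks(RDAP_STATUSES))
```

Run it against `whois yourdomain` output to confirm that what you are paying for is actually serverUpdateProhibited and friends; a registrar-side "lock" that only sets clientUpdateProhibited does nothing once the registrar account or its API is compromised.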


Huh, looks like you're right about serverUpdateProhibited. TIL! Thanks.


Pairdomains (pairdomains.com) offers it for $0.00/year.

But…be absolutely, 100%, certain that the information contained in the registry record is 100% accurate for name of registering organization and contact information. Because the process to unlock can be quite…difficult if the information is slightly off.


pairdomains.com doesn't have serverUpdateProhibited, which is the "registry lock" protection. The reason why it costs money is because I believe it involves the registrant, registrar and registry coordinating a manual unlock out of band, so in theory if the registrar-registry API is compromised, you're still protected.


An unfortunate side effect of defending against social engineering attacks that can use very small inaccuracies to be successful.


I mean. How much is classic Perl used in web applications these days?


0.1%, not much!

https://w3techs.com/technologies/overview/programming_langua...

But concatenating strings together is the same in any language, right?


Cloudflare has an enterprise plan that should in theory be more hardened against abuse complaints.

I do agree about the sorry state of domain registrars these days.


Some Linux distributions require adding udev rules for applications to have USB device access, but other than that, it's pretty much plug and play.

A bit more convenient than having to use the YubiKey apps for TOTP and such.


My now-defunct u2f-hidraw-policy package did this in a generic manner. The code was subsequently ported into the upstream udev code, so any up to date distro should automatically detect and handle U2F devices. If they don’t, file an issue with upstream systemd and it’ll get fixed. Feel free to file an issue on u2f-hidraw-policy too if you want my attention.


Was not aware. Thank you!


How many hoops do you need to jump through (as a small to medium size company), to get an account at MarkMonitor, CSC or another one of those "brand protection" companies?

Over the past 5 or so years I have noticed "previously safe" registrars (in terms of resistance to false abuse/DMCA complaints or social engineering attacks) get acquired by larger corporate interests and sometimes have a drop in quality as a result. MarkMonitor was acquired by a venture capital firm a few years ago as well. Good to have backup options on the table.

(Before you ask. I am aware of the added costs of such services, and I don't have much faith in consumer registrars anymore.)


Enough hoops that it’s a pain but not so many I wouldn’t recommend it. You want your domain management behind a door with a sign that says “beware of the leopard.”

There are no great registrars, just registrars that suck less. I recommend Godaddy to no one.


Industry ripe for YCombinator disruption, anyone? ;~)


Checking whois for each of those domains, my first thought is I sure hope Key-Systems didn't get owned :|

EDIT: On a side note: if this[1] is true, it looks like the attacker may have compromised another registrar that perl.com used (Network Solutions), then moved the domain to another registrar, KS. Still a big concern though.

[1] https://nitter.net/DInvesting/status/1354778895749419013


KS is just the destination registrar. Most of the domains were from NetSol from what I can tell.


As noted in my edit.


I've been concerned about NameCheap since this alleged incident occurred

https://news.ycombinator.com/item?id=18063667

