By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever login with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.

You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.

Traditionally, only online stores used SSL certificates because they were very expensive. But SSL certificate prices have dropped quite a bit recently, and they’re now low enough that we think SSL certificates should be widely used to protect all logins and other sensitive data.

If you are a Tiger Technologies customer, you can get an SSL certificate for a great price. (One type of certificate, a “self-signed certificate”, is even free if you’re already on our Gold or Platinum hosting plans.) If you’re not a Tiger Technologies customer, you can search for companies selling SSL certificates or search for free self-signed certificates.

Configuring WordPress

Once you have an SSL certificate installed on your site, it’s easy to configure WordPress to use secure logins. Simply add this line anywhere to your wp-config.php file (after the opening “<?php” line):

define('FORCE_SSL_ADMIN', true);

This will ensure that your username and password are submitted to WordPress securely; all of your subsequent work (creating posts, etc) will be secure as well. You’ll see your Web browser’s “padlock” icon when you are using a secure connection. The WordPress “Administration Over SSL” page has more details.

These “invoices” are a scam. Domain Registry of America is unrelated to our company, and has been cited by the FTC for “deceptive conduct”.

If you look closely at the “invoices”, they actually say something like “This notice is not a bill, rather an easy means of payment should you decide to renew your domain with us.” However, that small print is easy to miss.

We have a page about Domain Registry of America scams with much more information. We encourage you to make sure that whoever pays your invoices is aware of it.

I lamented the lack of detailed statistics about how many transfers each registrar rejected. However, it turns out that some of those numbers are actually available right on the ICANN Web site.

Those statistics show exactly how many “outbound” transfers each registrar rejected. Let’s take a look at the May 2009 “.com” statistics for the 5 biggest registrars in the world, keeping in mind that the transfer policy suggests that a transfer should be rejected only in very limited circumstances:

• GoDaddy: 7,855 of 26,475 (29.7% rejected)
• eNom: 262 of 22,724 (1.2% rejected)
• Tucows: 143 of 22,257 (0.6% rejected)
• Network Solutions: 889 of 17,242 (5.2% rejected)
• Melbourne IT: 35 of 37,746 (0.1% rejected)

(Our company didn’t reject any, but we’re much smaller and our numbers aren’t statistically significant.)

You can see that GoDaddy and Network Solutions reject far more transfers than the other three. In fact, GoDaddy rejects transfers at a rate that’s about 300 times higher than Melbourne IT and 50 times higher than Tucows. Network Solutions rejects about 50 times as many as Melbourne IT and 9 times as many as Tucows.

In other words, GoDaddy and Network Solutions are far more likely to say “we’re not going to let you move your domain name” than their large competitors. Remember, the transfer policy says that rejections are reserved for exceptional circumstances — but GoDaddy is rejecting almost 30% of them!

GoDaddy and Network Solutions claim they’re rejecting transfers for security reasons (although they both freely admit that “security reasons” include simple contact updates, even though the ICANN policy expressly forbids this). The actual rate of attempted domain name hijacking is almost certainly just a tiny fraction of one percent. Blocking 30%, or even 5%, is absurd.

The obvious conclusion is that GoDaddy and Network Solutions are intentionally inconveniencing domain name holders to make it difficult to switch to another company, and ICANN is letting them get away with it. (After my last post, I got a couple of “please send us the details” messages from people at ICANN, but nothing has happened since. Anyway, I’ve been sending them examples for years, and they could have done something about it a long time ago if they were interested.)

The fundamental problem is that ICANN doesn’t see itself as a regulatory agency. Some registrars routinely violate this and other policies that they’re contractually required to follow (trust me, you don’t want to hear my rant about the EDDP), but nothing happens to them. Is it any wonder that they continue to take advantage of it?

Most of the Internet does fine without any regulation because users have choice — they aren’t locked in to any particular company. But registrars are different. They need oversight because they’re in a position to prevent their domain name customers from easily exercising that choice.

I don’t have much faith that ICANN will fix this — in fact, part c of the new transfer working group charter suggests that some of the existing rules might be removed instead of being enforced. The very premise of that charter, that a “change of registrant [...] often figures in hijacking cases”, is utter nonsense, no more accurate than “e-mail addresses containing vowels often figure in hijacking cases”. Both statements are literally true but completely irrelevant. A change of registrant can never reliably suggest hijacking, simply because changes of registrant contact information happen all the time and hijackings don’t.

There’s nothing wrong with the existing transfer rules. Companies like Tucows, Melbourne IT and Tiger Technologies honor them every day. What’s needed is for all registrars to play fair.

In the meantime, if you want to have control of your domain name, you might want to avoid GoDaddy and Network Solutions and pick another registrar instead. We’re a fine choice if you don’t mind paying a little more for quality customer service, but there are plenty of other good choices, too.

There’s an obvious potential conflict-of-interest here. An unscrupulous company could easily make more money by rejecting the transfer and forcing the domain name owner to renew it there instead.

Fortunately, this shouldn’t be a problem. ICANN, the organization that controls domain name policy, requires registrars to follow some very specific rules about transfers (here, with an update here). They list nine specific situations in which a transfer can be rejected, explicitly banning other reasons.

For the most part, this prevents arbitrary rejections. However, there are a few registrars that continue to violate the rules. We’ve complained (again and again) to ICANN about this, but they don’t seem interested, so I’ll mention a few problems here.

Register.com is one frustrating company. The ICANN policy clearly prohibits blocking a transfer of a domain name that has expired but not yet been deleted. Despite that, a customer trying to transfer a three-day-expired Register.com domain name told us last week that they flat out refused to give him the necessary code to allow him to transfer — unless he pays them to renew it first. That isn’t the first time we’ve heard this, either.

GoDaddy (and their reseller arm, Wild West Domains) have a different problem. They still block transfers for 60 days after a registrant contact update, even after the ICANN update specifically prohibited doing so. They freely admit it, too. GoDaddy’s Disputes Manager recently told us that blocking transfers for this reason is okay because “It is not necessary to update registrant information in order to transfer a domain name”. That’s irrelevant, of course; domain name owners are legally required to update registrant information whenever it becomes inaccurate, as ICANN’s update makes clear. GoDaddy can’t legitimately block transfers just because someone followed the legal requirement to update their contact information.

We see a similar problem with many transfers from Network Solutions. They often tell their customers that they’ve rejected the transfer “due to potentially suspicious activity in your account”. When customers ask for details, they’re told that the only “suspicious activity” was a recent contact update. Again, this is exactly what the policy prohibits.

GoDaddy and Network Solutions claim they’re protecting registrants by implementing these security measures, as if a recent contact update is a reliable sign of malicious activity. But many registrants update all their contact information just before they transfer their domain name to make sure the transfer approval notices reach their current address. They just don’t think about until then. It’s perfectly normal.

In addition, the “security measures” probably don’t work anyway. Surely by now any competent domain name thief knows not to update the registrant contact until after they’ve transferred the domain name to another registrar, thus bypassing the “security” completely.

While the GoDaddy and NSI efforts almost certainly have blocked some fraudulent transfers, so would a rule saying “you can’t transfer domain names during months that contain an R”. What really matters is how many legitimate transfers are also blocked. We’ve been on the receiving end of many blocked transfers, and we always try to push the other registrar to provide details about the “security problem” — I’ve spent literally days of my time doing this over the last two years. In every single case, the attempted transfer has turned out to be legitimate.

If GoDaddy and NSI wanted to prove they were protecting registrants, they could share some statistics about how many of the blocked transfers eventually get completed later anyway, vs. how many of the blocked transfers result in complaints or actions by registrants to block future transfers (such as authorization code changes) . We’re pretty sure the former vastly outweighs the latter.

Of course, they won’t share those statistics, because that would reveal how many domain name owners they’re inconveniencing. Instead, they’ll just continue to flout the ICANN transfer rules, and ICANN will continue to do nothing.

(Update: we later obtained these statistics, as detailed in a subsequent post.)

Here’s our pledge to our customers: We’ll always abide by the letter and spirit of the ICANN transfer policies. If you want to transfer your Tiger Technologies domain name elsewhere, we’ll help you, not hinder you. In fact, we’re one of the few companies that publicly explains how to do it. We value your business, but we’ll never force you to stay with us against your will.

(And by the way, we’re not ignoring security, either. Every domain name transfer gets reviewed by a real person here, and if we see anything unusual, we’ll send you an e-mail message and/or give you a call to find out what’s really going on.)

The problem is that GMail, Yahoo mail, Hotmail and other free mail services have no real support. If you have trouble, there’s no way to talk to the people running the mail system and ask them about individual messages.

If you send a message from a free mail service and it never appears to arrive at the destination, or if it takes hours or days to arrive, there’s no reasonable way to find out what happened to that message. And if someone’s messages to you are being incorrectly blocked by a spam filter in such a way that they never even make it to a spam folder, you can’t complain and expect a prompt, useful response.

In contrast, if you have a problem with our mail service, we’ll spend the time to find out exactly what happened to a particular message. If there’s a problem, we’ll fix it. If the message was delivered properly but lost on the other end (which is common), we’ll find out exactly where the message went to and give you all the info the recipient needs to get it permanently fixed on their end.

These other companies are seeing a problem (“People take up lots of our time with questions about e-mail”) and choosing the wrong solution (“Let’s figure out a way to stop people complaining to us”). That may be a good solution for them, but it’s not a good solution for you, the customer.

We understand that part of what you’re paying us for is to help you solve problems, with e-mail or any other service we provide. As much as we strive to make things trouble-free, you’ll sometimes have questions. When that happens, our goal is to help you, not to come up with a way to stop you from asking us about it.

If this happens to you, we imagine that you might feel something like this:

We’re introducing a new “We’ll Pay the Ransom” promotion, wherein we will pay Network Solutions the $34.99 necessary to register the domain name for you. Or, if you’ve already paid it, we’ll credit your account $34.99. Either way, just sign up to transfer the domain name to us and a year of our Web hosting.

Or, if you just want to transfer the domain name but not sign up for Web hosting, then you can sign up to transfer the domain name to us and we’ll put it on our watch list. We’ll register the domain on your behalf when Network Solutions releases it, then transfer it over to us.

We have full details available on this page.