Domainz (unsurprisingly) provide services around Domain name registration and renewals here in NZ. I have nothing against Domainz, other than the fact that they sell themselves as “The Kiwi Webexperts”.
I personally don’t use Domainz for any of the hundreds of domains I own, however some of my customers have, so I’m often forced to use their customer portal.
There are 2 main issues I have:
The customer portal doesn’t actually allow you to do anything useful
When ‘managing’ a domain, there’s basically 2 options. “Redirect to an Existing Website” where you can enter a single IP address, and “Forward All Domain Mail to Another Email Account”. Want to specify multiple MX records so you can have a proper shot at some email redundancy? Nope, email customer support. Want to add some subdomains? Nope, email customer support. Basically anything useful and you need to email customer support.
I’m not even going to touch on the usability issues with the way the login forces a modal popup which then spawns another window after login, or how some domains aren’t listed in some areas for various reasons. At least they’re performing password changes over https, although you might not see that, because the site uses framesets and so the main address stays as http even though the change password frame’s content is loaded securely.
Anyway, once you’ve emailed customer support, you get to point #2:
Their security practices are a complete joke
After emailing customer support requesting to make changes that we should be able to make ourselves, we get this:
As a method of verification I will need your Name Holder ID password to verify you to make these changes.
Could you please reply back with the password in order for me to make these changes.
How the hell is this still acceptable? Ownership and management of domains is a pretty important part of the identity of a business, and it’s certainly an easy attack vector against any company, so you want to protect them. However Domainz “The Kiwi Webexperts” are forcing you to send them your password via clear text as a method of verification. Seriously? In 2012?
The next question is whether this means that the passwords are stored in clear text at their end, so they can compare them visually, or whether they log in to your account as you would in order to ensure “Yep this person has access”. Option 2 is slightly less terrifying than option 1, however both options are pretty pathetic from a security/process standpoint.
I should note that the Customer Service people are usually pretty friendly, and this is nothing against them, but more against the systems that the company has in place.
Bottom line, if you’re looking to register some domains, I suggest looking at a provider who takes your security seriously, and is willing to give you the tools to make your life easier – although to be fair there are a lot of terrible domain management sites out there. I’m not going to mention any names, however I’m pretty happy with the providers I use, so if you want an opinion then feel free to flick me a line.
Domainz, seriously, sort your site out and improve your security.