The terror that is the Domainz NZ website

Domainz (unsurprisingly)  provide services around Domain name registration and renewals here in NZ. I have nothing against Domainz, other than the fact that they sell themselves as “The Kiwi Webexperts”.

I personally don’t use Domainz for any of the hundreds of domains I own, however some of my customers have, so I’m often forced to use their customer portal.

There’s 2 main issues I have:

The customer portal doesn’t actually allow you to do anything useful

When ‘managing’ a domain, there’s basically 2 options. “Redirect to an Existing Website” where you can enter a single IP address, and “Forward All Domain Mail to Another Email Account“.  Want to specify multiple MX records so you can have a proper shot at some email redundancy? Nope, email customer support. Want to add some subdomains? Nope, email customer support. Basically anything useful and you need to email customer support.

I’m not even going to touch on the usability issues with the way the login forces a modal popup which then spans another window after login, or how some domains aren’t listed in some areas for various reasons. At least they’re performing password changes over https, although you might not see that, because the site uses framesets and so the main address stays as http even through the change password frame’s content is loaded securely.

Anyway, once you’ve emailed customer support, you get to point #2:

 

Their security practices are a complete joke

After emailing customer support requesting to make changes that we should be able to make ourselves, we get this:

As a method of verification I will need your Name Holder ID password to verify you to make these changes.
 
Could you please reply back with the password in order for me to make these changes.

How the hell is this still acceptable? Ownership and management of domains is a pretty important part of the identity of a business, and it’s certainly an easy attack vector against any company, so you want to protect them. However Domainz “The Kiwi Webexperts” are forcing you to send them your password via clear text as a method of verification. Seriously? In 2012?

The next question is whether this means that the passwords are stored in clear text their end, so they can compare them visually, or whether they login to your account as you would in order to ensure “Yep this person has access”. Option 2 is slightly less terrifying than option 1, however both options are pretty pathetic from a security/process standpoint.

I should note that the Customer Service people are usually pretty friendly, and this is nothing against them, but more against the systems that the company has in place.

Bottom line, if you’re looking to register some domains, I suggest looking at a provider who takes your security seriously, and is willing to give you the tools to make your life easier – although to be fair there’s a lot of terrible domain management sites out there. I’m not going to mention any names, however I’m pretty happy with the providers I use, so if you want an opinion then feel free to flick me a line.

Domainz, seriously, sort your site out and improve your security.

Posted on Friday, June 1, 2012 12:03 PM |

Like this? Share it!

  • # re: The terror that is the Domainz NZ website
    Gravatar
    Commented on 7/7/2012 4:44 PM

    Hi Ross
    I have a domain registered via domainz that is being used for a website on hostgator web hosting.
    I want to get the email working so I can use the domain for emails.
    Hostgator say that the email won't work at the moment because domainz are blocking emails using this domain.
    Do you know if this is domainz normal practice?
    I wrote an email to domainz asking about this a few days ago and have not heard anything back so far.
    In their setup all I can do is forward to all emails using the domain to a single email - not very useful.
    Thanks in advance
    Paul

  • # re: The terror that is the Domainz NZ website
    Gravatar
    Commented on 7/8/2012 5:37 PM

    Hi Paul,

    I don't think they're blocking email, but their website certainly doesn't let you do any of what you need to in order to get email running properly.

    In my experience Domainz will respond to you eventually, at which point you can feed them the MX record information required to get you up and running.

    (until you need to change something, in which case you have to go through this all over again :D)

    Good luck :)

  • # re: The terror that is the Domainz NZ website
    Gravatar
    Commented on 7/31/2012 7:54 AM

    Having just recovered my password with them so I can transfer a domain away I can say that passwords are stored in plain text, as they were able to send it to me in an email.

Post a comment
Please add 2 and 6 and type the answer here:
Remember me?
Ensure the word in this box says 'orange':