In 2013, hackers gained access to The New York Times’ domain registrar account and changed its nameservers — effectively taking control of one of the world’s most trusted news domains.
It was a breach that could have been prevented with Verisign’s Registry Lock, a service that adds a critical layer of protection to domain names by requiring manual verification before any DNS or ownership changes can be made. After the attack, The New York Times enabled Registry Lock — but many other high-traffic sites still haven’t.
What Registry Lock Does
Registry Lock prevents unauthorized updates by requiring additional confirmation between a registrar and the registry(e.g., Verisign) before any domain modification is approved. This can stop hijacks that compromise an organization’s web presence, brand, or email systems.
The Study: How Secure Are the Top 100 Domains?
Analyzing Cloudflare’s Top 100 Domains over the past 12 weeks, I reviewed WHOIS data to identify which domains use Registry Lock. The telltale indicators were:
-
ServerDeleteProhibited -
ServerTransferProhibited -
ServerUpdateProhibited
After excluding non-Verisign-managed TLDs (like .net, .org, etc.), 89 domains remained for analysis.
The result:
✅ 62 of 89 domains — or 70% — use Registry Lock
Key Findings
-
Google controls over 10 of the top 100 domains, and while most are protected, some key domains like googletagmanager.com lack Registry Lock.
-
TikTok is one of the most prominent companies without Registry Lock on its domains.
-
Several major ad networks, including Taboola and PubMatic, also lack protection — exposing them to potential hijacking that could disrupt online advertising at scale.
-
Some core infrastructure domains (like those used for content delivery, analytics, or authentication) are unprotected even though they don’t host traditional websites. These are arguably even more critical to secure.
Examples of Protected vs. Unprotected Domains
| Domain | Registry Lock? |
|---|---|
| google.com | ✅ Yes |
| tiktokcdn.com | ❌ No |
| facebook.com | ✅ Yes |
| pubmatic.com | ❌ No |
| amazon.com | ✅ Yes |
| googletagmanager.com | ❌ No |
| microsoft.com | ✅ Yes |
| samsung.com | ❌ No |
| youtube.com | ✅ Yes |
| taboola.com | ❌ No |
(Full list available below.)
Why It Matters
Registry Lock is low-cost insurance for businesses that rely on domain stability. Without it, even a temporary hijack can disrupt services, redirect users, or damage brand reputation.
As the Times incident showed, many companies only act after a security breach. With attacks becoming more sophisticated, Registry Lock should be standard practice for any organization managing high-value or high-traffic domains.
OMWEB Take:
Despite widespread awareness, 30% of top global domains remain vulnerable to hijacking that Registry Lock could prevent. As digital assets grow in importance, expect more registrars — and clients — to make this extra layer of domain protection a default security measure.