Date: 2005-10-31 07:23:00
Tags: web
domain hijacking
I recently transferred some domain names from to The way you do this is to go to the new registrar (, enter all the domain info, pay for one additional year, and they do all the work of transferring the domain name from the old registrar ( sent me some emails during the transfer process to notify me that a requested transfer was taking place, and to go to an indicated URL if the transfer request was not correct. Not! What on earth are they thinking? I did nothing (as indicated) and the transfer request was successful. Anybody could have hijacked my domain names out from under me, if I had not seen the domain transfer emails. Now, supports locking the registration record so that this can't happen again.

For .org domains, transferring a domain requires a code called EPP or something that you get from your old registrar. So I had to log in to my account to get that code. But .com and .net require no such thing. Remember who runs .com and .net? Verisign! They continue to be evil by default.
after the domain hijacking, i think a few registrars enabled domain locking for all their customers. IIRC, this is something you can do with any registrar anyway, some of them just don't enable it by default (lord knows why not).

but, yes, it is quite silly how easy it is to transfer a domain without authorisation.
2005-10-31T16:57:12Z supports domain locking, but there just isn't any webpage with a control to do it. You have you open a support ticket and ask the tech person to enable the lock for you.
Note that .org runs on PostgreSQL, too. :)
Greg Hewgill <>