IE Domain Registry t/a .IE Annual Report 2021

Business and Market Review In 2021, we started to lay the foundations by forming Team Xavier. Our .ie database allows us to provide benchmarks and data on how Ireland is thriving online – in terms of website usage and cybersecurity. Starting in October 2021 we examined the adoption of security standards for email and websites in the .ie namespace. This includes retrieving the main web page for each .ie domain, verifying if it supports HTTPS and other security features, and looking into the DNS for signals of new security practices. This allows us to identify each domain and their capabilities, and potentially, weaknesses. Our plan is to continue doing these collections on a regular basis in order to keep the community informed. In the future, as we enhance the collected data with machine learning, we will use these results to further engage with key stakeholders so as to help drive industry best practice when it comes to the .ie namespace. The results are currently shared with stakeholders in our blogs on our website. In 2021, we shared a deep look into a variety of metrics publicly visible for domains, focusing on web security (HTTPS) and email security. Web Security We have an explorer specially dedicated to detecting HTTPS support, in order to gain a deep understanding of its usage and determine if a domain is using a robust configuration. Apart from checking for support, we validate the certificate received, test for different versions of SSL and TLS, and identify the use of good and weak ciphers, public key certificates and other security features. We have three high-level categories: ▶ Domains not supporting HTTPS, where the probing failed for a number of reasons: DNS error, the server being probed rejected the connection, or timed out, or the security handshake failed. This represents 45% of the domains. ▶ Domains supporting HTTPS, but will eventually fail if a user tries to use it because the domain is using self-signed certificates, or expired certificates. This represents 15% of the domains. ▶ Domains with working HTTPS represent 40% of the domains. For this category, we explore the most relevant Certificate Authorities (CA), with Let’s Encrypt taking the first spot with 51,732 domains or 40.4% of all .ie domains with working HTTPS. That’s a strong market position, and potentially a challenge considering the issues this CA had recently with the expiration of their root certificate. It’s refreshing to discover that most of the domains support modern TLS versions like 1.2 and 1.3, but it’s concerning to observe 40,923 domains supporting TLS 1.0 which was deprecated in March 2020. There are a number of extra web security features that, according to experts, are good to have as they increase the robustness of configuration. Some of these newer recommended settings include; Use Strong Key Exchange; Use OCSP Stapling; Use HSTS; and settings which may be more familiar to readers: ▶ Use CAA (Certificate Authority Authorisation), a DNS record that signals which Certificate Authorities are allowed to issue certificates for the domain. ▶ Use CSP (Content Security Policy), a mechanism that provides a policy to restrict mixed content (secure and insecure). Email security The need for and take-up of email security is a somewhat controversial topic. Our data analytics tools can identify if a .ie domain has enabled a feature that makes email more secure against spoofing. The findings are shared in our blogs. Clearly, there is a need for a global cross community effort in this area. This close look into high-level security features and web usage of .ie domains leaves us with a higher interest in seeing these metrics improve. So far, changes are happening organically and slowly, and security levels of adoption are low. “We are open to sharing our information in detail with our stakeholders to shift the needle towards better outcomes: high adoption of security features in the .ie namespace.” Sebastian Castro Chief Data Scientist, .IE Data analytics and visualisation In Strategy 2024 we set a multi-year strategic objective for .IE to create a centre of excellence in three areas; providing data metrics and data visualisation; providing online self-assessment security tools; and supporting undergraduate applied research on internet-related topics. IE Domain Registry CLG t/a .IE / Annual Report & Review 2021 22