.IE Domain Scorecard
At our last Registrar Day at the end of 2022, we introduced the .IE Domain Scorecard, an easy-to-understand metric to evaluate .ie domains and their security capabilities for web, domain and email.
We strongly believe in the need for metrics to provide the understanding and enable the decision-making required to make the Internet in Ireland better. Quoting Peter Drucker – “if you can’t measure it, you can’t improve it”.
On a monthly basis, we use three pieces of software that actively probe each active .ie domain for web content, DNS records and HTTPS settings. The data collected during the probing provides the foundation on which the domain scorecard is built.
Inspired and influenced by the Internet.NL website and the Qualys SSL Labs tester, we have picked 28 different metrics that are key to the security of a domain.
| # | Area | Score group | Metric | What is checked |
|---|---|---|---|---|
| 1 | Web Security | HTTP Security Score | HTTPS Available | Verifies if the domain has a secure website. |
| 2 | Web Security | HTTP Security Score | HTTPS Redirect | Verifies if the domain gets redirected to the secure website when visiting the non-secure version. |
| 3 | Web Security | HTTP Security Score | Strict Transport Security | Verifies if the domain has a valid STS header. |
| 4 | Web Security | HTTP Security Header Score | Content Security Policy | Verifies if the Content-Security-Policy HTTP header is set and contains acceptable values. |
| 5 | Web Security | HTTP Security Header Score | X-Frame-Options | Verifies if the X-Frame-Options HTTP header is set and contains acceptable values. |
| 6 | Web Security | HTTP Security Header Score | Referrer-Policy | Verifies if the Referrer-Policy HTTP header is set and contains acceptable values. |
| 7 | Web Security | HTTP Security Header Score | X-Content-Type-Options | Verifies if the X-Content-Type-Options HTTP header is set and contains acceptable values. |
| 8 | Web Security | Certificate Score | Trusted Certificate Chain | Checks if the site certificate can be validated. |
| 9 | Web Security | Certificate Score | Certificate matches domain | Checks if the site certificate information matches the domain where it is being used. |
| 10 | Web Security | Certificate Score | Public Key of Certificate | Checks if the public key of the certificate is strong enough. |
| 11 | Web Security | Certificate Score | Signature Algorithm of Certificate | Checks if the signature algorithm in the certificate is strong enough. |
| 12 | Web Security | TLS Setup Score | TLS Version | Checks if modern TLS versions (TLS 1.2 and 1.3) are enabled and old TLS/SSL versions are disabled (SSL 2.0/3.0 and TLS 1.0/1.1). |
| 13 | Web Security | TLS Setup Score | TLS compression | Checks if TLS compression is accepted; it should not be. |
| 14 | Web Security | TLS Setup Score | Secure Renegotiation | Checks if Secure Renegotiation is enabled. |
| 15 | Web Security | TLS Setup Score | OCSP Stapling | |
| 16 | Web Security | TLS Setup Score | Client Init Renegotiation | Checks if client-initiated renegotiation is disabled. |
| 17 | Web Security | TLS Setup Score | ECDH Key Exchange | Validates that the cipher suites offered contain strong key exchange algorithms. |
| 18 | Web Security | TLS Setup Score | Cipher Availability | Validates all the cipher suites offered by the server and scores them, based on recommended practices, as Deprecated, Acceptable or Recommended. |
| 19 | Web Security | TLS Setup Score | Key Exchange Parameters | Verifies that the server provides sane key exchange parameters. |
| 20 | Web Security | CAA Score | CAA record existence | Checks if the domain has one or more valid CAA records, including verifying that they have valid syntax. |
| 21 | Domain Security | DNSSEC Score | DS record existence | Verifies the domain has one or more valid DS records. |
| 22 | Domain Security | DNSSEC Score | DNSKEY record existence | Verifies the domain has one or more valid DNSKEY records. |
| 23 | Domain Security | DNSSEC Score | DS DNSKEY record matching | Verifies the domain has at least one DS record matching the detected DNSKEY records, and that they establish a secure delegation. |
| 24 | Mail Security | DKIM Score | DKIM record existence | Checks if the domain has one DKIM record, and if it is syntactically correct. We use three common DKIM selector patterns to look for this type of record. |
| 25 | Mail Security | DMARC Score | DMARC record existence | Checks if the domain has a DMARC record, and if it is syntactically correct. |
| 26 | Mail Security | DMARC Score | DMARC policy | Checks if the domain has a DMARC record with a valid policy. |
| 27 | Mail Security | SPF Score | SPF record existence | Checks if the domain has a correct SPF record. |
| 28 | Mail Security | SPF Score | SPF policy | Checks if the domain has an SPF record with a sufficiently strict policy. |
Each of the metrics above generates a score between 0 (no capability detected) and 100 (capability detected and validated). The domain score is the average of these 28 metrics.
Scorecard example – weare.ie
Let’s use our website weare.ie to show and explain the scorecard. For brevity, we are going to show the 10 score groups, rather than 28 individual metrics.
| Score group | Score | Explanation |
|---|---|---|
| CAA Score | 100 | We have a CAA record in the DNS detailing the list of Certificate Authorities authorised to create certificates for our domain. |
| Certificate Score | 100 | The certificate on our website can be validated and uses a strong public key and signature algorithm. |
| HTTP Security Header Score | 50 | We enabled half of the required security headers. |
| HTTP Security Score | 100 | Our website uses HTTPS, and when a client tries the plain HTTP site it gets redirected to HTTPS. |
| TLS Cipher Score | 75 | Most of the ciphers offered by our web server are Acceptable or Recommended. |
| TLS Setup Score | 100 | We only support TLS 1.2 and TLS 1.3. |
| DNSSEC Score | 100 | Our domain is properly signed with DNSSEC. |
| DKIM Score | 0 | We do publish a DKIM record, using a selector pattern not covered by our probing. This will be fixed soon. |
| DMARC Score | 100 | DMARC record is set and validated. |
| SPF Score | 60 | SPF record is set, but we don't get the full score because our policy is a little bit permissive, which will be fixed soon. |
| Domain Score | 84.6 | This score is the average of the 28 individual scores, not of the group scores above. |
With the right data at hand, and the rules to allocate points, we can produce the scorecard for all .ie domains active during 2022, as there is data available starting from January 2022.
To simplify the domain score further, we translate the numeric score into a letter grade, using Ireland's grading bands below:
- A (excellent) if the score is above 70
- B (very good) if the score is between 60 and 70
- C (good) if the score is above 50 and below 60
- D (satisfactory) if the score is above 45 and below 50
- E (sufficient) if the score is above 40 and below 45
- F (failing) if the score is under 40
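To make the scoring concrete, here is an added example (not the registry's probing software) that scores the mail-security metrics 25 to 28 from the table above using DMARC and SPF TXT records, then averages 28 metric scores and applies the letter bands just listed. The exact rules for "valid policy" and "sufficiently strict", the treatment of band boundaries, and all record values are assumptions and constructed inputs, not the registry's definitions.

```python
# Added illustration (not the registry's probing software): scoring the post's
# mail-security metrics 25-28 from DNS TXT records, then collapsing the 28
# metric scores into the domain score and letter grade described above.

def dmarc_scores(txt):
    """Metrics 25/26 -> (record existence, policy). Assumption: p=none is a
    syntactically valid record but not a 'valid policy'; quarantine/reject earn 100."""
    if not txt or not txt.startswith("v=DMARC1"):
        return 0, 0
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return 0, 0  # the p= tag is mandatory; missing or unknown value
    return 100, (100 if policy != "none" else 0)

def spf_scores(txt):
    """Metrics 27/28 -> (record existence, strictness). Assumption: strictness is
    read from the last 'all' mechanism: -all=100, ~all=60, +all/?all/absent=0."""
    if not txt or not txt.startswith("v=spf1"):
        return 0, 0
    all_terms = [t for t in txt.split()[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return 100, 0
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return 100, {"-": 100, "~": 60}.get(qualifier, 0)

def letter_grade(score):
    """The post's grading bands. Assumption: each band includes its lower bound
    (exactly 70 is an A), since the post leaves the boundaries open."""
    for floor, grade in ((70, "A"), (60, "B"), (50, "C"), (45, "D"), (40, "E")):
        if score >= floor:
            return grade
    return "F"

def domain_score(metric_scores):
    """Domain score = plain average of the 28 individual metric scores."""
    return round(sum(metric_scores) / len(metric_scores), 2)

# Constructed input for a hypothetical domain, not measurements of any real .ie domain:
# web metrics 1-19 pass, CAA (20), DNSSEC (21-23) and DKIM (24) score 0.
WEB_AND_DNS_METRICS = [100] * 19 + [0] * 5
DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net"
SPF_TXT = "v=spf1 include:_spf.example.net ~all"

def score_example():
    """Combine the 24 constructed scores with the four mail metrics."""
    metrics = WEB_AND_DNS_METRICS + list(dmarc_scores(DMARC_TXT)) + list(spf_scores(SPF_TXT))
    score = domain_score(metrics)
    return score, letter_grade(score)  # (80.71, 'A')
```

Note how a softfail (`~all`) record still passes the existence metric but, under these assumed rules, only earns a partial strictness score, which is the same shape of outcome the weare.ie SPF row shows.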
Let’s look at the state of security of .ie domains using letter grades.
The plot above shows, using data collected during October 2022, that 53.21% of .ie domains are failing on security when using our scorecard, and only 0.5%, around 1,700 .ie domains, score an A. This is bad news: the measurements we do cover basic security practices for domains, and they are the minimum a domain should have.
Most of the low scoring can be explained by a meagre number of domains using CAA, DNSSEC, DKIM, and DMARC; over 75% of domains fail the HTTP Security Header Score and HTTP Security Score, and over 50% of domains fail SPF and both TLS scores.
Given this reality, we need to dig a little deeper into which domains are failing, as we don't think all domains are equal or have the same risk profile. Domains can be registered for portfolio building, intellectual property protection, as a placeholder for a business while it gets ready to launch, and for other motives. Is there a way to identify and separate domains based on this thinking?
Our data collection, powered by predictive models, allows us to identify which domains have a website we classify as High Content, meaning a working website rather than a placeholder or parked page. Separately, we know whether a domain has MX records, a strong indication that the domain is likely to accept email.
The figure above separates .ie domains into four categories:
- Those without a high-content website and no MX records represent 20% of the total, and this group scored 23.5 on average.
- Those without a high-content website but with MX records represent 35.26% of the total, getting an average score of 33.25. We suspect this high number of domains exists due to the automatic provisioning of MX records on registration by hosting providers.
- Those with a high-content website but no MX records represent 7.86% of the total, getting an average score of 39.84.
- Finally, those with high-content websites and MX records represent 36.93% of the total, achieving an average score of 49.94, which is a D.
We can clearly see that domains with no intention of use score, on average, half of what those intended for use score; still, all groups are under the C grade.
A new hypothesis comes to mind, what if we focus on domains based on their popularity, directly derived from user activity?
During this year, our team added a new and rich dataset that can be used to add a whole extra dimension to analysis: DNS traffic. With access to large amounts of DNS queries for .ie domains, we can derive a domain popularity ranking, and select domains based on that ranking. To avoid issues due to the variable nature of DNS activity, we generate the ranking for all domains per day in a month and then use the median ranking to group domains.
Are popular domains, those that are regularly used, more secure?
From the plot above, we focus on two groups: the top 10% most popular on the leftmost side and the bottom 10% most popular on the rightmost side. The top 10% achieve a mean score of 49.62 (D) and a median score of 53.27 (C). On the other side, the bottom 10% most popular achieve a mean score of 25.52 (F) and a median of 19.76 (F). These results allow us to conclude:
- Popular domains appear to use more security features than those rarely used, but in itself their score is not very high, just scratching a C.
- Popular domains have a higher median score than mean score, which signifies the scores are skewed to the left, towards the lower score values.
- The least popular domains have a higher mean score than median score, a clear sign the scores are skewed to the right, towards the higher scores.
Despite our best efforts, digging into domains in use or popular ones, the overall scorecard doesn't go above a C. We had the opportunity to compare the score between January 2022 and October 2022 and it is very similar, showing that without specific action, nothing changes.
How do we make things better?
There are a number of actions that hosting providers or .ie domain holders can take to improve their scoring.
To achieve a B and get into the top 10% of domains, you could:
- Ensure you have a good certificate, detecting and removing self-signed certificates.
- Enable DMARC and SPF.
- Do a good basic HTTPS Setup, following the guides from Qualys SSL Labs or Mozilla. This effort will remove old TLS protocols, increasing the TLS Setup Score.
- Clean up the list of accepted ciphers. The guides mentioned above include advice on this topic.
If you want to get ambitious and aim for an A and get into the top 0.5% of .ie domains, in addition to the actions for a B, you will need to:
- Add a CAA record
- Deploy DNSSEC for your domain
From our point of view, these actions are very achievable.
We have done the groundwork of collecting data, defining rules for scoring and producing a single metric to describe the state of security of a domain name. Once again, we appreciate the work done by Internet.NL because they influenced our policies and provided us with guidance.
Now, knowing where we stand, positive action can be taken to make .ie one of the most secure ccTLDs in the world.
If you want the golden nuggets to share, here is what we conclude from the October 2022 data:
- The top 10% of the most popular .ie domains get a score of C on average.
- 37% of .ie domains that have a high content website and mail servers, score a C on average.
- Only 10% of .ie domains achieve a B or better.
- Over 50% of .ie domains get an F on their scorecard.
All the above indicates that .ie domain holders lag in adopting modern security practices for domains.
We will keep gathering data and produce the scorecard on a regular basis. In the future we'll do outreach and communication work, advising the community on how to improve their scores. Stay tuned!
Sebastian Castro is our Data Scientist and leads our data analytics team.