Six months of .ie exploration

.ie domains
Cybersecurity
Data analytics
by Sebastian Castro
11 May 2022

In October 2021 we started our work to understand the .ie namespace better by exploring the domains in the register. This includes retrieving the main web page for each domain, verifying if it supports HTTPS and other security features, and looking into the DNS for new records.

Since then, on a monthly basis, we have collected this data and enhanced it with some machine learning.

Let’s take a look at how .ie has changed in the last six months.

Registrations and web usage

Back in October 2021, there were 322,641 domains to explore, compared to March 2022 when 329,041 domains were scanned. This represents a growth of 1.98% in six months.

We try to fetch the main page of each domain, to discover if there is one, but also predict what type of content is set for the page following CENTR’s definition for low content sites. When you try to get a web page, a few things can go wrong, for example:

  • There is no address for a website
  • There is an IP address, but it can’t be reached
  • The website is not properly configured for the domain

In the end, we can categorise the web usage of a domain as follows:

  1. Unknown: No web page was fetched, due to a variety of errors explained above
  2. Not used: The page obtained represents a default web page for a specific type of software
  3. Blocked: The page indicates this is a suspended account
  4. Parked: Holding page was returned
  5. Upcoming: Under construction or CMS default page
  6. High Content: The page has some content, it doesn’t match any of the low content categories above

This is how it looks visually.

We can observe a couple of small variations, like a decline in the percentage of High Content sites, mainly explained by domain loss and existing sites deactivating their content, and small increases in Parked and Not Used categories.

When retrieving a page, not only does the content that the users see come with it, but also headers are included that help the browser make decisions. We can benefit from this hidden information and other signals in the page to identify the Content Management System (CMS) used to publish the page.

WordPress has a predominant market share within .ie, with 23.37% of sites built with it, although that market share shrunk a bit in the last six months. During the same period, Wix’s market share almost doubled, from 1.3% to 2.4%. Changes can be explained by the normal domain life cycle, where domains are deleted and registered. In particular, during this period, proportionately more new domains started using Wix, and a higher rate of deleted domains were using WordPress.

Secure websites

We have an explorer specially dedicated to detecting HTTPS support, in order to gain a deep understanding of its usage and determine if a domain is using a robust configuration. Apart from checking for support, we validate the certificate received, test for different versions of the protocol, and identify the use of good and weak ciphers, public key certificates and other security features. We reported on this extensively in a previous blog post: A first peek into .ie security status.

For each domain name, we provide four states:

No HTTPS: attempts to connect to a secure website failed for a variety of reasons.

  • DNS Error indicates we couldn’t find an address for the website
  • Connection time out indicates we tried to connect the address published in the DNS, but it didn’t reach the server
  • Server rejected the connection indicating we could talk to the website, but no secure service was available

Working HTTPS: the attempt to talk to the secure website was successful.

  • Here we report on which Certificate Authority generated the certificate for the site

Invalid Certificate: the attempt to talk to the secure website was successful, but the certificate offered couldn’t be validated.

  • Self-signed certificate indicates a public secure website using a certificate generated by their own organisation
  • Self-signed certificate authority indicates there is a CA in the certificate chain that can’t be validated

Expired Certificate: the attempt to talk to the secure website was successful, but the certificate has expired.

The slight increase in No HTTPS can be explained by the domain life cycle. Most of the new domains gained in the period don’t have a secure website, and this increase outmatches the number of domains that left the register with a secure website. Also, there were a few changes in domains that stayed registered but where their website moved from Working HTTPS to No HTTPS.

During probing, we checked if a domain supports more than one secure protocol, from the old SSL 2.0 to TLS 1.3. It’s good practice not to support SSL 2.0, SSL 3.0 and TLS 1.0 as they are considered deprecated. Instead, all sites should preferably use TLS 1.3 or TLS 1.2. Let’s see how things have changed in the last six months.

If we were to describe the situation with a scorecard, the .ie namespace will be evaluated as follows:

  • No domains supporting SSL 2.0. Score: failed, there are a handful of domains with it enabled
  • No domains supporting SSL 3.0. Score: failed, the same as the point above
  • TLS 1.0 is progressively disabled. Score: failed, we observe a growth of almost 4%
  • TLS 1.3 is progressively enabled. Score: pass, support grew by 3%, higher than the organic registry growth
  • TLS 1.2 is supported on all domains. Score: almost pass, as there are a handful of domains where the best protocol is not TLS 1.2

Our namespace is failing this test, we definitely need to do better as a community and adopt solid TLS practices for secure websites.

Other web security features

There are a number of extra web security features that, according to experts, are good to have as they increase the robustness of configuration. Let’s revisit these newer recommended settings:

  • Use Strong Key Exchange, where the recommendation is to use ECDH Exchanges
  • Use OCSP Stapling, an extension to OCSP Protocol where the server delivers information about the certificate revocation status
  • Use HSTS (HTTP Strict Transport Security), where the webserver indicates to a browser using this header that any insecure communication won’t be allowed
  • Use CAA (Certificate Authority Authorization), a DNS record that signals which Certificate Authorities are allowed to issue certificates for the domain
  • Use CSP (Content Security Policy), a mechanism that provides a policy to restrict mixed content (secure and insecure)

In the past six months, we can see tiny increases that can be mainly explained by organic growth. There is no intention or effort to improve things, other than the 4% increase in HSTS that can be explained by a number of existing domains enabling their websites and also domains changing web hosting providers.

Email security

As part of our previous blog, we used the DNS to discover if domains are using email security features. As a quick recap, this is what we look for:

  • SPF records, when present, help prevent others from spoofing your domain’s email
  • DKIM record, when present, helps the detection of email forgery
  • DMARC record, jointly with SPF and DKIM, allows the owner of a domain to be aware if forgery or spoofing has been attempted
  • MTA-STS, is a relatively new standard to signal the use of secure connections with TLS between mail servers

Definitely, a domain can have one without having the other. They all provide different levels of risk reduction, so let’s take a look at how the presence of those records has changed in this study period.

The largest change is the increase in support for SPF, which upon inspection, can be explained mainly by new domains registered in that period having the feature set, and a few thousand domains enabling it as well.

We’d like to offer you a different perspective on this data. Overall, 48% of .ie domains have SPF, but if we start counting domains that have just SPF, SPF and DMARC, and SPF with DMARC and DKIM, the numbers drop significantly.

Using the data for March 2022, this funnel plot can be explained as follows:

  • 35.28% of .ie domains ONLY have SPF
  • 3.01% of .ie domains have SPF and DMARC setup at the same time
  • 0.82% of .ie domains have SPF, DMARC and DKIM
  • There is a hidden 10.63% of .ie domains having both SPF and DKIM, but no DMARC

Ideally, we would like to see a higher than 0.82% of .ie domains using all three technologies. It seems clear domains tend to follow the first law of Newton: A force needs to be applied to change their inertia.

Epilogue

This close look into high-level security features and web usage of .ie domains leaves us with a higher interest in seeing these metrics improve. So far, changes are happening organically and slowly, and security levels of adoption are low. We are open to sharing this information in detail with our stakeholders to shift the needle towards better outcomes: high adoption of security features in the .ie namespace.

Read more about the range of critical services we do which underpin the .ie namespace – Technical Services 

Sebastian Castro is our Data Scientist and leads our data analytics team.