Visualizing the Security Benefits of the Losing FOA for Domain Name Transfers

I’ve written extensively about the security implications of the “Losing FOA” step of domain name transfers. It’s the opportunity for registrants to “ACK” or “NACK” a pending transfer, before it completes. I wrote about this again yesterday,  and that post linked to all prior writings.

I wanted to give readers direct visual evidence of why the Losing FOA is so important as a security mechanism, so I intiated a transfer of a domain name from my company’s portfolio at Tucows/OpenSRS to GoDaddy. After I input the transfer code (currently called the “AuthInfo Code”, but it will be renamed the “Transfer Authorization Code” or “TAC”) at GoDaddy, Tucows/OpenSRS sent me (as registrant) an email, with a link to a page that would allow me to immediately approve the transfer (i.e. “ACK” it), or to reject the transfer (“NAK” it). Here’s a screenshot:

Example of OpenSRS Losing FOA page, allowing registrants to accept or reject an outgoing transfer request
Example of OpenSRS Losing FOA page, allowing registrants to accept or reject an outgoing transfer request

As you can clearly see, the page contains text saying:

The domain name listed above will be transferred to:

New Registrar
GoDaddy.com, Inc.

and gives me the opportunity to accept the transfer, or decline it (I’ve just left things in a pending state for now; I’ll perhaps “ACK” the transfer in a few days).

Continue reading “Visualizing the Security Benefits of the Losing FOA for Domain Name Transfers”