Nominet – The Missing Help Files

Registries

Nominet is a not-for-profit registry for all *.uk domain names (though it should be pointed out that it makes squillions and distributes surplus to charity).

A ‘Registry’ is an organisation that sets policies for the management of  (and maintains a database of ) all the domain names under its jurisdiction.

Clients who wish to register a domain name (‘Registrants’) don’t approach Nominet directly but go through a ‘Registrar’, a commercial company such as Moniker that’s authorised by Nominet to register domain names.

Confusing, huh?

The domain name extensions that Nominet oversees are:

* .co.uk
* .org.uk
* .net.uk
* .ltd.uk
* .plc.uk
* .me.uk
* .sch.uk

When you first register a co.uk domain name your details are automatically passed from your registrar to Nominet. Nominet will then send you an email (to the email address used when registering your domain) that goes something like this:

Thank you for choosing to register a .uk domain name. We are sending you this email to confirm that you now have a new account with us.

Your registrar manages your domain name for you and should be your first point of contact with any queries you may have. Your registrar is:

KEY-SYSTEMS-DE

http://www.Key-Systems.net

If you need the details of your Nominet account they are:

Account Name: Jo Blogs
Contact Name: Jo Blogs
Account Number: 364**773
Account Registrar: KEY-SYSTEMS-DE

Domain names on this account:

********.co.uk
********.co.uk

Personally I junk these emails. The Account Number they’ve sent doesn’t seem much use. Instead it’s the email address that you used to register your domain, perhaps termed the Registrant Contact or the Administrative Contact, that is your means of accessing your account.

To manage your Nominet account first go to Nominet

Log in

At the top right of the screen is a log in link:

Click on that and there’s a screen asking for an email address and password.

Don’t have a password?

You probably (almost certainly) won’t have a password at this stage. You panic. And miss the little line of text above that says, ‘Find out how to access your account’

Click on that link and you’ll get taken to another page where you can fill in the email address used to register your domain. You’ll then get sent (by email) a link to a secure page where you can set your password.

Phew!

Now you’re officially IN!

Email Addresses

There are two important points to note.

• Nominet initially bases everything on the contact email address that you specify when registering your domain name (presumably the admin contact, but I can’t be sure about that). If you register a domain name with a DIFFERENT contact email address then Nominet puts that in a different account, and you have to go through the whole business of setting a password for that account, too. Which can get confusing. If you want to transfer all your domains to one account it costs roughly £15 for the whole lot and is a pain-in-the-neck, jumping-through-hoops procedure.
• It’s possible to set up different user names for one email address once you’re within Nominet. I wouldn’t recommend doing it deliberately, but it’s easy enough to do accidentally. It makes administering your domain names even more awkward. If you have different user names you’ll be presented with something like this (rather confusing) screen when you first log in.

Yes, that shows two different accounts – one in the name of   ‘Some company or other’ and one for ‘Jo Bloggs’, both using the same email address. You have to click on one of the radio buttons to select the appropriate account. Notice that not all domain names are shown in any one account.

Also be aware that if you fail to renew domain names they go into a period of ‘suspension’ before being deleted from your account. During this period each domain name is given its own account. Therefore if you have several domain names due for renewal, when you log in you’ll be faced with a list of radio buttons. Clicking one button will take you to one account set up specifically for that domain name.

You have domain names up for renewal

There are 1 domain names on this account:
DOMAIN NAME
mysite.co.uk

You’ll panic, thinking ‘What happened to the rest of my portfolio of domain names’? Well, what you should have done – silly you – was enter one of your unsuspended domain names from your portfolio into the box at the bottom of the page.

Yes, it’s dreadfully, appallingly confusing.

And it doesn’t get any easier.

There’s no contextual help, the help files are crap anyway, and no one is going to mess around experimenting if they’ve got a portfolio of potentially valuable domain names (in case they make a mistake and lose one or all of them).

Fort Knox?

Once you’re in Fort Knox, what do you see?

Fort Knox?

I joke.

I’m no security expert, but as far as I can see anyone who has access to your emails (a stolen computer) or who can intercept your emails (a local network such as a hotel, an insecure wi-fi network, packet-sniffing) has a fair chance of stealing your domains. Remember that initial screenshot with the text  ‘Lost your password?’ Click on that link, enter your email address and within seconds an email is sent to you with a link that will take the recipient straight into the relevant Nominet account.

Dear Jo Bloggs

NOTE: This email contains important password information.

You have requested a password reset for your access to the Nominet online service, using the email address hello@jobloggs.com.

If you intended to do this, the following link will take you to a page where you can choose your new password. This link will expire in 24 hours.

https://secure.nominet.org.uk/auth/create-password.html?token=qJcTAAAAAW2-5TH

If you do not want to reset your password, please ignore this email and your password will not be changed.

The whole process takes less than a minute. Note that there were no security questions. Note that there was no need to enter the previous password when you changed to a new password.

You now ‘own’ that account.

A malicious intruder could then begin the process of transferring domains to another owner or cancelling the domains and trying to snap them up. The domain I cancelled was available in less than 12 hours. Out of interest here is a quote from Nominet itself:

Currently over 25% of cancelled domain names are re-registered within a day of cancellation, and 7% arere-registered within 10 seconds of cancellation.

And here’s another:

In our experience cancelled names with any measurable popularity are re-registered
within milliseconds of their becoming available.

There are some lame security questions within the bowels of your account (‘Your details / edit your security questions’)  such as ‘What was the name of your first school?’ and some impossible-to-remember security questions such as ‘What was the registration number of your first car?’ but these have absolutely nothing to do with transferring domains out. You don’t need security questions to transfer (or cancel) domains. In any case, once you’re in the account you simply click the big button labelled ‘Clear questions and Answers’ and that gets rid of whatever ‘security questions’ there were.

In other words (as far as I can see) anyone who has access to your emails – from a stolen computer, a compromised computer, an insecure WI Fi network, packet sniffing or a Trojan on a local network (a hotel, a business) – has a very high chance of stealing your domain names. And Nominet is only ever liable to pay out a maximum of £5000 compensation (item 29)

So what you must do is change the main administrative email. Go to Account Settings / Contacts, add a new email address, keep your name as the contact if you wish, and click the  ‘Set Main’ button. You’ll then be sent an email like this:

Thank you for choosing to register a .uk domain name. We are sending you this email to confirm that you now have an account with us.

Your domain name provider manages your domain name for you and should be your first point of contact with any queries you may have. Your provider is:

KEY-SYSTEMS-DE

http://www.Key-Systems.net

If you need the details of your Nominet account they are:

Account Name: Fred Bloogs
Contact Name: Fred
Account Number: 1234567

Domain names on this account:

mydomain.co.uk
thisdomain.co.uk
anotherdomain.co.uk

If you need any help managing your domain names or contacting your domain name provider you can call us on 01865 332244 or email nominet@nominet.org.uk for further advice.

For more information about Nominet UK please visit our website at http://www.nominet.org.uk.

Kind regards,

So now you go and try and log in, and find that you can’t.

And you panic – again.

And then you see this at the top of the page:

If you want to access Online Services for the first time OR if you have forgotten your password …

And so you plug in your new email address, and get the standard Nominet email sending you to a secure page where you can log in (and, of course, anyone who has access to that url within the standard 24 hours  can take control of your account instantly).

Anyway, having logged in, let’s take a look at the menu that’s now visible across the top of the Nominet site, starting with the menu item ‘Account’.

Account

The Account Summary sub-menu is the first thing you see (screenshot below) and allows you to  change various contact details etc.

Most of the other sub-menus allow you to do the same thing (but only one thing at a time e.g. you can change your organisation details, or your address etc.)

The last menu link, ‘Merge Accounts’,  allows you to merge accounts with the same contact email address and with similar (as in identical but misspelt) account names AND that have the same Registrar.

Quote:

A computer calculation is used to determine how similar account names are. If your accounts have different account names you will need to update these details so that the account names are the same before you attempt to merge them. You can do this by logging into online services, selecting the ‘Account’ tab and changing the account name. When your account names are the same you can try merging them again.

Merging accounts means putting everything under one account name. It can involve logging in and out of various accounts and changing each account name BUT this is then reviewed by a member of staff before you get the final go-ahead (which from my experience you won’t get) and so you have to transfer your own domain names to yourself, which is time consuming and awkward, even if it does only cost £15 all in.

Your Domains

Now let’s take a look at the ‘Your Domains’ menu.

Here’s the screenshot.

The Domain List sub-menu takes you to a list of all your domains, with the option to download an electronic certificate for each one.

The Registrar Change sub-menu is the start of the process of moving your domains from a non-cooperative Registrar (reading between the lines ) to the Registrar of your choice. The cost is the standard Nominet cost of all-you-can-eat for approximately £15 i.e. you can move as many domain names as you want for that price. There are at least ten steps in the process

The Registrant Transfer sub-menu begins the transfer of as many domain names as you want to someone else for the usual all-in price of roughly £15.

The Cancel Domains sub-menu is the nuclear option of instantly ridding yourself of domain names (for free).

Your details

The ‘Your Details’ menu is pretty self-explanatory.

You can change the admin contact details from the ‘Summary’ sub-menu (as shown above – ‘You have been assigned the following roles’), including the name and email address, but if you wish to add further contacts you need to use a different email address. It appears that contacts can be assigned roles, though it’s not immediately obvious how to do this – the two roles listed on the Nominet ‘help’ page are ‘Abuse’ and ‘Nominet Support’.

The screenshot below shows the details required when adding a contact.

Secure Messaging

Self-explanatory again – this is where you can send a secure message to Nominet staff.

Dispute Resolution

The dispute resolution menu begins the process of dispute resolution …

Summary

Every website tells a story, just as any store in the offline world tells its own story.

When we go into a store we subconsciously observe the shopfront, the store layout, the number of customers, the interior decor, the products for sale, the way the staff interact with customers and with each other, and we note the ambience, how busy the store is, the rate of change within that store and a host of other things.

Websites have just as many cues. We can note a website’s tone of voice, its level of professionalism, the navigation, the content, what are deemed to be priorities for the site, and we can even find out about traffic flows, backlinks and a ton more.

So what is there to say about the Nominet website?

It’s a clunky, linear, Kafkaesque site. Nothing is smooth, nothing is easy, nothing is obvious, nothing is intuitive. I  dread entering this site and trying to make any alterations to my account, because it feels as though one slip will leave me with two or more accounts, and since everything is so un-intuitive I dread messing up and losing a domain name.

This site is not by any stretch of the imagination Amazon – and yet, surprisingly, the organisation behind it is cash-rich (probably from its monopoly position). They could easily afford to do a lot better. They could get in some information architects and make the flow easier. They could explain their processes more simply.

But they don’t.

Clearly, they’re good-hearted (they give to charity) but they seem to be stuck in a bureaucratic time warp.

Security

Their security worries me. I asked for a password change and an email with a secure url was sent to my home computer. Armed only with that secure url I went to a friend’s house and took control of that account from that computer on a different ISP within seconds.

Literally.

All I did was create a new password.

I wasn’t required to enter an old password.

I then logged into the account using that new password.

And I had complete control of the account.

So if your computer’s stolen, start worrying.

Breaking into a ‘password protected’ PC operating system doesn’t seem to be difficult (try Googling it). A lot of people will have their email client set up to remember passwords since it’s too awkward pasting passwords in throughout the day. And bingo! Whoever stole the computer asks for a password change to be sent to ‘their’ email address and takes control of your Nominet account.

Suggestions for Nominet

• Make a professional website. The graphics look vaguely pretty circa 2004. But it’s not usable.
• Have some professional help files, preferably contextual. Even the biggest corporations are cottoning on to the fact that help files are meant to be easily understood and helpful (uh … not Google).
• Reconsider the whole way domain names are placed into different ‘accounts’ for the slightest reason.
• Drop the financial charges for anything out of the ordinary. This is the age of computers and automation. No  need to charge.
• Allow domain names to be renewed for one year, not two.
• Stop using email addresses as your only security measure. Seriously, stop it. Be grown up and use one proper password for one (just one) proper account.
• Put a hold on any account that has its password changed. Maybe for five days, so no domains can get transferred out. I lost count (literally) of the number of times I changed the password on my account as I tested its so-called security (with complete disbelief). There were no security checks.
• The unlucky user who’s managed to get different domains into different accounts (sigh) is faced with a choice of radio buttons when logging in. Give us a clue. Please. Help us out a little. Why not have popups listing all the domains in each account?

Verdict

Could do better.

A lot better.

3/10.