The importance of the online customer portal provided by the LK Domain Registry cannot be overstated. Accessible via www.nic.lk, it plays a pivotal role for government agencies, semi-private and private establishments (e.g.: IMMIGRATION.GOV.LK, SLT.LK, COMBANK.LK), and other big or small businesses utilizing the “LK” Country Code Top Level Domain. However, it’s unfortunate the portal lacks the necessary security, reliability, and design standards that a mission-critical platform of its kind should possess. In previous posts, I highlighted the concerning state of information security standards in Sri Lanka and discussed frustrating e-commerce websites in the country. In today’s post, I want to address three critical areas where the online customer portal of the LK Domain Registry falls short. I genuinely hope that the relevant authorities will take action to rectify these issues soon.
The Absence of Two-Factor Authentication
When developing a secure website, like an online customer portal, it’s essential to address security aspects on both the server and client sides. For instance, server-side security involves elements like network firewalls, while client-side security includes features such as Two-Factor Authentication (2FA). In today’s threat landscape, 2FA is pivotal in defending online assets from client-side attacks like social engineering, phishing, and brute-force attempts. Notably, the absence of 2FA in the LK Domain Authority portal leaves client accounts vulnerable. If an attacker manages to access a client’s account using stolen credentials, they could swiftly point all the domains within that account to rogue name servers (NS Records) used by malicious websites to host drive-by attack malware. This straightforward method avoids the need for intricate DNS Poisoning techniques, ultimately saving the attacker time and effort.
Note: Indeed, on February 6th, 2021, several users that accessed GOOGLE.LK and some other websites managed by the LK Domain Registry were taken to an L.T.T.E propaganda page. This appeared to be the result of hacktivist actions. The attackers spoofed the DNS records of the affected websites to achieve this redirection. [Full Story]
Unresolved Bugs Affecting Crucial Functions
On the 23rd of this month, I volunteered to clean up a hacked website and subsequently shift it to a more dependable web hosting service. Upon completing the task, I linked the restored site to CloudFlare for the first time. If you’re familiar with CloudFlare, you’re aware that the setup necessitates pointing the NS Records to those specified by CloudFlare’s network, a step I duly followed. The NS Records propagation concluded within a few hours, promptly restoring the site’s functionality. However, upon checking today (29th), I found the site entirely inaccessible, with the likely culprit being the NS Records. Upon investigation, I discovered the NS Records were inexplicably absent. Logging into the relevant LK Domain Registry account revealed that the NS Records had been removed. After promptly reconfiguring them, the site regained operation within a few hours. Presumably, a bug affecting the customer accounts had removed the name server records.
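Both failure modes described so far, name servers repointed after an account takeover and name servers silently removed, show up as drift from the NS set the domain owner approved. The following is an added example, not code from this post or from the LK Domain Registry: it compares polled `dig +short NS <domain>` output against a baseline. The host names, poll labels and function names are constructed for illustration.

```python
# Added example: NS delegation drift check. All host names are constructed.
EXPECTED_NS = {"ada.ns.example.net", "bob.ns.example.net"}  # approved baseline

def parse_dig_short(output):
    """Normalise `dig +short NS <domain>` output to a set of lower-case host names."""
    hosts = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):  # skip blanks and dig comment lines
            hosts.add(line.rstrip(".").lower())
    return hosts

def classify(expected, observed):
    """Return (status, unexpected, missing) for one observation of the NS set."""
    expected = {h.rstrip(".").lower() for h in expected}
    unexpected = sorted(observed - expected)
    missing = sorted(expected - observed)
    if not observed:
        status = "MISSING"   # no NS records at all: the outage case
    elif unexpected:
        status = "CHANGED"   # unapproved name servers: possible account takeover
    elif missing:
        status = "PARTIAL"   # some approved servers dropped
    else:
        status = "OK"
    return status, unexpected, missing

# Constructed poll results: (label, raw dig output)
SAMPLE_POLLS = [
    ("poll-1", "ada.ns.example.net.\nbob.ns.example.net.\n"),
    ("poll-2", "ADA.ns.example.net.\n"),
    ("poll-3", ""),
    ("poll-4", "ns1.rogue.example.\nns2.rogue.example.\n"),
]

def status_changes(polls, expected):
    """Report every poll whose status differs from the previous poll's status."""
    alerts, previous = [], "OK"
    for label, raw in polls:
        status, unexpected, missing = classify(expected, parse_dig_short(raw))
        if status != previous:
            alerts.append((label, status, unexpected, missing))
        previous = status
    return alerts

if __name__ == "__main__":
    for alert in status_changes(SAMPLE_POLLS, EXPECTED_NS):
        print(alert)
```

An empty answer can also mean the lookup itself failed, so a real monitor should confirm a MISSING result with a second query before alerting.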
A Far Cry from Industry-Standard Web Design
While the NIC.LK customer portal, a website of national importance, boasts a minimalist design, I don’t fault the agency for this choice. Perhaps the focus was on prioritizing performance over aesthetics. Upon inspecting the websites of NIC.IN and SGNIC.SG, counterparts in India and Singapore respectively, I noticed they also follow a minimalistic design approach. However, I cannot overlook the fact that NIC.LK hosts its blog on Blogger. In my opinion, it comes across as unprofessional and doesn’t align with the website’s overall tone. It’s really out of place; I wish they had either custom-developed the blog section or removed it entirely. It falls significantly below the industry standards of web design, and it’s quite disrespectful to the talented and skilled web developers in Sri Lanka.
In conclusion, the LK Domain Registry’s online customer portal, though pivotal for various entities, suffers from glaring deficiencies. The absence of Two-Factor Authentication poses security risks, while unresolved bugs undermine functionality. Deviating from industry norms, the incongruous blog section mars the platform’s professionalism. Urgent action is necessary. Addressing security gaps, rectifying technical issues, and adhering to modern design standards are imperative. This would ensure a secure, reliable, and user-friendly environment, upholding the portal’s significance. Authorities must promptly act to exemplify the commitment to excellence and user security. The portal can then genuinely serve as a valuable asset for Sri Lankan government agencies, businesses, and individuals, aligning with the nation’s online objectives.