Let's Encrypt certificates make .nl more secure, but also more dependent

Nearly 75 per cent of domain validation (DV) certificates in .nl are from a single issuer

Over the last nineteen months, the number of .nl websites secured with SSL/TLS certificates rose by nearly 50 per cent to 1.33 million. Although widespread certification is boosting internet security, it's also apparent that the .nl domain is becoming increasingly dependent on one particular certificate authority. Let's Encrypt is the most widely used and fastest growing issuer of certificates for .nl websites, even though website owners often switch issuers. In this blog post we discuss these developments with reference to several graphs, which we're publishing today on stats.sidnlabs.nl. Going forward, the graphs will be updated automatically as more measurement data is gathered.

What is a TLS certificate?

Communication between a web browser and a web server can be secured using the Transport Layer Security (TLS) protocol, the successor to the much better known SSL protocol. In order to establish a TLS connection, you need a TLS certificate: an electronic document certifying that a server's cryptographic key material is genuine and is actually linked to the domain name associated with the server. When contact is made, the server sends a TLS certificate to the client (e.g. an internet user's browser). The client uses the certificate to verify the identity of the server and confirm the authenticity of the key it has sent. The client then uses the validated key to encrypt all the data sent to the server. The data can be decrypted only by the server, because no one else has the private key that matches the public key specified in the certificate. All the interaction between client and server is automated; the only evidence of it normally seen by the user is a padlock icon in their browser's address bar.

How do I get a TLS certificate?

A TLS certificate is issued by a Certificate Authority (CA). Browsers trust a large number of CAs – and therefore the certificates they issue – by default. If you've got Firefox, for example, you can check the default trusted CAs by selecting Options > Privacy & Security > View Certificates. Prominent CAs include Let's Encrypt (see below), Comodo and DigiCert. There are various types of TLS certificate, which differ in terms of how the CAs validate certificate applicants' details. Domain validation (DV) is the most common type. With DV, the CA merely checks whether the applicant genuinely has control over the domain name for which a certificate is requested. The other certificate types are organization validation (OV) and extended validation (EV). With those types, the CA validates the applicant's details more thoroughly. Consequently, OV and EV certificates are generally a lot more expensive than DV certificates.

Growing significance of TLS certificates

In recent years, the significance of internet security and privacy has steadily increased. The drivers have included revelations that some governments intercept internet traffic on a large scale. It's also easy for cybercrooks to steal data such as credit card details and logins when people patronise webshops that don't use encryption. In order to protect internet users against such threats, more and more providers now secure their online services by using TLS to encrypt traffic. What's more, the GDPR requires public bodies and companies to protect personal data. It's therefore good practice to get a TLS certificate for any website that processes personal data – which can mean something as 'innocent' as providing a contact form.

Let's Encrypt in .nl

Let's Encrypt is a non-commercial American CA that supplies domain validation (DV) TLS certificates. Its main aim is to make the internet more secure. In the short time since appearing on the scene in April 2016, Let's Encrypt has driven enormous global growth in the use of DV TLS certificates. The explanation is simple: Let's Encrypt supplies certificates for free and offers user-friendly automated application and renewal procedures. Figure 1, taken from our website stats.sidnlabs.nl, shows the current situation in .nl. The great majority of certificates used by .nl sites are issued by Let's Encrypt: nearly 75 per cent of DV certificates and nearly 71 per cent of all TLS certificates come from that one CA. The chart is based on all valid certificates detected in February 2020, excluding problematic certificates, such as those that have expired. Another striking feature of Figure 1 is that all but one of the identified CAs are US-based. The single exception is Trust Provider, a relatively small Dutch intermediate CA. However, even its certificates chain up to a DigiCert root certificate.

Figure 1: Overall certificate market shares.

We therefore set out to study the dominance of Let's Encrypt (and other CAs) within .nl over time, and to assess the potential implications.

Measurement methodology

We obtain data such as that presented in Figure 1 by using DMAP, a crawler that we've developed. All 5.9 million .nl domains are scanned on a monthly basis to check a hundred different properties, including website reachability and the CMS in use. The information is used to maximise the security and stability of the .nl zone, e.g. through our Registrar Scorecard incentive programme. For the purpose of our research, we focused exclusively on TLS certificates and domain names meeting the following criteria:

  • Certificate is not self-signed (untrusted)

  • Certificate subject matches the domain name

  • Certificate is issued by a trusted CA

  • Certificate has not expired or been withdrawn

  • Domain name does not redirect to another domain name

A TLS certificate that fails any of the first four criteria is invalid and therefore untrustworthy and unsuitable for inclusion in our research. We applied the fifth criterion (concerning redirection) to prevent some TLS certificates being counted twice. Application of the five criteria resulted in a set of 1.33 million websites using currently valid TLS certificates. If the criteria had not been applied, our dataset would have covered nearly 3.4 million domain names, most with problematic TLS certificates (e.g. certificates whose subject does not match the domain name). A TLS certificate's issuing CA is named in the 'Organization' attribute of the certificate's issuer field. In order to establish whether a website has switched CAs, we checked whether that 'Organization' attribute had changed between scans. The study described here is based on the monthly DMAP scans made in the period August 2018 to February 2020, inclusive.

Growth of Let's Encrypt in .nl

Figure 2 shows that the total number of .nl websites with valid TLS certificates increased by nearly 50 per cent over the last nineteen months, to just over 1.33 million. Most of the growth was accounted for by more than 355,000 new Let's Encrypt certificates, an increase of nearly 61 per cent. We also detected nearly 89,000 new certificates issued by other CAs, a rise of 29 per cent. By February 2020, Let's Encrypt's share of the overall TLS certificate market was almost 71 per cent. The 1.33 million sites equate to 36 per cent of all reachable websites linked to .nl domain names. The total number of reachable websites – that is, sites without redirects whose HTTP response status was 'ok' – was 3.7 million in February 2020.

Figure 2: Use of TLS certificates for .nl websites.

CA switching

Figure 3 shows the number of CA switches over the last nineteen months. The data relates exclusively to DV certificates, since we were interested mainly in the role played by Let's Encrypt, which issues only domain validation certificates. We distinguish three switching scenarios:

  1. Non-LE -> LE: A website switches from using a certificate issued by a CA other than Let's Encrypt to one issued by Let's Encrypt. As Figure 3 shows, these switches have been taking place at an average rate of roughly 5,200 a month since the end of 2018. That's exactly what one would expect: website owners taking the opportunity to make the easy change from a bought (and potentially expensive) TLS certificate to a free Let's Encrypt certificate.

  2. LE -> non-LE: A website switches from using a certificate issued by Let's Encrypt to one issued by another CA. Figure 3 shows that these switches are a little less common: an average of about 3,700 websites a month made this type of switch. The fact that some site owners choose to switch away from Let's Encrypt suggests that cost is not the only driver of switching. However, we have not investigated what other drivers may be at work.

  3. Non-LE -> non-LE: A website switches from using a certificate issued by a CA other than Let's Encrypt to one issued by another non-LE CA. Switches of this type gained popularity in the last twelve months, when they took place at a rate of 5,800 a month. Such switches may involve websites whose hosting arrangements make configuration of a free Let's Encrypt certificate difficult, with the result that less technically knowledgeable site owners are deterred from switching to Let's Encrypt. The owners of such sites are liable to stick with a CA whose certificates are available through their hosting service provider. Furthermore, professional organisations such as banks and government bodies are likely to attach more importance to factors other than cost (branding, reputation, etc.) when choosing a CA. A free TLS certificate may not project the right image for websites operated by such organisations.

Figure 3: CA switches.

Bulk certificate changes

A striking feature of Figure 3 is the peak in December 2019, which appears to be attributable to just two bulk changes (see Table 1). The first involved nearly 12,000 domain names that went from "Encryption Everywhere DV TLS CA - G2" to "Encryption Everywhere DV TLS CA - G1". Nearly all the IP addresses of the domains in question belonged to one particular autonomous system (AS), suggesting that a single hosting service provider changed the certificates for nearly 12,000 websites under its control.

Old issuer                                     New issuer                                      Number of domain names
---------------------------------------------  ----------------------------------------------  ----------------------
Encryption Everywhere DV TLS CA - G2           Encryption Everywhere DV TLS CA - G1            11,795
COMODO RSA Domain Validation Secure Server CA  Sectigo RSA Domain Validation Secure Server CA   5,723

Table 1. Two bulk certificate changes involving .nl sites in December 2019.

We weren't able to link the second bulk change (nearly 6,000 domain names) to a particular actor, since various ASs were involved.
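The following script is an added illustration, not part of the original post or of DMAP: it applies the five inclusion criteria from the methodology section to a constructed set of monthly scan records, classifies issuer changes into the three switching scenarios above, and tallies old-issuer/new-issuer pairs so that a bulk change like those in Table 1 stands out. The record layout, the `rec` helper and the sample data are assumptions made for the example.

```python
from collections import Counter

LE = "Let's Encrypt"   # issuer 'Organization' attribute used to identify Let's Encrypt

def rec(month, domain, issuer, subject=None, self_signed=False, trusted=True,
        expired=False, redirect=False):
    """One DMAP-style scan record (hypothetical layout, constructed for this example)."""
    return {"month": month, "domain": domain, "issuer_org": issuer,
            "subject": subject or domain, "self_signed": self_signed,
            "trusted": trusted, "expired": expired, "redirect": redirect}

# Constructed sample covering two scan months; not real .nl measurement data.
SCANS = [
    rec("2019-11", "a.nl", "DigiCert Inc"),      rec("2019-12", "a.nl", LE),                    # Non-LE -> LE
    rec("2019-11", "b.nl", LE),                  rec("2019-12", "b.nl", "Sectigo Limited"),     # LE -> non-LE
    rec("2019-11", "c.nl", "COMODO CA Limited"), rec("2019-12", "c.nl", "Sectigo Limited"),     # Non-LE -> non-LE
    rec("2019-11", "d.nl", "DigiCert Inc"),      rec("2019-12", "d.nl", "DigiCert Inc"),        # no switch
    rec("2019-11", "e.nl", LE, redirect=True),   rec("2019-12", "e.nl", "DigiCert Inc", redirect=True),  # excluded
    rec("2019-11", "f.nl", LE, subject="other.nl"), rec("2019-12", "f.nl", "DigiCert Inc"),     # Nov excluded
    rec("2019-11", "g.nl", "COMODO CA Limited"), rec("2019-12", "g.nl", "Sectigo Limited"),     # Non-LE -> non-LE
]

def is_valid(r):
    """The five inclusion criteria: not self-signed, subject matches, trusted CA,
    not expired/revoked, and no redirect to another domain name."""
    return (not r["self_signed"] and r["subject"] == r["domain"]
            and r["trusted"] and not r["expired"] and not r["redirect"])

def classify(old, new):
    """Map a change of issuer 'Organization' to one of the three switching scenarios."""
    if old == new:
        return None
    if new == LE:
        return "Non-LE -> LE"
    if old == LE:
        return "LE -> non-LE"
    return "Non-LE -> non-LE"

def ca_switches(scans):
    """Return (switches per (month, scenario), switches per (old issuer, new issuer))."""
    by_domain = {}
    for r in sorted(scans, key=lambda r: r["month"]):   # only valid records form a history
        if is_valid(r):
            by_domain.setdefault(r["domain"], []).append(r)
    scenarios, pairs = Counter(), Counter()
    for hist in by_domain.values():
        for prev, cur in zip(hist, hist[1:]):           # compare consecutive valid scans
            kind = classify(prev["issuer_org"], cur["issuer_org"])
            if kind:
                scenarios[(cur["month"], kind)] += 1
                pairs[(prev["issuer_org"], cur["issuer_org"])] += 1
    return scenarios, pairs
```

`pairs.most_common()` is the bulk-change view: in the sample, the COMODO-to-Sectigo pair dominates, the same kind of signal Table 1 shows for December 2019.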

Conclusion

Our first longitudinal TLS measurements show that the number of .nl websites using TLS certificates has increased substantially over the last nineteen months. Within that trend, Let's Encrypt was the dominant and fastest-growing certificate authority (CA). Increasing use of TLS certificates is good news for the security of .nl websites. However, the increased dependency on DV TLS certificates issued by a small number of big CAs (including Let's Encrypt) does entail a risk for the .nl zone as a whole. What would happen, for example, if Let's Encrypt were hit by a DigiNotar-style incident, or if the organisation's certificate issuance system went down for a prolonged period? Such scenarios are not implausible, in light of the recent discovery of a bug in Let's Encrypt's issuance system, which affected a large number of domains. The bug may have resulted in more than three million Let's Encrypt certificates being issued in error. Fortunately, only 2.6 per cent of active Let's Encrypt certificates were affected. We believe that a degree of diversity – in terms of CA, jurisdiction and technology – is desirable for large-scale distributed systems.

Further research

What we plan to do next is zoom in on website types (business, webshop, etc) and the associated TLS certificates. Can patterns in the choice of certificate type and CA, or in switching decisions, be explained on the basis of site type differences? We will certainly continue monitoring the use of TLS certificates for .nl websites in the period ahead and making the graphs and supporting aggregated data available on stats.sidnlabs.nl. If you've got a question about the research or its results, feel free to mail maarten.wullink@sidn.nl.