after updating contact information, 'resetting' the 60 day no-transfer-out rule
I feel dirty saying this, but I'm with GoDaddy on this one. It might be a violation of ICANN regulations, but it's also a really important step for protecting against domain hijacking.
Nothing good ever came from GoDaddy and nothing good ever will come from GoDaddy.
This "feature" didn't do anything to prevent the theft of css-tricks.com[1] and other domains, because why should someone who wants to steal a domain first change the contact information? Two-factor authentication would provide real protection, but that is $25/year at GoDaddy.[2] It's like mobile phone carriers: They have the technical means to block stolen phones from ever accessing the network again, but why would they do that, since every stolen phone equals a new sale?
No other registrar feels it's necessary to impose a 60-day lockout. Perhaps it adds the feeling of a tiny amount of extra "security" to an already secure process - but 60 days is ridiculous.
There is no way to shortcut this procedure if you are the legitimate domain owner. If you use a privacy guard to avoid publishing your name/address, then you will run into this issue:
You aren't allowed to transfer your domain away while the privacy guard is in effect, so you'll need to change your contact information. Bam! This triggers the instant 60-day lockout, during which time your full contact information is visible.
Domain registrars have a long history of making transfers hard. GoDaddy isn't the only registrar to do stuff like the 60-day lock. I just wrote up a piece on my blog yesterday about this very subject - http://www.byte.org/2011/12/26/evolving-the-domain-experienc...
As I recall, they also had a history of tricking people into updating their contact information shortly before the name in question was due to expire, forcing the owner to stay with GoDaddy.
I really disagree, as someone who has done domain names professionally for almost a decade. How many registrants are going to notice their whois info changed? Nothing changes with whois info in terms of functionality. 60 days, no big deal.
Besides, if I already have your account compromised, I probably have your email, that's how they are linked in the first place. It wouldn't be too hard in most systems to just initiate the transfer and hide that info from the user, or simply lock them out of their email. You think their domain registrar is the first place they will call when their email stops working? HELL NO. They have bigger concerns.
They are using a special email address for whois stuff? How often do you think they check that? Most people, not all that often. If I didn't subscribe to updates on my whois info from a third party, I wouldn't notice either, and it's my damn job.
We can't implement mindless policies to 'protect' people from themselves unless there are real tangible benefits to it and it's not simply self-serving. Of the major registrars, GoDaddy is the only one I know of implementing this policy and they've been hijacked numerous times. Their whois privacy even had a hole in it for years that is now fixed. It's not stopping the hijackings. Other registrars without that policy have better track records preventing domain hijackings.
I got screwed by this rule once, when a guy who was supposed to transfer a domain to me naively changed the contact info before trying to transfer it. It was infuriating, but I came to this same conclusion. It doesn't appear to be malicious, and I can see it really helping some people out.
I'm not surprised in the slightest that they're doing it again.