----- Original Message ----- From: "WebWiz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Monday, November 20, 2000 4:33 PM Subject: Re: Is DD script possibly more secure than RSP scripts? > I suspect that DD is maintaining its own internal database of usernames and > passwords, and validating against this before the auth request is passed on > to OpenSRS. You can do the same if you wish to build the code. Actually, Domain Direct Customers have a completely seperate password (unrelated to the OpenSRS username or Password) in order to login to a User Control Panel. Once logged into the Control Panel (where they can set up email accounts and the like) they can click on an icon which takes them to a seperate login to the manage.cgi. Here they must enter their OpenSRS username and password. Yes, as Chuck mentioned, Domain Direct customers who have an OpenSRS registered domain name (there are some whose Registrar is NetSol, Register.com et al.) can log into some Resellers site (assuming that it is a direct link to the manage.cgi) but then again, so can ANY OpenSRS registered domain name. I don't know how Domain Direct is more restrictive per se. Customers have a seperate login for the account features and an identical "jump point" to the manage.cgi. The short answer to the subject of the email is no. Regards, Chris Bolton > > I'm not sure I see how this is a security problem, though, as it only means > that someone with the username and password for a domain can make changes > (whether they pass through your site or mine, they've not gained any access > that they wouldn't already have with the username/password). Point being, > just because DD is *MORE* restrictive than the default doesn't mean that the > default is deficient. > > Regards, > Eric Longman > Atl-Connect Internet Services > > +-------------------------------------------------------+ > | Atl-Connect Internet Services http://www.atlcon.net | > | 3600 Dallas Hwy Ste 230-288 770 590-0888 | > | Marietta, GA 30064-1685 [EMAIL PROTECTED] | > +-------------------------------------------------------+ > ----- Original Message ----- > From: "A. I. Sinclair" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, November 20, 2000 4:10 PM > Subject: Is DD script possibly more secure than RSP scripts? > > > A difference in RSP scripts vs Domain Direct scripts was previously raised > and addressed. > > I stumbled across another which may or may not be regarded as a security > issue, but I know I am not too comfortable with it. > > In essence a user with a domain registered with Tucows through an RSP, can > use another RSP's site to log into the system and maintain their domain. > > So although someone is not your customer, they can still log into your site > hmmmm..... > > By contrast a user, cannot log into Domain Direct. However, I am not sure if > the reverse is possible, i.e. if a user who registered with Domain Direct > can log into an RSP's site. > > Of course I did not try any hanky-panky and not sure if it is even possible, > but then there are those (and I don't mean RSP's) who might get up to some > mischief. > > ais > > >
