> Are you keeping OpenSRS passwords in your database, or merely passing them
> through your "glue logic"? If you are storing them, I submit that this is
> the sort of security problem that OpenSRS should most be worried about -
> RSPs that store customers' OpenSRS passwords in their own databases.
>
> A far too probable scenario: Someone hacks into a prominent open RSP
> reseller and steals OpenSRS passwords (very possibly without the reseller
> being aware that he was hacked). Then, just for grins, the intruder screws
> with, or hijacks, hundreds or even thousands of domain registrations. Short
> of having the OpenSRS internal database hacked, this would have to be one of
> their worst nightmares. If it's not already, I think this type of reseller
> "security" system should be forbidden in the reseller agreement.

If someone hacks the computer where you run your registering stuff, it
doesn't matter anyway. The hacker just puts a few lines in your client code,
which stores the info and emails it to the hacker, for example.
But imagine CC processing. If you have a merchant account, you are probably
given a URL through which the CC processing is done. It is NOT going
through your server. However, the OpenSRS system is now doing the opposite:
the CGIs run on YOUR computer, they go through your computer, your network,
you connect to the OpenSRS servers. You cannot avoid this! You, as a
reseller, CAN see all the data without much effort. It would be hard to forbid
access to this data... it would be something like "I will tell you now who
killed Kennedy, but do not listen to what I say - sign here: 'I will not
listen'...".
BTW, many of our clients do forget their passwords :-) At least 10%. And
interestingly enough, about another 10% SEND US THEIR PASSWORDS when they
cannot modify something, so that "you guys please do it for me, I am not
an expert"... No comment.
- Cs.