Yes... Makes sense. However, there is an obvious solution: Our company policy is to change *ALL* passwords a given employee has access to when an employee leaves. This prevents an ex-employee from abusing this level of access.
Let's face it, email verification is hardly any more secure, since a departed employee can take the username/password for the mailbox and access it remotely as well, right? The vast majority of companies do not run their own mail servers, and those large enough to run an in-house mail server often have remote access to the mailboxes enabled anyway.

Next, we've got fax. Personally, I release passwords based on a faxed request on a fairly regular basis. It's not secure: any idiot can forge a fax, and unless I (as an ISP/whatever) have a valid fax and signature to compare it against, there is no way to validate its authenticity.

IMO, the username and password method is probably the most secure; SSL encryption can be and is used to protect the management page at OpenSRS, as it can be changed (faxes can be forged and there is nothing the victim company can do about it). Email verification is relatively secure; however, it leaves the relevant information in plain text, and it introduces another point of failure, the ISP in question. If you can compromise the email box (convincing someone at the ISP to release the password, via fax or phone call), then you own any resources which are "protected" by email verification.

I wouldn't mind seeing email verification of requested changes, but the can of worms that opens up on the support side (recovering lost email addresses AND lost username/passwords) means that it's probably not worth it.

----- Original Message -----
From: "Newfield Nethost" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, December 01, 2001 7:02 PM
Subject: Re: domain stolen from bulkregister to opensrs

> I'm afraid you've misinterpreted my comments..
> My point being that, although the user/pass ARE verified prior to logging into
> opensrs, there is NO verification procedure in place to transfer ownership,
> so a former employee who still retained access, or a hacker who may have
> gotten in, can "steal" the domain name as happened to the one who originally
> posted this question, OK?
>
> There is no backup authority required, either by fax or snail. The person who
> logs in can change the ownership data, and submit and propagate in real time.
> OK?
> tom
>
>
> ----- Original Message -----
> From: "Dave Warren" <[EMAIL PROTECTED]>
> To: "Newfield Nethost" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Saturday, December 01, 2001 2:06 AM
> Subject: Re: domain stolen from bulkregister to opensrs
>
>
> | So OpenSRS doesn't check username/password at all? I tried to change
> | contact information on my domains a few days ago, just a routine phone
> | number update, and the management interface rudely demanded a password
> | before it would let me make changes.
> |
> | Should I take this personally?
> |
> | What would you have OpenSRS do?
> |
> | ----- Original Message -----
> | From: "Newfield Nethost" <[EMAIL PROTECTED]>
> | To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> | Sent: Thursday, November 29, 2001 9:46 AM
> | Subject: Re: domain stolen from bulkregister to opensrs
> |
> |
> | > OPENSRS is one of those that make it easy to steal a domain,
> | > because they require absolutely NO verification of identity when
> | > the registrant name is changed. Anyone who can get a name
> | > transferred to OPENSRS can edit the registrant name to anyone
> | > they choose.
> |
> | --
> | The nice thing about standards, there is enough for everyone to have their own.
> |
> |
>
--
The nice thing about standards, there is enough for everyone to have their own.
