The mechanism will only email the customer if they're using your manage interface. So if you have it disabled, they won't be able to get that information. It only works with domains that you sponsor.
Charles Daminato OpenSRS Product Manager Tucows Inc. - [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Dave Wood > Sent: January 22, 2002 9:19 AM > To: [EMAIL PROTECTED] > Subject: Re: Some improvements we would like feedback on.... > > > > I would have expected that in order for the username/password to be mailed > out through the interface, it would have had to login to OpenSRS using the > RSP username/key, and if the RSP had that option disabled in his/her > interface, it would effectively be globally disabled. It seems to me like > it's a major security issue if anyone can have anyone's password mailed to > them. Even if it's used just to harass someone else's clients. So I for > one would like to see this fixed. > > Dave > > On Tue, 22 Jan 2002, Scott Allan wrote: > > > I guess my response would be that should someone's email account become > > compromised (or data sniffed), the ability to do all sorts of damage has > > always been there. I am not sure how to design against this - allowing > > registrants to have their U:P combo sent to them is a really useful > > feature, and is pretty standard. I can't think of a way that improves > > security without seriously compromising usability... PGP is nowhere near > > widely enough deployed - I guess we could let resellers globally disable > > this for their names, but that would likely not be an option that many > > would choose, therefore not greatly improving security (it > would of course > > allow those who desire greater security to have it). > > > > My understanding (perhaps wrong) is that plain text data (password) > > sniffing exploits are pretty rare - anyone violently disagree? It has > > always struck me as something that it is possible, but not > generally worth > > it. In this case, not only would you have to be able to > guarantee you could > > get all the mail sniffed, but also be familiar with the OSRS > manage system. > >
