Well, as promised I apologize for missing the notice. As for due diligence, I would need a way to see what other domain names are in the same profile so I can check for different owners before sending the password. That would be a nice feature anyway - to be able to search domain names by profile (enter one domain name, see what others are in the same profile). Or maybe not. I would want it restricted to the reseller of record for the domain name, but one profile can contain domain names registered by multiple resellers. Oh hell, the security problem is worse than I first thought - I can now think of a "rarer" scenario involving multiple owners, multiple resellers, and one profile.
I had one case before this change where a web design client was registering domain names for his customers in their own names, with their own addresses for admin contact, but keeping all the domain names in one profile with his username and password so he could manage them. One of the owners asked me for the password, and I sent it as required. Luckily I also contacted the client. He was mad at me for sending the password to the owner of record. I told him the admin contact always has the right to request the password, and to never combine domain names with different admin contacts into the same profile.

----- Original Message -----
From: "Charles Daminato" <[EMAIL PROTECTED]>
To: "Chuck Hatcher" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, December 13, 2002 10:21 AM
Subject: RE: Sending login information to Owner contact...

> Hey Chuck :)
>
> This is an interesting scenario, but likely rare. The reseller should
> perform some form of due diligence before sending any access credentials
> (and only you can "click" that link, or allow it to be clicked through the
> API - and even then, only for your domains).
>
> This was announced, and there are also release notes on the issue. It may
> not have been as clear as it could have been (apologies)
>
> <snip>
> **Registrant as well as Admin Contact can be e-mailed the
> user/name and password. At the Reseller's discretion, the
> Registrant as well as the Admin Contact for a domain name can be
> e-mailed the user name and password. Resellers may enable this
> functionality via the RWI or an API call.
>
> and
>
> http://releasenotes.resellers.tucows.com/mrDec02
> </snip>
>
> Cheers :)
>
> Charles Daminato
> OpenSRS Product Manager
> Tucows Inc. - [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Chuck Hatcher
> > Sent: December 13, 2002 10:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: Sending login information to Owner contact...
> >
> > Here's another change that took me by surprise:
> >
> > In the RWI we now have the option to send the username/password to the
> > owner contact.
> >
> > I don't disagree that the owner contact has the right to modify the
> > registration record. After all they are the owner. But this change could
> > have unintended security consequences.
> >
> > Assume, for example, that party A is the admin contact for, but not the
> > reseller for, domain names owned by parties B and C. For easier
> > management, party A has put the domain names in the same profile. In the
> > past this was somewhat safe because only the admin contact could obtain
> > the username and password. Now, assume party B contacts the reseller
> > listed in the whois to obtain the username and password for his domain,
> > and the reseller sends it to him. He logs in, and now can modify party
> > C's domain name.
> >
> > This scenario could easily be prevented if party A knew it wasn't safe to
> > combine domain names of different owners into the same profile. But the
> > fact that this is a new change to the way things have been done in the
> > past means party A may never find out about it.
> >
> > There are two points to my post:
> >
> > 1. Resellers, be aware of the change and take appropriate precautions, and
> >
> > 2. Where are all these unannounced changes coming from? Let us know when
> > you change something, okay? (I'll apologize if you did and I just missed
> > it.)
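The due-diligence check discussed in this thread, sketched as an added example (not part of the thread and not OpenSRS code). The `Domain` record, the party and reseller names, and the profile listing it takes as input are constructed assumptions; that listing is the lookup the message above asks for.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    name: str
    owner: str      # owner (registrant) contact
    admin: str      # admin contact
    reseller: str   # reseller of record

def review_credential_request(profile, domain_name, recipient, my_reseller):
    """Decide whether mailing the profile's login to `recipient` is safe.

    Returns (decision, exposed, unverifiable):
      exposed      - other domains in the profile where the recipient is
                     neither owner nor admin contact
      unverifiable - domains held through another reseller, whose contacts
                     this reseller cannot inspect
    """
    target = next((d for d in profile if d.name == domain_name), None)
    # Only act on our own domains, and only for that domain's owner or admin.
    if target is None or target.reseller != my_reseller:
        return "refuse", [], []
    if recipient not in (target.owner, target.admin):
        return "refuse", [], []
    exposed, unverifiable = [], []
    for d in profile:
        if d.name == domain_name:
            continue
        if d.reseller != my_reseller:
            unverifiable.append(d.name)   # multi-reseller profile
        elif recipient not in (d.owner, d.admin):
            exposed.append(d.name)        # login would reach a stranger's domain
    decision = "send" if not exposed and not unverifiable else "hold"
    return decision, sorted(exposed), sorted(unverifiable)

# Constructed profile: party A is admin contact for domains owned by B, C and D,
# and the D domain was registered through a different reseller.
PROFILE = [
    Domain("b-example.test", owner="party-b", admin="party-a", reseller="reseller-1"),
    Domain("c-example.test", owner="party-c", admin="party-a", reseller="reseller-1"),
    Domain("d-example.test", owner="party-d", admin="party-a", reseller="reseller-2"),
]

if __name__ == "__main__":
    print(review_credential_request(PROFILE, "b-example.test", "party-b", "reseller-1"))
```

A "hold" result means the reseller should contact the profile's manager or have the domain moved to its own profile before any login is mailed.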
