At 2/25/03 4:56 PM, George Kirikos wrote:

>Just as a simple analysis, I'd say at present, to "steal" a domain name
>at OpenSRS that is protected by "best" practices requires the
>following:
>
>A) knowledge of reseller's username/password (to unlock domains),
>
>AND
>
>B) either (1) username/password of individual domain name, to change
>the admin email address, OR (2) hijacking of the existing admin email
>address (to authenticate transfers directly)
Actually, all you need is B), since it's an OpenSRS requirement that end-users be given the power to unlock their domains using the reseller's own manage.cgi or equivalent.

>This is a major REDUCTION in security

Keep in mind that many resellers, especially larger ones, have local copies of all the usernames and passwords anyway, so if you could get into a reseller's own systems, you would already have everything you need.

I suspect if someone stole a reseller's password, they'd probably be doing it not for the purpose of stealing existing domains, but for registering new domains for free. Stolen domains can always be put back to the rightful owner, eventually, but I doubt a reseller who is careless with his password would get his money back for the domains the thief registered.

Anyway, the tradeoffs seem worth it to me, and I'm glad OpenSRS is implementing this. Encouraging resellers to compete by offering excellent individual service (Hi Elliot!) without giving resellers the power to actually do things like update nameservers is silly. (And it's not okay to just ask the customer for the password; users should be trained to never give their password to people asking in e-mail messages -- most reputable companies go out of their way to say "we will never ask you for your password", and it looks really tacky to have to do so.)

As I said, many resellers simply store the username and password combo anyway to work around this, so all that the OpenSRS policy has really done is punish those resellers who haven't bothered to modify the scripts to store a local copy.

-- 
Robert L Mathews, Tiger Technologies

"A professional in an ape mask is still a professional." -Marge Simpson
