Hello,

--- Josh Levine <[EMAIL PROTECTED]> wrote:
> Is it worrisome to anyone else that there's now a page that you can
> request to have any reseller's password emailed in plain text to the
> emergency contact address with no verification required whatsoever?
>
> I contacted OpenSRS support to ask them to disable this "feature" from
> my account, and I received this response:
I've been concerned about this issue too. In the rush to add "features", security has been weakened. Ideally, folks should be able to opt out of this. I know I would be the first to disable this. I'd only want a new password sent if there was *stronger* authentication, e.g. via a telephone call to the contact (OpenSRS calls the number on record to verify the request), or fax. E-mail has the security of a postcard. Does one want one's passwords sent via postcards?

Other features to enhance security would include:

1) Records of IP addresses of past logins (we only see the prior IP -- a history of all accesses might be better).

2) Stronger authentication of outgoing transfers, on an opt-in basis (e.g. telephone calls, or something).

3) Logins with certificates or other identifiers (to make it harder than just breaking a single password). 2-factor security, like RSA SecurID, perhaps.

4) Personal account managers (e.g. like NameEngine does, or Verisign Digital Brand Management, etc.). Someone who'll monitor an account and phone if there's any suspicious activity, e.g. transferring out a very high value domain would be an "exceptional" event. Perhaps opt in to extra fees for an "exceptional event", for greater security.

E.g. I own Seeds.com and some other high value domains... the only way they're leaving OpenSRS is if there's a big domain name sale... otherwise, they're at OpenSRS forever. I'd be willing to pay more... I'm sure some of the corporations who are managing name portfolios at OpenSRS (e.g. EDS, GM, various banks, Oracle) would want the utmost security too. They'd likely want to see human intervention and confirmation if there was a transfer of GM.com, for instance.

Sincerely,

George Kirikos
http://www.kirikos.com/
