Huh the problem is not so much with NSI but with the owners.
Personally I think the owner is responsible if he set up MAIL-FROM
authentication because he is too lazy to read one or two pages with
explanations.
And the problem is even bigger - personally I found an absolutely
different way of vulnerability, and after I sent an e-mail
to the owner of a domain name that his name could be hijacked
very easily - I didn't get any response - so the owners also don't care.
Well I hope others will not find the hole I am talking about,
just because the vulnerable service provider couldn't fix it.
That's why I am laughing every time such a thing happens and
how people then give interviews, etc. about how the things
are not secure - but the owners should care more for the
stuff they "own".
(BTW I had ICQ UIN 53000000 and it was hijacked, too,
and it was my fault - and the fault is that I am not familiar
with the Windows OS. When a domain name is hijacked
in most cases it is the owner's fault, too. And UIN 5300000
is for sale now and I can't do anything because ICQ's
responsiveness is worse than that of NSI :)
Regards,
Doytchin Spiridonov.
Swerve wrote:
> Yes, Bill, don't do business with NSI.
>
> However, the systems in place at other registrars, including opensrs.org,
> should have increased levels of security, for domains that are extremely
> important to people.
>
> Josh M
>
> > From: bill@daze.net
> > Date: Thu, 1 Jun 2000 12:05:00 -0700 (PDT)
> > To: Swerve <shwa@swerve.com>
> > Cc: john@macleodweb.com, discuss-list@opensrs.org
> > Subject: Re: "Domain Names Hijacked" news article
> >
> > FYI, it's not a problem with OpenSRS.
> >
> > It's just a known security hole in Network Solutions registrar's e-mail
> > modify template when using "mail-from" authentication.
> >
> > On Thu, 1 Jun 2000, Swerve wrote:
> >
> >> Imo, responsive registrars should offer multiple levels of security to
> >> prevent this. Including digital password protection, +secure email
> >> confirmation,
> >> and perhaps extended security involving photo i.d.'s and/ or other non
> >> digital methods for domain names that require IronClad security. Names that
> >> might require this, are names that the owner themselves would almost never
> >> transfer ownership of, and if ownership transfer was required, the owner
> >> wouldn't mind jumping thru hoops to allow for a transfer. I would be
> >> content to pay a small fee for each domain that had the highest level of
> >> security.
> >>
> >> Imo, this is a very serious issue that needs to be dealt with asap.
> >
> > Just don't do business with NSI Registrar.
> >
> >> regards,
> >>
> >> Josh M
> >
> >
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:37 EDT