North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: NSI's registrar db hacked
On Thu, 13 Apr 2000, Rodney Joffe wrote: > firstname.lastname@example.org wrote: > > > Nothing new here. Network Solutions has known about the MAIL-FROM problem > > for years, yet they refuse to do anything about it. > > Doh. Didn't realize it was the same old thing. This seems like such a > trivial problem to solve... > > a) force guardian (crypt-pw seems the most reliable) on all new domain > registrations > b) with NSI's next spam to their customer database, lead people forcibly > to guardian (crypt-pw again) > c) use a mail system that scales, so that 1 week delays don't happen. I don't understand where the problem is with authenticating based on email address, if they simply did it right. Get a request from address X. Verify that address X should be allowed to change the record. Send an email back to X, requiring that they reply with a particular subject, or to a particular address, or go to a particular URL, etc. where "particular" is not guessable. You know, like mailing lists have been doing for years. It isn't that complicated. For people that have automated systems that send in forms, they can either specify a crypt-pw or use PGP and NSI could then not require the email validation or they could just have to modify their system to deal with it being done in a secure way. This does not require every record to be updated with an authentication scheme and is something that is more reasonable than PGP (is that working at NSI this week?) or, arguably, crypt-pw to use as a default. But hey, why should NSI care? This way they can get people to shell out $$$ after their domain is stolen to get it back ASAP.