Interesting People mailing list archives
IP: NSI eliminates all security on domain registrations
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 03 Jul 2000 14:36:35 -0400
To: farber () cis upenn edu Subject: NSI eliminates all security on domain registrations From: "Perry E. Metzger" <perry () piermont com> Date: 03 Jul 2000 09:46:14 -0400 For IP, originally sent to my cryptography list... -- Perry E. Metzger perry () piermont com -- "Ask not what your country can force other people to do for you..." ------- Start of forwarded message ------- Date: Sun, 2 Jul 2000 19:36:16 -0700 To: Openpgp <openpgp () openpgp net> From: Dave Del Torto <ddt () openpgp net> Subject: Re: Has RSADSI Lost their mind? Cc: Lucky Green <shamrock () cypherpunks to>, ukcrypto () maillist ox ac uk, cypherpunks () openpgp net, cryptography () c2 net, CYBERIA-L () LISTSERV AOL COM, linux-ipsec () clinet fi Content-Type: text/plain; charset="us-ascii" ; format="flowed" An amusing if merely semi-related followup... Network Solutions, Inc. (recently acquired by VeriSign for umpteen hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE" toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty of lead time for all you multidomain admins, right?) they're removing virtually all handle and domain security, because: "Security for our customers has always been a top priority at Network Solutions." Uh... come again with that undoubleplusgoodbarspeak, please? Now, if you can wipe the tears of joy from your eyes, you'll see this means that the two "secure methods" for domain management they've ostensibly been offering for years, i.e. "CRYPT-PW" (which was always suspect anyway: they left some chars of your hashed "password" in the clear to make ::mumble-mumble:: easier for their Customer Service people), and "PGP" (which never really worked anyway as you know if you're one of the ~6,000 cypherpunks who tried to log a key and use it), are going to be ratcheted down to "MAIL-FROM". Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies to all domains they have in their registry, because it's the new "enhancement" to their Guardian service. If you're got a minim of grey matter left in your cranium, you can probably guess that this means they're soon going to offer another "enhancement" (this one you pay for) involving X.509v3 keys... But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):..."NSI is enhancing "Mail-From" with an additional e-mail security check. Specifically, NSI will e-mail a validation request to the specific administrative and technical contact listed for a domain name before making any modification to that domain name." ...Yep, you've got the idea now: if you want to hijack a domain from an NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll be forced to spoof the email _twice_. Ouch! They're really puttin' the screws on them nasty "hacker" types, huh? Whew! If you were confused by this (and when was a message from NSI ever not confusing?), naturally you'll go to their website to learn more:To make modifications easier, we provided easy-to-follow instructions on our web site at: <http://info.networksolutions.com/go/h/security/guardian/>...where, among the gobbeldygook, in FAQ#4 "What is PGP?", they have a moribund hyperlink in the explanation to the "PGP website." Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe you had to be there back in the day to really appreciate the humor of this, but after 4+ years of trying to get N$I to make the PGP option work, _I_ found this kinda funny myself... dave PS: <http://www.opensrs.org> ...'nuff said. ___________________________________________________________________________ "And now: we'll be back after a few subliminal messages from our sponsors." ------- End of forwarded message -------
Current thread:
- IP: NSI eliminates all security on domain registrations Dave Farber (Jul 03)