IP: NSI eliminates all security on domain registrations

[Dave Farber <farber () cis upenn edu>]

> To: farber () cis upenn edu
> Subject: NSI eliminates all security on domain registrations
> From: "Perry E. Metzger" <perry () piermont com>
> Date: 03 Jul 2000 09:46:14 -0400
>
>
> For IP, originally sent to my cryptography list...
>
> --
> Perry E. Metzger                perry () piermont com
> --
> "Ask not what your country can force other people to do for you..."
> ------- Start of forwarded message -------
> Date: Sun, 2 Jul 2000 19:36:16 -0700
> To: Openpgp <openpgp () openpgp net>
> From: Dave Del Torto <ddt () openpgp net>
> Subject: Re: Has RSADSI Lost their mind?
> Cc: Lucky Green <shamrock () cypherpunks to>, ukcrypto () maillist ox ac uk,
>         cypherpunks () openpgp net, cryptography () c2 net,
>         CYBERIA-L () LISTSERV AOL COM, linux-ipsec () clinet fi
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> An amusing if merely semi-related followup...
>
> Network Solutions, Inc. (recently acquired by VeriSign for umpteen
> hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE"
> toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty
> of lead time for all you multidomain admins, right?) they're removing
> virtually all handle and domain security, because: "Security for our
> customers has always been a top priority at Network Solutions."
>
> Uh... come again with that undoubleplusgoodbarspeak, please?
>
> Now, if you can wipe the tears of joy from your eyes, you'll see this
> means that the two "secure methods" for domain management they've
> ostensibly been offering for years, i.e. "CRYPT-PW" (which was always
> suspect anyway: they left some chars of your hashed "password" in the
> clear to make ::mumble-mumble:: easier for their Customer Service
> people), and "PGP" (which never really worked anyway as you know if
> you're one of the ~6,000 cypherpunks who tried to log a key and use
> it), are going to be ratcheted down to "MAIL-FROM".
>
> Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies
> to all domains they have in their registry, because it's the new
> "enhancement" to their Guardian service. If you're got a minim of
> grey matter left in your cranium, you can probably guess that this
> means they're soon going to offer another "enhancement" (this one you
> pay for) involving X.509v3 keys...
>
> But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):
>
> > > ..."NSI is enhancing "Mail-From" with an additional e-mail security
> > > check. Specifically, NSI will e-mail a validation request to the
> > > specific administrative and technical contact listed for a domain
> > > name before making any modification to that domain name."  ...
>
> Yep, you've got the idea now: if you want to hijack a domain from an
> NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll
> be forced to spoof the email _twice_. Ouch! They're really puttin'
> the screws on them nasty "hacker" types, huh? Whew!
>
> If you were confused by this (and when was a message from NSI ever
> not confusing?), naturally you'll go to their website to learn more:
>
> > > To make modifications easier, we provided easy-to-follow
> > > instructions on our web site at:
> > > <http://info.networksolutions.com/go/h/security/guardian/>
>
> ...where, among the gobbeldygook, in FAQ#4 "What is PGP?", they have
> a moribund hyperlink in the explanation to the "PGP website."
> Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe
> you had to be there back in the day to really appreciate the humor of
> this, but after 4+ years of trying to get N$I to make the PGP option
> work, _I_ found this kinda funny myself...
>
>     dave
>
> PS: <http://www.opensrs.org> ...'nuff said.
>
>
> ___________________________________________________________________________
> "And now: we'll be back after a few subliminal messages from our sponsors."
>
>
> ------- End of forwarded message -------