I would have expected that in order for the username/password to be mailed out through the interface, it would have had to login to OpenSRS using the RSP username/key, and if the RSP had that option disabled in his/her interface, it would effectively be globally disabled. It seems to me like it's a major security issue if anyone can have anyone's password mailed to them. Even if it's used just to harass someone else's clients. So I for one would like to see this fixed.
Dave

On Tue, 22 Jan 2002, Scott Allan wrote:

> I guess my response would be that should someone's email account become
> compromised (or data sniffed), the ability to do all sorts of damage has
> always been there. I am not sure how to design against this - allowing
> registrants to have their U:P combo sent to them is a really useful
> feature, and is pretty standard. I can't think of a way that improves
> security without seriously compromising usability... PGP is nowhere near
> widely enough deployed - I guess we could let resellers globally disable
> this for their names, but that would likely not be an option that many
> would choose, therefore not greatly improving security (it would of course
> allow those who desire greater security to have it).
>
> My understanding (perhaps wrong) is that plain text data (password)
> sniffing exploits are pretty rare - anyone violently disagree? It has
> always struck me as something that it is possible, but not generally worth
> it. In this case, not only would you have to be able to guarantee you could
> get all the mail sniffed, but also be familiar with the OSRS manage system.
