Hello,

--- [EMAIL PROTECTED] wrote:
> Look through the RWI code - that's where the hole(s)
> are:
> 1. Customer passwords are stored in a form which allows
> extraction back into plaintext,
> 2. the second hole is that the RWI currently doesn't allow
> for encryption of the email(s) being sent out. Not even the
> one that contains confidential information.
Yes, #1 is bad. Only a secure hash of the password should be stored, not the password itself. Then, since the password isn't stored, all one would be allowed to do is a password reset, on request (see below).

It would likely be better to allow this password reset to be over a secure method, such as a fax (i.e. allow the reseller to set this in the RWI, in advance, and be able to lock it -- how often does one's fax info change?). If the info changes, allow for a human verification system, perhaps a phone call to the reseller, or something, to ensure they really want to change things.

Using off-the-shelf fax server systems, e.g.:

http://www.actfax.com/ (under $1K)
http://directory.google.com/Top/Computers/Data_Communications/Unified_Messaging/Fax_Server/?tc=1 (others)

(one would need fax board hardware, too, and a spare phone line or two), one can likely automate it fairly inexpensively (i.e. turn a standard electronic document into a fax, and send the fax instead of an email).

Would allow for value-added services, too, such as "high security" on transfers, e.g. send out by fax a transfer verification code on outgoing transfers. Some of us would be willing to pay a premium to protect our top domains by this extra layer of security, which isn't easy for hackers to attack (i.e. they'd need to be able to intercept a fax, which is a tougher thing to do compared with sniffing a plain text password in an email).

Would folks pay an extra $2/year for N domains, or an extra $100/yr flat rate, to ensure that you (either registrant or reseller, or both) get a fax that you must use to authenticate outgoing transfers? I know some big organizations are so careful that an outside law firm authenticates all their DNS changes, so I'm not the most paranoid one out there. ;)

Sincerely,

George Kirikos
http://www.kirikos.com/
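The "store only a hash, then only ever allow a reset" model from the message above, as an added example that is not code from the RWI or from George's email. It assumes a salted PBKDF2-SHA256 record per customer, an in-memory stand-in for the customer table, and a reset token of which, again, only a hash is kept, so that a copy of the stored data yields neither the password nor a usable token; the iteration count, TTL and all names are assumptions.

```python
# Added example (not the RWI's code): store a salted password hash rather than
# the password, and drive resets from a one-time token that is also stored
# only as a hash. Names, parameters and the in-memory store are assumptions.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumption: raise over time as hardware speeds up
RESET_TOKEN_TTL = 15 * 60    # assumption: reset tokens expire after 15 minutes


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash' (hex).

    Only this record is stored; the plaintext cannot be recovered from it,
    which is exactly what the flaw described in the email lacks.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


class AccountStore:
    """Constructed in-memory stand-in for the registrar's customer table."""

    def __init__(self):
        self.records = {}   # username -> password record (never plaintext)
        self.resets = {}    # username -> (sha256(token), expiry timestamp)

    def create(self, username, password):
        self.records[username] = hash_password(password)

    def login(self, username, password):
        record = self.records.get(username)
        return record is not None and verify_password(password, record)

    def issue_reset_token(self, username, now=None):
        """Return a one-time token to deliver out of band (e.g. the fax above).

        Only a hash of the token is kept, so a copy of the table cannot redeem it.
        """
        if username not in self.records:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL
        self.resets[username] = (hashlib.sha256(token.encode()).digest(), expiry)
        return token

    def redeem_reset_token(self, username, token, new_password, now=None):
        """Set a new password if the token matches and is unexpired; single use."""
        entry = self.resets.get(username)
        if entry is None:
            return False
        token_hash, expiry = entry
        now = now if now is not None else time.time()
        if now > expiry:
            del self.resets[username]
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        del self.resets[username]           # a token can be redeemed once only
        self.records[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("reseller1", "correct horse")
    print(store.login("reseller1", "correct horse"))          # True
    print(store.records["reseller1"].split("$")[0])           # pbkdf2_sha256
    tok = store.issue_reset_token("reseller1")
    print(store.redeem_reset_token("reseller1", tok, "new passphrase"))  # True
    print(store.login("reseller1", "new passphrase"))         # True
```

The point to check in a review of a system like the RWI is that no code path ever needs the original password back: login recomputes and compares, and a forgotten password ends in a fresh hash via the token, never in an email containing the old one.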