Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Job Snijders
Keith, On Tue, Feb 26, 2019 at 6:00 AM Keith Medcalf wrote: > >https://twofactorauth.org/#domains gives a good view of the domain > >management landscape regarding 2FA. > > Seems to require the unfettered execution of third-party code ... > > Are you offering an indemnity in case that code is

RE: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Keith Medcalf
>https://twofactorauth.org/#domains gives a good view of the domain >management landscape regarding 2FA. Seems to require the unfettered execution of third-party code ... Are you offering an indemnity in case that code is malicious? What are the terms and the amount of the indemnity? ---

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Rubens Kuhl
On Tue, Feb 26, 2019 at 12:14 AM John Levine wrote: > In article <24679.1551146...@turing-police.cc.vt.edu> you write: > >So what registries/registrars are supporting 2FA that's better than SMS? > > Opensrs does TOTP. It's certainly not bulletproof, but it's tied to > your actual phone rather

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread John Levine
In article <24679.1551146...@turing-police.cc.vt.edu> you write: >So what registries/registrars are supporting 2FA that's better than SMS? Opensrs does TOTP. It's certainly not bulletproof, but it's tied to your actual phone rather than the phone number. (We careful folk put our TOTP keys on a

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Hunter Fuller
On Mon, Feb 25, 2019 at 8:02 PM wrote: > So what registries/registrars are supporting 2FA that's better than SMS? > Or since 98% of domain names are Bait type, is nobody bothering > to support something for the 2% that could use it? If Joe's Bait and Tackle buys from Namecheap, they can utilize

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Eric Kuhnke
Markmonitor runs a registrar popular with Fortune 500s that implements additional security steps, and talking to a clued-in live human in the loop to modify anything in your domain record. On Mon, Feb 25, 2019, 6:03 PM wrote: > On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said: > > >

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread valdis . kletnieks
On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said: > Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's > Bait & Tackle Shop probably isn't getting attacked by nation states who > can hack SS7, so SMS text might be good enough. And certainly better > than just an 8 char

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> Yup. This is a good example of what I'm advocating. Just ebersman> saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't ebersman> sufficient detail to make informed decisions of ebersman> risk/effort/reward tradeoffs. Simplistic suggestions without ebersman> details or context isn't

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Ross Tajvar
Speaking of registrars vs registries - I've noticed some companies have become their own registrar to improve their domain security (Cloudflare, Google, etc.). Is that a feasible path for smaller organizations? How much risk does that mitigate? It seems like it gives the organization control over

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread valdis . kletnieks
On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said: > ekuhnke> One thing to consider with authentication for domain registrar > ekuhnke> accounts: > > ekuhnke> DO NOT USE 2FA VIA SMS. > > Yup. This is a good example of what I'm advocating. Just saying "use > 2FA" or "use DNSSEC" or "have a

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ekuhnke> One thing to consider with authentication for domain registrar ekuhnke> accounts: ekuhnke> DO NOT USE 2FA VIA SMS. Yup. This is a good example of what I'm advocating. Just saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make informed decisions of

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> If someone owns your registry account, you're screwed. And ebersman> right now, it tends to be the most neglected part of the ebersman> entire zone ownership world. Let's use this opportunity to ebersman> help folks lock down their accounts, not muddying the waters ebersman> with dubious

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Eric Kuhnke
One thing to consider with authentication for domain registrar accounts: DO NOT USE 2FA VIA SMS. This is a known attack vector that's been used by SS7 hijacking techniques for several well documented thefts of cryptocurrency, from people who were known to be holding large amounts of (bitcoin,

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Owen DeLong
> On Feb 25, 2019, at 09:25 , Paul Ebersman wrote: > > ebersman> If someone owns your registry account, you're screwed. And > ebersman> right now, it tends to be the most neglected part of the > ebersman> entire zone ownership world. Let's use this opportunity to > ebersman> help folks lock

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Sander Steffann
Hi Paul, > Reread this and felt I should clarify that I realize that John and Doug > are not the ones saying DNSSEC is useless. I just hate to see the knee > jerk "oh, see, DNSSEC didn't save the day so it's obviously > useless". Let's give the world a better explanation. Security is only as

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> If someone owns your registry account, you're screwed. And ebersman> right now, it tends to be the most neglected part of the ebersman> entire zone ownership world. Let's use this opportunity to ebersman> help folks lock down their accounts, not muddying the waters ebersman> with dubious

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
dougm> You are right, if you can compromise a registrar that permits dougm> DNSSEC to be disabled (without notification/confirmation to POCs dougm> etc), then you only have a limited period (max of DS TTL) of dougm> protection for those resolvers that have already cached the DS. johnl> As far as

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Hank Nussbacher
On 25/02/2019 11:37, Ask Bjørn Hansen wrote: On Feb 24, 2019, at 22:03, Hank Nussbacher wrote: Did you have a CAA record defined and if not, why not? If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Tony Finch
Mark Andrews wrote: > > An organisation can also deploy DLV for their own zones using their own > registry. While the current code DLV validating code is only invoked > when the response validates as insecure, there is nothing preventing a > policy which says that DLV trumps or must also

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Ask Bjørn Hansen
> On Feb 24, 2019, at 22:03, Hank Nussbacher wrote: > > Did you have a CAA record defined and if not, why not? If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Måns Nilsson
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking Date: Mon, Feb 25, 2019 at 05:04:39PM +1100 Quoting Mark Andrews (ma...@isc.org): > I would also note that a organisation can deploy RFC 5011 for their own > zones and have their own equipment use DNSKEYs managed > using RFC 5011