Hi Kurt!

The Switch staff reported to me that an approval is needed. I was able to confirm that with the mails I've got here. Switch is reading in here, so there will be an official answer soon, I think.

Best wishes,
Matthias

----- Original Message -----
From: "Kurt A. Schumacher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 7:07 PM
Subject: [swinog] RE: [swinog] Re: [swinog] Security à la SWITCH - nic.ch

Matthias Philipp

If the mail with the url _is_ the one from a domain holder there is never ever an additional approval... Matter of fact any nic.ch user with such an URL needs never ever his password again!

Sending a URL allowing just the payment option - without kind of a very-unsecure-single-sign-on functionality - is a good service for us customers. Clear text is not a problem - if is willing to pay for your or my domains - just say yes. But if the same user can hijack or delete your domains just by using the URL in question by following the options link - just a bug?

Sorry, I have to insist: This is a MAJOR SECURITY problem and must be solved by SWITCH. The promises from their legal and compliance "we never had a problem" and "if something goes wrong you can call the helpdesk" can't be considered a solution, eh?

No tricks, no double floor.

-Kurt.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthias Hertzog
Sent: Wednesday, November 12, 2003 6:27 PM
To: [EMAIL PROTECTED]
Subject: [swinog] Re: [swinog] Security à la SWITCH - nic.ch

Hi!

AFAIK, the requests placed through that "trick" have to be approved by the domain holder. No changes will be made directly.

I fully agree, this is a bug, but it's not a real security hole / problem.

Matthias

----- Original Message -----
From: "Philipp Morger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 6:21 PM
Subject: Re: [swinog] Security à la SWITCH - nic.ch

On Wed, Nov 12, 2003 at 10:04:38 +0100, Kurt A. Schumacher wrote:
> I consider this a MAJOR security breach. This has been repeatedly
> reported to nic.ch - including their legal and compliance department
> (SWITCH security responsible) - over the last 12 months:

Well, I would call it "fahrlässig" - with this information sent via cleartext. Might be worth to submit to the "Datenschutzbeauftragter" (I wonder, why it isn't called "Datenschutzdepartement" - there can't be so few issues which requires just one person)

What's the legit status anyway? I mean, there are folks out there that send confidential data over mobile phones, fax or regular phone... any of these could get eavesdropped... so does your daily mail.

> Official answer: "We can not understand your problem." Not even a
> sorry, or a thank you. They promised looking for it - but nothing
> changed again.

If I'm not wrong, you can send online a request to get your access information - so the payment-mail sent with the link does not provide more information than the mail you (or who ever) would get with this request...

> SWITCH - nic.ch - an ignorant and stupid organization.

Well, that's almost anyone that sends access information in cleartext mails... the problem is, that there's almost no security mechanism in place - I doubt that if switch would provide (and please do) a way to submit a gpg-key to get emails encrypted that it would be used by a wide userbase anyway...

Don't blame switch, it's a software problem >;)

Regards
Philipp

--
   _;\_     Philipp Morger / PHM2-RIPE  System & Network Administrator
  /_.  \    Dolphins Network Systems AG Phone +41-1-847'45'45
 |/ -\ .)   Email: <[EMAIL PROTECTED]>
 -'^`-  \;  Don't send mail to: [EMAIL PROTECTED]

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
