Kurt A. Schumacher wrote:

All,

Owners of SWITCH nic.ch registered are receiving these days their annual
"Payment information for domain names" ("Zahlungsinformation für
Domain-Namen") again.

As a courtesy to the user there is a link supplied to allow a direct payment
by credit card, e.g.
https://nic.switch.ch/reg/epay.cfm?userid=123456&key=m3Ydfdrcf4mm3uEYx
(hehe, modified...) in a clear text message. I see this is a very nice
service - and I don't hesitate if anyone else grabs the link from the mail
and pays the invoice.


But the downside: At the end of the page there is a link to "Options" -
directly pointing to the page where new names can be registered, domains to
be transferred to other customers or change the password - WITHOUT ever
asking the user for his password more or less ensuring he is the appropriate
person for such tasks.

I consider this a MAJOR security breach. This has been repeatedly reported
to nic.ch - including their legal and compliance department (SWITCH security
responsible) - over the last 12 months:

Official answer: "We can not understand your problem." Not even a sorry, or
a thank you. They promised looking for it - but nothing changed again.

SWITCH - nic.ch - an ignorant and stupid organization.

Beside flames: What are your thoughts? Something for a follow-up by our new
friends from Berne?

-Kurt.

PS. Spying nic.ch passwords is not required at all ;-))

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/


Hello

I've recently subscribed to the swinog mailing list which is why I have been following this thread. Here's SWITCH's official answer to your concern:

The registration system of SWITCH has been purposely designed to allow anyone to submit a request for anyone.

However, this does not mean that SWITCH will execute modifications or deletions without proof of eligibility.

Certain requests require a written approval of the holder and will never be executed without such an approval.

By clicking on the URL for electronic payment, the user is not automatically logged in and he does not have any more privileges than he would have by entering the page https://nic.switch.ch/reg/optionsbasic.cfm via our website.

Regards.

--
Marco D'Alessandro * Marketing & PR
SWITCH * The Swiss Education & Research Network
PO Box, CH-8021 Zurich * Tel. +41 1 253 98 66 Fax +41 1 268 15 68
E-Mail: [EMAIL PROTECTED] * http://www.switch.ch

