Gossamer Forum

Security Risk at many domain registrars

Hi All

1. Does your registrar REQUIRE Email Validation of changes made to key things like Login Password, Contact Info, or DNS Info?

2. What if a hacker were to get into your account(s) and change the login password?

For example, at this time, some registrars, like GoDaddy, do NOT require email validation of login password changes... Huh?

Other registrars, like NameBargain (based on Register.com), DO require email validation before effecting the changes.

ALL REGISTRARS SHOULD REQUIRE EMAIL VALIDATION OF ALL CRITICAL CHANGES..........PERIOD!!!!!!

1. Login Password
2. Contact Info
3. DNS Info

Also, you should be allowed more than 8 chars for the password (some registrars have this restriction). Like, maybe up to 12 or more chars should be the standard.

Any thoughts, suggestions?

Thanks.

P.S. - No, I don't own NameBargain... wish I did, though...

------------------------------------------

Last edited by: DogTags: Sep 17, 2003, 7:36 AM

Re: [DogTags] Security Risk at many domain registrars
My registrar requires me to send or fax a letter-head cover note to confirm proof of identity before any big changes.

Saying that though, I am my own registrar. Or at least we are now a Nominet tag holder, so we can register and change our information with a PGP signed email.

Cheers

- wil
Re: [DogTags] Security Risk at many domain registrars
Good catch, DogTags.

I never thought about that... I'm comfortable using NetworkSolutions account management tools. They at least send confirmation emails of changes made to my account, but no email validation. I guess the assumption that some registrars take is that since they are using Secure Sockets Layer (SSL) with 128+ bit encryption, their systems are "secure" enough. But you raise some really good points about people stealing other people's access information, which can wreak havoc on people's websites; for example, if they have website forwarding services, a hacker could go in and redirect all your websites to some porn site. Not good at all.

I do remember reading an article at Yahoo! News about international standards being applied to Internet domain registrars, but the problem is lack of a central enforcing body to oversee all the registrars.
========================================
Buh Bye!

Cheers,
Me
Re: [Stealth] Security Risk at many domain registrars
Would it be worth starting another thread to discuss the security of specific registrars so that we can have a sort of "buyer's guide" of registrars based on security considerations?

Registrar A
1. Email Validation of Password Changes............0
2. Email Validation of Contact Changes..............0
3. Email Validation of DNS Changes...................0
4. Support Phone Number.................................1
(Other factors)

Registrar B
1. Email Validation of Password Changes............1
2. Email Validation of Contact Changes..............1
3. Email Validation of DNS Changes...................1
4. Support Phone Number.................................1
(Other factors)

I think it would be good to start a discussion about the whole domain security issue in general.

What if there is someone out there with a super computer that is running through gazillions of possibilities for usernames/passwords trying to hack in?

What's to stop them?

In other words, how can we set up bulletproof security for the domains?

Maybe we should consider Wil's registrar's requirement that a fax be sent. On top of that, perhaps the Sending Fax number would have to be on record and only a fax sent from that fax number would be accepted.

Hey, Wil... who's your registrar?

Thanks.

------------------------------------------
Domain PIN - telephone validation
I'm trying to think of what the ideal registrar would offer for security.

I like the possibility of requiring FAX validation, especially for password changes.

You could even require that the fax come from a specific telephone number, but what if there are serious technical reasons for that number being out of service - like in a war area?

I have already mentioned the following factors to help provide security and access to support if there are problems:

1. Email Validation of Password Changes

2. Email Validation of Contact Changes

3. Email Validation of DNS Changes

4. Support Phone Number

Some additional security factors might be:

5. Modify User Name

6. FAX validation required

7. FAX validation from specified tel. number

8. Range of available characters: a-z, A-Z, 0-9, and a whole bunch of symbols or other chars

9. Number of characters: 12-16 in username and in password

10. Telephone PIN validation: perhaps a change submitted through the web admin could be followed up with a phone call with a special PIN. This type of thing might be better and easier than the FAX follow up. In fact, this could be really cool. You could create the change request through the web admin and be issued a Request Number. Then, you call a special phone number and enter your Request Number. Then, the voice thingy accepts your Request Number and says, "Okay, Fred, fork over your PIN or your Request is dead." At this point, you would punch in your special PIN and then your account change would be enabled.

The trick would be how to create that PIN without going through the web, like when first opening an account. Okay, I think I have it... Let's say that you want to open an account at Sam's Registrar Service. Okay, now you create a user/pass and do all the usual stuff. At this point, Sam's system says, "All right, we have your info. Now, you have to call this number xxx-xxx-xxxx to get your PIN. When you call that number, please enter the account number that was generated here (show account number)."

This would mean that the PIN is NEVER displayed on the web, and it would mean that the entire PIN process - from creation to all of its uses - would be totally automated. Modifying the PIN would have to be done over the phone, too, but that could be automatic, as well.

Yep, that would be the way to go.

Let's call it a "Domain PIN"

What do you think?

Thanks.

------------------------------------------

Last edited by: DogTags: Sep 17, 2003, 4:37 PM

Re: [DogTags] Domain PIN - telephone validation
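A sketch of the "Domain PIN" flow proposed above, which also covers the out-of-band validation of critical changes the first post asks for. This is an added example, not code from the thread or from any registrar: the web side only ever hands out an account number and a request number, the PIN is collected and used only over the (simulated) phone channel, and a change to password, contact or DNS data is applied only once a valid PIN confirms its request number. The six-digit PIN, the 15-minute request expiry, and the web_*/phone_* method names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

REQUEST_TTL = 15 * 60  # assumed: a pending change request expires after 15 minutes
CRITICAL = {"password", "contact", "dns"}  # the three fields the thread lists

def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Registrar:
    # web_* methods model the admin site, phone_* methods model the IVR line
    def __init__(self):
        self.accounts = {}    # account_id -> {"salt", "pin_hash", "fields"}
        self.pin_pickup = {}  # account_id -> PIN, readable once, phone channel only
        self.pending = {}     # request_id -> (account_id, field, value, created)

    def web_open_account(self, fields):
        account_id, salt = secrets.token_hex(4), secrets.token_bytes(16)
        pin = f"{secrets.randbelow(10**6):06d}"
        self.accounts[account_id] = {"salt": salt, "pin_hash": _hash_pin(pin, salt),
                                     "fields": dict(fields)}
        self.pin_pickup[account_id] = pin
        return account_id  # the web response never carries the PIN

    def phone_collect_pin(self, account_id):
        return self.pin_pickup.pop(account_id, None)  # one-time pickup over the phone

    def web_request_change(self, account_id, field, value):
        if account_id not in self.accounts or field not in CRITICAL:
            raise ValueError("unknown account or non-critical field")
        request_id = secrets.token_hex(6)
        self.pending[request_id] = (account_id, field, value, time.time())
        return request_id  # nothing is applied until phone_confirm succeeds

    def phone_confirm(self, request_id, pin):
        entry = self.pending.pop(request_id, None)  # single use: a wrong PIN kills it
        if entry is None:
            return False
        account_id, field, value, created = entry
        acct = self.accounts[account_id]
        if time.time() - created > REQUEST_TTL:
            return False
        if not hmac.compare_digest(_hash_pin(pin, acct["salt"]), acct["pin_hash"]):
            return False
        acct["fields"][field] = value
        return True

    def web_view(self, account_id):
        return dict(self.accounts[account_id]["fields"])
```

A request number is consumed on its first confirmation attempt, so a guessed or replayed PIN cannot revive it; a fresh request has to be raised through the web channel.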
Basically a combination of a web and an Interactive Voice Response (IVR) system. I am actually working on a web-based system to work with an IVR system. It's basically an issue of using a centralized database between the IVR and the website, and setting permissions for what data can be input/updated through either channel.
========================================
Buh Bye!

Cheers,
Me
Re: [Stealth] Domain PIN - telephone validation
Yep... bulls-eye.

------------------------------------------