IP: NSI eliminates all security on domain registrations

[Dave Farber <farber@cis.upenn.edu>]

>To: farber@cis.upenn.edu
>Subject: NSI eliminates all security on domain registrations
>From: "Perry E. Metzger" <perry@piermont.com>
>Date: 03 Jul 2000 09:46:14 -0400
>
>
>For IP, originally sent to my cryptography list...
>
>--
>Perry E. Metzger                perry@piermont.com
>--
>"Ask not what your country can force other people to do for you..."
>------- Start of forwarded message -------
>Date: Sun, 2 Jul 2000 19:36:16 -0700
>To: Openpgp <openpgp@openpgp.net>
>From: Dave Del Torto <ddt@openpgp.net>
>Subject: Re: Has RSADSI Lost their mind?
>Cc: Lucky Green <shamrock@cypherpunks.to>, ukcrypto@maillist.ox.ac.uk,
>         cypherpunks@openpgp.net, cryptography@c2.net,
>         CYBERIA-L@LISTSERV.AOL.COM, linux-ipsec@clinet.fi
>Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
>An amusing if merely semi-related followup...
>
>Network Solutions, Inc. (recently acquired by VeriSign for umpteen
>hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE"
>toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty
>of lead time for all you multidomain admins, right?) they're removing
>virtually all handle and domain security, because: "Security for our
>customers has always been a top priority at Network Solutions."
>
>Uh... come again with that undoubleplusgoodbarspeak, please?
>
>Now, if you can wipe the tears of joy from your eyes, you'll see this
>means that the two "secure methods" for domain management they've
>ostensibly been offering for years, i.e. "CRYPT-PW" (which was always
>suspect anyway: they left some chars of your hashed "password" in the
>clear to make ::mumble-mumble:: easier for their Customer Service
>people), and "PGP" (which never really worked anyway as you know if
>you're one of the ~6,000 cypherpunks who tried to log a key and use
>it), are going to be ratcheted down to "MAIL-FROM".
>
>Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies
>to all domains they have in their registry, because it's the new
>"enhancement" to their Guardian service. If you're got a minim of
>grey matter left in your cranium, you can probably guess that this
>means they're soon going to offer another "enhancement" (this one you
>pay for) involving X.509v3 keys...
>
>But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):
>
> >>..."NSI is enhancing "Mail-From" with an additional e-mail security
> >>check. Specifically, NSI will e-mail a validation request to the
> >>specific administrative and technical contact listed for a domain
> >>name before making any modification to that domain name."  ...
>
>Yep, you've got the idea now: if you want to hijack a domain from an
>NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll
>be forced to spoof the email _twice_. Ouch! They're really puttin'
>the screws on them nasty "hacker" types, huh? Whew!
>
>If you were confused by this (and when was a message from NSI ever
>not confusing?), naturally you'll go to their website to learn more:
>
> >>To make modifications easier, we provided easy-to-follow
> >>instructions on our web site at:
> >><http://info.networksolutions.com/go/h/security/guardian/>
>
>...where, among the gobbeldygook, in FAQ#4 "What is PGP?", they have
>a moribund hyperlink in the explanation to the "PGP website."
>Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe
>you had to be there back in the day to really appreciate the humor of
>this, but after 4+ years of trying to get N$I to make the PGP option
>work, _I_ found this kinda funny myself...
>
>     dave
>
>PS: <http://www.opensrs.org> ...'nuff said.
>
>
>___________________________________________________________________________
>"And now: we'll be back after a few subliminal messages from our sponsors."
>
>
>------- End of forwarded message -------