[ga] NSI insecurity

[Sandy Harris <sandy@storm.ca>]

Is mismanagement of the domain name space considered on-topic for this
ICANN list? Methinks it should be, so I'm forwarding this.

The message turned up on the cypherpunks list. If that term is new to
you, you can grab some context at:

http://www.offshore.com.ai/security/
http://www.oberlin.edu/~brchkind/cyphernomicon/

Dave Del Torto wrote:
> 
> An amusing if merely semi-related followup...

This appeared amid a discussion of legal/licensing BS from RSADSI.
Subject was "Has RSADSI Lost their mind?".
 
> Network Solutions, Inc. (recently acquired by VeriSign for umpteen
> hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE"
> toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty
> of lead time for all you multidomain admins, right?) they're removing
> virtually all handle and domain security, because: "Security for our
> customers has always been a top priority at Network Solutions."
> 
> Uh... come again with that undoubleplusgoodbarspeak, please?
> 
> Now, if you can wipe the tears of joy from your eyes, you'll see this
> means that the two "secure methods" for domain management they've
> ostensibly been offering for years, i.e. "CRYPT-PW" (which was always
> suspect anyway: they left some chars of your hashed "password" in the
> clear to make ::mumble-mumble:: easier for their Customer Service
> people), and "PGP" (which never really worked anyway as you know if
> you're one of the ~6,000 cypherpunks who tried to log a key and use
> it), are going to be ratcheted down to "MAIL-FROM".
> 
> Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies
> to all domains they have in their registry, because it's the new
> "enhancement" to their Guardian service.

Anyone in the crowd who does not see a problem here, note that most of
the cryptographers, security professionals or system-crackers reading
this are either weeping or rolling on the floor laughing. I'm just
shaking my head.

> If you're got a minim of grey matter left in your cranium, you can
> probably guess that this means they're soon going to offer another
> "enhancement" (this one you pay for) involving X.509v3 keys...

Now I'm weeping. He's probably right. They've dumped PGP, a workable
solution even if they never made it work, likely in order to replace
it with something clumsier and less effective, apparently because
this is likely to enhance their revenue.

Is it part of ICANN's responsibility to rein in NSI's excesses?
If so, methinks a start is badly overdue.

> But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):
> 
> >>..."NSI is enhancing "Mail-From" with an additional e-mail security
> >>check. Specifically, NSI will e-mail a validation request to the
> >>specific administrative and technical contact listed for a domain
> >>name before making any modification to that domain name."  ...
> 
> Yep, you've got the idea now: if you want to hijack a domain from an
> NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll
> be forced to spoof the email _twice_. Ouch! They're really puttin'
> the screws on them nasty "hacker" types, huh? Whew!
> 
> If you were confused by this (and when was a message from NSI ever
> not confusing?), naturally you'll go to their website to learn more:
> 
> >>To make modifications easier, we provided easy-to-follow
> >>instructions on our web site at:
> >><http://info.networksolutions.com/go/h/security/guardian/>
> 
> ...where, among the gobbeldygook, in FAQ#4 "What is PGP?", they have
> a moribund hyperlink in the explanation to the "PGP website."
> Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe
> you had to be there back in the day to really appreciate the humor of
> this, but after 4+ years of trying to get N$I to make the PGP option
> work, _I_ found this kinda funny myself...

PGP is the obvious thing to use. Unlike the MAIL_FROM stuff it can
actually be made secure, though there's a non-trivial amount of work
involved.

Most system admins will already have PGP set up since it is routinely
used in other admin applications. For example, many software distributions
(e.g. sendmail and BIND) use PGP signatures, as do security alerts from
CERT and other such organisations, rmgroup and newgroup requests for
Usent news administration, ... 

A failure by NSI to support PGP is incredibly dumb and a serious security
risk.

>     dave
> 
> PS: <http://www.opensrs.org> ...'nuff said.
> 
> ___________________________________________________________________________
> "And now: we'll be back after a few subliminal messages from our sponsors."
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html