An amusing if merely semi-related followup...
Network Solutions, Inc. (recently acquired by VeriSign for umpteen
hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE"
toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty
of lead time for all you multidomain admins, right?) they're removing
virtually all handle and domain security, because: "Security for our
customers has always been a top priority at Network Solutions."
Uh... come again with that undoubleplusgoodbarspeak, please?
Now, if you can wipe the tears of joy from your eyes, you'll see this
means that the two "secure methods" for domain management they've
ostensibly been offering for years, i.e. "CRYPT-PW" (which was always
suspect anyway: they left some chars of your hashed "password" in the
clear to make ::mumble-mumble:: easier for their Customer Service
people), and "PGP" (which never really worked anyway as you know if
you're one of the ~6,000 cypherpunks who tried to log a key and use
it), are going to be ratcheted down to "MAIL-FROM".
Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies
to all domains they have in their registry, because it's the new
"enhancement" to their Guardian service. If you're got a minim of
grey matter left in your cranium, you can probably guess that this
means they're soon going to offer another "enhancement" (this one you
pay for) involving X.509v3 keys...
But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):
>>..."NSI is enhancing "Mail-From" with an additional e-mail security
>>check. Specifically, NSI will e-mail a validation request to the
>>specific administrative and technical contact listed for a domain
>>name before making any modification to that domain name." ...
Yep, you've got the idea now: if you want to hijack a domain from an
NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll
be forced to spoof the email _twice_. Ouch! They're really puttin'
the screws on them nasty "hacker" types, huh? Whew!
If you were confused by this (and when was a message from NSI ever
not confusing?), naturally you'll go to their website to learn more:
>>To make modifications easier, we provided easy-to-follow
>>instructions on our web site at:
>><http://info.networksolutions.com/go/h/security/guardian/>
...where, among the gobbeldygook, in FAQ#4 "What is PGP?", they have
a moribund hyperlink in the explanation to the "PGP website."
Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe
you had to be there back in the day to really appreciate the humor of
this, but after 4+ years of trying to get N$I to make the PGP option
work, _I_ found this kinda funny myself...
dave
PS: <http://www.opensrs.org> ...'nuff said.
___________________________________________________________________________
"And now: we'll be back after a few subliminal messages from our sponsors."
