On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
> While crypt password authentication is not in and of itself very secure,
> Network Solutions have made it even less so by including the first two
> characters of the password as the salt of the encrypted form. While the
> password is transmitted via a secure session, the encrypted form is
> returned almost immediately in a non-encrypted www session. Also, this
> password is typically emailed back and forth to the user no less than two
> times (and often times more). This allows several opportunities for
> someone to observe the encrypted password, this in and of itself is not
> good.

Plus when you submit a change request template, your email contains the plaintext password. :-( And that's the problem: not the crypt routine, but the cleartext data xfer.

> Possible Workarounds:
>
> Do not use the Crypt-PW authentication-scheme. Instead use the MAIL_FROM
> or PGP scheme instead.

If someone attempts to make changes to a domain with a Network Solutions old-style[0] admin or billing handle, Network Solutions will email the responsible handle's address. With MAIL_FROM, the email address is available via a whois query. Easily obtained, easily spoofed, and if you get cracked, you have to get NetSol involved to clean up.

*Do NOT use mail_from!!!*

You're in just as much trouble if someone gets your encrypted NetSol CRYPT-PW password. But, unlike the email address, the encrypted password is not readily available. An attacker without the encrypted password can only attempt to guess the password. And the attacker must send a change request to test their guess. And you get emailed each time they try. The only effective way to crack a CRYPT-PW handle is to sniff the email channel [so the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].

Which gets us to footnote [0]: for many months, Network Solutions has been using a fully Web-based system for domain/handle maintenance.

So to the extent you're concerned about CRYPT_PW, I'd suggest two viable alternatives: change the authentication method to PGP (very easy), or create new NIC handles for the Web-based management system and transfer your domains' contact handles to the Web-based handles. Those with many domains will likely find the Web-based interface annoying, especially for batch updates.

But for goodness' sake, do *not* use MAIL_FROM !!!

-Peter

> If you must use CRYPT-PW then the following suggestions are recommended:

Changing your password means sending the cleartext value to NetSol via email. So changing your password involves risk. :-(

This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 15:38:52 PDT