GibWorld Features - DotCom Security
DotCom Security

Author - BloAtEd

     With the release of our new hosting system, we spent some time looking at how best to summarize the process of signing up for a domain name. What we found whilst doing this was an almost unbelievable security hole that would, in particular, affect inexperienced users. This report will take a look at the process currently used to sign up for a domain name, the problems that exist, and what you need to do to secure your domain.

Signing up for a domain name

     Until recently, signing up for a domain was not for the faint-hearted. There were complicated templates that had to be filled in before being e-mailed to Network Solutions, the company responsible for domain registration, for processing. Although the security holes existed in those days, many network admins could see the risks and took the necessary steps to remove them.
     Today, Network Solutions has plonked a web front-end on the signup process, other companies (basically middlemen) are offering third-party registration methods, and domain hosting has become a whole lot cheaper. As a result of all this, more ordinary internet users are getting domain names, trusting that they will be totally secure.
     The current signup process at http://www.networksolutions.com seems simple enough. You choose the domain you want and, if available, continue. You select from a number of packages and options before reaching and completing the account holder information screen. This is the OWNER, but it’s the next screen where you select who CONTROLS the domain.
     Every domain has three contacts associated with it: an administrative contact, a technical contact, and a billing contact. The administrative contact is supposedly the owner of the domain or, if you will, the domain manager. The technical contact controls all technical aspects of domain administration and would, for example, be your ISP. The billing contact pays the bills. Both the administrative and technical contact have complete control over the domain and, worryingly, can exercise it without the ACCOUNT HOLDER (the REAL owner of the domain from its registration) finding out. This in itself is not a real problem, because as long as the account holder is running the domain, or is aware of who is running it, all is well…
     But what if one of these contacts could be replaced with someone else without anyone knowing?

Authentication Methods

     When either the administrative or technical contact wants to make changes to a domain, they need to have their request authenticated. Although the domain signup process is now web based, all changes are still made by sending a “modify” template via email. This would be sent by one of the domain contacts and is authenticated by one of three methods: PGP, CRYPT-PW, or MAIL-FROM (the default). The first method, PGP (Pretty Good Privacy), is very similar to a digital certificate and almost 100% guarantees that the request is genuine. CRYPT-PW is a method by which every request is sent with a password and, assuming that no-one has access to your mail, is quite secure. MAIL-FROM, the default method, authenticates changes to the domain by checking the email’s From: address to ensure it’s from the contact.
     If set up and used correctly, PGP and CRYPT-PW do offer good protection over all the contact’s domains. MAIL-FROM (the DEFAULT authentication method), however, basically allows anyone to make potentially compromising changes to, or even steal control of, your entire domain. These ‘changes’ could result in your website being down for several weeks while you frantically try to prove to Network Solutions what has happened.

So What Goes Wrong?

     As Internet experts will know, email is sent with a series of headers before the message body. Many of these you see in your mail program, e.g. To:, CC:, and Subject:. One which you don’t see, however, is ‘From:’. This header is always present, and can be set in any mail program. E.g. in Outlook you simply need to change your reply address in account settings to a new address and recipients will think the mail came from there. When they hit reply, it obviously won’t go back to you, but if you wanted to make them think an email had come from Bill.Gates@microsoft.com, it would be as simple as entering it into this field.
     With MAIL-FROM authentication, Network Solutions look at the ‘From:’ header. If the address there matches that of one of the domain’s contacts, then the action will be performed. No-one will be contacted or warned about the change; it will just happen. (You can manually change this so you ARE warned before the change takes place, see below...)
     You may think the risk of this occurring is still quite low. After all, how would a malicious user find out the email address of the contacts for the domain? The answer is very easily. All details of domains are stored in a huge database known as the whois database. Records can be looked up on, surprise surprise, http://www.networksolutions.com. 
     So ruining a user’s website could be as simple as: looking up a domain name, finding out a contact’s email address, completing one of the modification templates, changing your reply address, and emailing the template to our friends at Network Solutions.
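The two authentication methods compared in the previous sections, MAIL-FROM and CRYPT-PW, can be modelled in a few lines. The example below is added here and is not code from the article or from Network Solutions; it is a toy registry-side check that shows what each method actually verifies when a modify template arrives. The contact record layout, the `Password:` template field, the salted SHA-256 hash (standing in for whatever the real CRYPT-PW scheme used) and the NIC handle `XX123` are all assumptions for illustration.

```python
"""Added example (not from the article or from Network Solutions): a toy model of
how a registry might authenticate an e-mailed 'modify' template under the
MAIL-FROM and CRYPT-PW methods the article describes. Field names, the hash
scheme and the contact record layout are assumptions for illustration."""
import email
import email.utils
import hashlib
import hmac
from email.message import Message

# Constructed contact record; the NIC handle is a placeholder.
CONTACT = {
    "handle": "XX123",
    "email": "admin@example.com",
    "auth": "MAIL-FROM",       # the article's insecure default
    "crypt_pw": None,          # salted hash, set when auth is CRYPT-PW
    "notify": "AFTER-UPDATE",  # BEFORE-UPDATE holds changes for confirmation
}


def hash_password(password: str, salt: str) -> str:
    """Salted hash stored on the contact record (stand-in for crypt(3))."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def template_field(msg: Message, name: str):
    """Return the value of a 'Name: value' line in the template body, if any."""
    for line in msg.get_payload().splitlines():
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def verify_mail_from(msg: Message, contact: dict) -> bool:
    """MAIL-FROM: the only check is that a sender-chosen header matches the
    public whois address, so it proves nothing about who sent the mail."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.lower() == contact["email"].lower()


def verify_crypt_pw(msg: Message, contact: dict) -> bool:
    """CRYPT-PW: the template must carry a password whose hash matches the
    stored one; the password never appears in whois."""
    stored = contact.get("crypt_pw")
    supplied = template_field(msg, "Password")
    if not stored or supplied is None:
        return False
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(supplied, salt), stored)


def process_modify(msg: Message, contact: dict) -> str:
    """Outcome of a request: 'applied', 'held-for-confirmation' or 'rejected'."""
    checks = {"MAIL-FROM": verify_mail_from, "CRYPT-PW": verify_crypt_pw}
    if contact["auth"] not in checks:
        raise ValueError("PGP is not modelled in this example")
    if not checks[contact["auth"]](msg, contact):
        return "rejected"
    if contact["notify"] == "BEFORE-UPDATE":
        return "held-for-confirmation"  # the contact gets to approve first
    return "applied"


def demo() -> dict:
    """Run one constructed template against the default and hardened records."""
    # Constructed message: From: matches the whois address, and that is all
    # the registry has to go on under MAIL-FROM.
    raw = (
        "From: admin@example.com\n"
        "To: hostmaster@internic.net\n"
        "Subject: MODIFY DOMAIN\n"
        "\n"
        "Domain Name: example.com\n"
        "Password: \n"
    )
    no_password = email.message_from_string(raw)
    with_password = email.message_from_string(
        raw.replace("Password: \n", "Password: correct horse\n"))
    hardened = dict(CONTACT, auth="CRYPT-PW", notify="BEFORE-UPDATE",
                    crypt_pw=hash_password("correct horse", "ab"))
    return {
        "mail-from": process_modify(no_password, CONTACT),
        "crypt-pw, no password": process_modify(no_password, hardened),
        "crypt-pw, right password": process_modify(with_password, hardened),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Under the default record the template is applied on the strength of a header alone; under the hardened record the same template is rejected, and even a template carrying the right password is held until the contact confirms it, which is the BEFORE-UPDATE behaviour described in the next section.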

Changing Your Authentication Type

     Network Solutions offer a template creator for modifying contact records, and using it is fairly simple. By upgrading your contact record’s auth method, and by ensuring that any other contact who controls your domains has done the same, everything automatically becomes more secure.
     To upgrade your contact template you will need to find out your NIC handle, an id given to all contacts. The best way to do this is to look at the whois entry for your domain at http://www.networksolutions.com/cgi-bin/whois/whois. The NIC handle will be next to your personal details. If you find while doing this that your ISP has assumed both the Administrative and Technical contact roles, you may want to get in touch with them.
     Once you know your NIC handle, make your way to http://www.networksolutions.com/cgi-bin/makechanges/itts/handle and choose to modify an existing contact. When you get asked for your current authentication method you must choose MAIL-FROM. Check over your personal details. You may like to consider changing ‘notification’ to BEFORE-UPDATE. This will ensure that you can authorize ANY changes, even valid ones, to your domain before they happen. Proceed to setting a new authentication method (CRYPT-PW is a good one to go for if you are a new user). The wizard will generate a form and e-mail it to you. You must in turn email this to hostmaster@internic.net (make sure your reply address is that on the contact record :). You should receive confirmation when the request is completed.
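The first step above, finding your NIC handle in the whois record and checking who holds the controlling roles, can be scripted over a saved whois record. The example below is added here and is not code from the article or from Network Solutions. The whois record it parses is constructed for a placeholder domain and its layout (a role line followed by a contact line with the handle in parentheses) is an assumption; real whois output may differ and the regular expressions would need adjusting.

```python
"""Added example (not from the article or from Network Solutions): pull the NIC
handles out of a whois record so you know which contact records to upgrade,
and flag the case the article warns about where one handle, typically the ISP,
holds both the administrative and technical roles. The record below is
constructed and its layout is assumed; real whois output may differ."""
import re

# Constructed whois record for a placeholder domain.
SAMPLE_WHOIS = """\
   Registrant:
   Example Ltd (EXAMPLE-DOM)
      1 Example Street
      Exampletown, EX1 1EX
      GB

   Domain Name: EXAMPLE.COM

   Administrative Contact:
      Example ISP Hostmaster  (EI123-ORG)  hostmaster@isp.example
   Technical Contact:
      Example ISP Hostmaster  (EI123-ORG)  hostmaster@isp.example
   Billing Contact:
      Smith, Jane  (JS999)  jane@example.com

   Record last updated on 01-Jan-2000.
"""

DOMAIN_RE = re.compile(r"^\s*Domain Name:\s*(\S+)")
ROLE_RE = re.compile(r"^\s*(Administrative|Technical|Billing) Contact:\s*$")
# Contact line (assumed layout): name, NIC handle in parentheses, e-mail address.
CONTACT_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+(?P<email>\S+@\S+)\s*$")


def parse_whois(text: str):
    """Return (domain, {role: {name, handle, email}}) from a whois record."""
    domain, contacts, role = None, {}, None
    for line in text.splitlines():
        if (m := DOMAIN_RE.match(line)):
            domain = m.group(1).lower()
        elif (m := ROLE_RE.match(line)):
            role = m.group(1).lower()  # the next contact line belongs to this role
        elif role and (m := CONTACT_RE.match(line)):
            contacts[role] = {"name": m["name"], "handle": m["handle"],
                              "email": m["email"].lower()}
            role = None
    return domain, contacts


def review_contacts(text: str) -> dict:
    """Summarise which handles control the domain and what to look at."""
    domain, contacts = parse_whois(text)
    findings = []
    admin, tech = contacts.get("administrative"), contacts.get("technical")
    if admin and tech and admin["handle"] == tech["handle"]:
        findings.append(
            f"{admin['handle']} ({admin['name']}) holds both the administrative "
            "and technical roles; if that is your ISP, get in touch with them")
    # Per the article, administrative and technical contacts have full control,
    # so both of their records need a stronger authentication method.
    controlling = sorted({c["handle"] for r, c in contacts.items()
                          if r in ("administrative", "technical")})
    return {"domain": domain, "contacts": contacts,
            "handles_to_upgrade": controlling, "findings": findings}


if __name__ == "__main__":
    report = review_contacts(SAMPLE_WHOIS)
    print("domain:", report["domain"])
    print("upgrade auth on:", ", ".join(report["handles_to_upgrade"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

Paste the whois output for your own domain into `SAMPLE_WHOIS` (or read it from a file) and the report lists every handle whose authentication method needs to move off MAIL-FROM, plus a note if a single handle controls both roles.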


Conclusion

     I find it a joke that a company at the heart of the Internet is still using such an out-of-date method of authorization. Admittedly when domain names were first being registered, the web did not exist; however, when you look at the 128-bit encryption that protects websites today, you can’t help but wonder why this security hole exists. I would like to see the whole method of registering/updating domains completely revised and made as secure as other actions critical to business such as banking and shopping.

***Last Words/Disclaimer: Attempts to illegally modify domains can almost certainly be traced. The only person who has a legal right over a domain is the account holder. I do not recommend/condone attempts to modify domains in this way unless you are just performing a test to prove or disprove the security of your domain.***

© Copyright 1999 - 21st Century, GibWorld Networks. All Rights Reserved.