
Nominet's new online system (Security Issue?)

Status
Not open for further replies.
I was just taking a look around the new Online Service site that launched a few weeks ago and one thing struck me.

If you go to Tag Holders --> Summary

You will notice this field:

PGP Keys
#1: XXXXXXXXXXXXXXXX

My understanding of it is that to use the Automaton all you need is this key and it's not IP based like the DAC.

So what's to stop someone gaining access via brute force or by the many other various ways (SQL Injection etc), obtaining the PGP key and having a field day deleting or changing someone's domains?

I know it's a pretty stupid question, as that's the same for any registrar anywhere, but before having your own tag has to be one of the most secure ways of holding your domains.

Is there any need for this information to be on the site? I know personally I would prefer it not to be there.

What does everyone else think?
 
I think they are inviting trouble.

Always have been.

-aqls-
 
Nominet only holds your public PGP key.

To be able to generate properly forged automaton requests you would also need the tag holder's private key.
 
Yeah.

So if someone brute-forces your password, he can upload a fake public key and then control your TAG with its private half.
 
vizzy said:
So if someone brute-forces your password, he can upload a fake public key and then control your TAG with its private half.

That wouldn't work - you need both the public and private key to be able to PGP-sign a message.

Having just the public key is useless :)
 
Dr Viz is saying: brute-force the online system, upload a totally new keyset ... which would mean you have the public and private keys and then could do anything you want.
 
rob said:
Dr Viz is saying: brute-force the online system, upload a totally new keyset ... which would mean you have the public and private keys and then could do anything you want.

Ahh, I should read posts more thoroughly... I didn't realise you could upload new ones... now that is dodgy...
 
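As an added illustration of the point the replies above converge on (this is example code, not from the thread or from Nominet), the following Go program models a signed-request automaton with Ed25519 standing in for PGP: the registrar holds only the public key, so seeing it on the summary page yields nothing, but whoever can change the key on file can sign as the tag holder. The record structure and the request string are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// tagRecord: what the registrar keeps on file, only the public half of the key.
type tagRecord struct {
	pubKey ed25519.PublicKey
}

// signRequest is the tag holder's side; the private key never leaves them.
func signRequest(priv ed25519.PrivateKey, req string) []byte {
	return ed25519.Sign(priv, []byte(req))
}

// acceptRequest is the automaton's side: verify under the key on file.
func (r *tagRecord) acceptRequest(req string, sig []byte) bool {
	return ed25519.Verify(r.pubKey, []byte(req), sig)
}

// scenario plays out the thread's three cases; the request is a constructed sample.
func scenario() (holder, pubOnly, keyReplaced bool) {
	holderPub, holderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := &tagRecord{pubKey: holderPub}
	req := "TAG=EXAMPLE-TAG op=delete domain=example.co.uk"
	// 1. The real holder signs with their private key: accepted.
	holder = rec.acceptRequest(req, signRequest(holderPriv, req))
	// 2. The public key alone (what the summary page shows) cannot produce
	//    a valid signature; a signature under any other key is rejected.
	pubOnly = rec.acceptRequest(req, signRequest(attackerPriv, req))
	// 3. Account takeover that swaps the key on file for the attacker's
	//    own public key makes the attacker's signature verify.
	rec.pubKey = attackerPub
	keyReplaced = rec.acceptRequest(req, signRequest(attackerPriv, req))
	return
}

func main() {
	fmt.Println(scenario())
}
```

The third case is the one that matters for the account login, not the key display: protecting the ability to change the key on file is what keeps the automaton safe.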