Membership is FREE, giving all registered users unlimited access to every Acorn Domains feature, resource, and tool! Optional membership upgrades unlock exclusive benefits like profile signatures with links, banner placements, appearances in the weekly newsletter, and much more - customized to your membership level!
Sedo - Global Domain Report Survey 2025

Nominet's new online system (Security Issue?)

Status
Not open for further replies.
R

retired member 1

Joined
Apr 15, 2005
Posts
634
Reaction score
15
I was just taking a look around the new Online Service site that launched a few weeks ago and one thing struck me.

If you go to Tag Holders --> Summary

You will notice this field:

PGP Keys
#1: XXXXXXXXXXXXXXXX

My understanding of it is that to use the Automaton all you need is this key and it's not IP based like the DAC.

So what's to stop someone gaining access via brute force or by the many other various ways (SQL Injection etc), obtaining the PGP key and having a field day deleting or changing someones domains?

I know it's a pretty stupid question, as that's the same for any registrar anywhere, but before having your own tag has to be one of the most secure ways of holding your domains.

Is there any need for this information to be on the site?, I know personally I would prefer it not to be there.

What does everyone else think?
 
I think they are inviting trouble.

Always have been.

-aqls-
 
nominet only hold your public PGP key.

to be able to generate proper forged automaton requests you would also need the tag holders private key.
 
Last edited:
Yeah.

So if someone bruteforce your password, he can upload a fake public key and then control your TAG with it's private half.
 
vizzy said:
So if someone bruteforce your password, he can upload a fake public key and then control your TAG with it's private half.
Click to expand...

that woudn't work - you need both the public and private key to be able to PGP sign a message.

having just the public key is useless :)
 
Dr Viz is saying that brute the online system, upload a totally new keyset ... which would mean you have public and private keys and then could do anything you want.
 
rob said:
Dr Viz is saying that brute the online system, upload a totally new keyset ... which would mean you have public and private keys and then could do anything you want.
Click to expand...

ahh i should read posts more thoroughly... i didnt realise you could upload new ones... now that is dodgy...
 
Status
Not open for further replies.

Similar threads

it.com
it.com How to Fix “Your Connection To This Site Is Not Secure” Issue: A Guide for Website Owners
Replies
0
Views
215
it.com
it.com
it.com
it.com it.com Domains at the Cybersecurity Conference CyberChess in Riga
Replies
0
Views
143
it.com
it.com
it.com
it.com 8 Ways to Extend Your Trademark Online with Domain Name Registration
Replies
0
Views
130
it.com
it.com
Acorn Newsbot
Nominet How would you create a kinder online world?
Replies
0
Views
227
Acorn Newsbot
Acorn Newsbot
J
New questions plus Have I messed up? uk2.uk was available...
Replies
4
Views
383
Jam
J

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members online

Total: 785 (members: 7, guests: 778)
IT.com

Premium Members

Sedo
Aucdom Auctions
dot Hiphop

Latest Comments

Upcoming events

New Threads

Other domain forums

Other domain forums.
Global
Asia
Europe
North America
Oceania & Australia

Our Mods' Businesses

DomainUI Mod
*the exceptional businesses of our esteemed moderators
DDCamp Alsace Domain name conference - March 21, 2025 - Strasbourg (France)
General chit-chat
Help Users
  • No one is chatting at the moment.
      There are no messages in the current room.
      Top Bottom