Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: Peter W <peterw () usa net>
Date: Fri, 8 Jun 2001 16:06:02 -0400
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
> While crypt password authentication is not in and of itself very secure,
> Network Solutions have made it even less so by including the first two
> characters of the password as the salt of the encrypted form. While the
> password is transmitted via a secure session, the encrypted form is
> returned almost immediately in a non-encrypted www session. Also, this
> password is typically emailed back and forth to the user no less than two
> times (and often times more). This allows several opportunities for
> someone to observe the encrypted password, this in and of itself is not
Plus when you submit a change request template, your email contains the
plaintext password. :-(
And that's the problem: not the crypt routine, but the cleartext data xfer.
> Do not use the Crypt-PW authentication-scheme. Instead use the MAIL_FROM
> or PGP scheme.
If someone attempts to make changes to a domain with a Network Solutions
old-style admin or billing handle, Network Solutions will email the
responsible handle's address. With MAIL_FROM, the email address is available
via a whois query. Easily obtained, easily spoofed, and if you get cracked,
you have to get NetSol involved to clean up. *Do NOT use mail_from!!!*
You're in just as much trouble if someone gets your encrypted NetSol
CRYPT-PW password. But, unlike the email address, the encrypted password is
not readily available. An attacker without the encrypted password can only
attempt to guess the password. And the attacker must send a change request
to test their guess. And you get emailed each time they try. The only
effective way to crack a CRYPT-PW handle is to sniff the email channel [so
the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].
Which gets us to footnote : for many months, Network Solutions has been
using a fully Web-based system for domain/handle maintenance.
So to the extent you're concerned about CRYPT-PW, I'd suggest two viable
alternatives: change the authentication method to PGP (very easy), or create
new NIC handles for the Web-based management system and transfer your
domains' contact handles to the Web-based handles. Those with many domains
will likely find the Web-based interface annoying, especially for batch
But for goodness' sake, do *not* use MAIL_FROM !!!
> If you must use CRYPT-PW then the following suggestions are recommended:
Changing your password means sending the cleartext value to NetSol via
email. So changing your password involves risk. :-(