On Tuesday 03 April 2007 18:35, Donald Stahl wrote:
> The problem here is that the community gets screwed, not the guy paying $8.95. If he was getting what he paid for, well, who cares. The problem is everyone else.
At the risk of prolonging a thread that should die.... Gadi forwarded a post suggesting DNSSEC is unneeded because we have security implemented elsewhere (i.e. SSL). Thus how does it affect me adversely if someone else registers a domain, if I don't rely on the DNS for security? Much of the phishing I see is hosted on servers that have been compromised; I guess that is cheaper than the $8.95 for a domain. If there is evidence that domain tasting is being used for abusive practices, I'm sure the pressure to deal with it will increase. Much as I think the practice is a bad thing, I don't see it as a major security issue.

The reason domain registration works quickly is that it was a real pain when it didn't (come on, it wasn't that long ago). People registering domains want it up and running quickly, as humans aren't good at the "I'll check it all in 8 hours/2 days/whatever". I'm sure prompt registration/activation/changes of domains is in general a good thing, resulting in better DNS configurations.

Sure, it is possible domains will be registered for abusive activity and discarded quickly, with a difficult path in tracing such. But if there is some sort of delay or grace period it won't make a difference. When domains took days to register, spammers waited days. I don't suppose phishers are any less patient.

Validation of names, addresses, and such like is impractical, and I believe inappropriate. There is a method for such validations (purchase of SSL certificates), and even there the software, methods, and tools are pitiful. Why should the domain registrars be expected to do the job (or do it better?), when it could be equally argued that ISPs are in a better position to police the net. The credit card companies are good at passing chargeback fees to the vendor, so be assured that if people are using fraudulent credit card transactions, the domain sellers will have motivation to stop selling them domains.
The essential problem with Internet security is that there is little comeback on abusers. There has been obvious and extensive advance fee fraud run from a small set of IP addresses in Europe, using the same national telecom provider as a mail relay, and it took 4 years to get any meaningful action (I assume the recent drying up of such things was a result of action; the fraudster may just have retired with their ill-gotten gains for all I know!). There are specific technical and market issues, but without any real-world policing, the abusers will keep trying till either they succeed or go bust. If they succeed they may well go on to become part of more organized abuse.

The other problem is that there is no financial incentive for ISPs to do the "right thing". Domain registrars, on the other hand, can cancel a domain and get another sale from the same abuser, so they have a financial incentive to clean up. If ISPs close an account, the person will likely just switch ISP. A classic example I commented on recently was "Accelerate Biz", unrepentant spammers (at least their IP address range is from here, either that or so thoroughly incompetent they might as well be). Their inbound email service is filtered by "Mail Foundry", but despite being an "antispam" provider, Mail Foundry have no financial incentive to stop providing services to these spammers. Till companies (ISPs included) are fined for providing such services, so it isn't profitable, we'll be spammed.

Port 25 SYN rate limiting isn't that much harder than ICMP ;)

Simon, speaking in a personal capacity; views expressed are not necessarily those of my employers.