

Gandi registrar giving away usernames in WHOIS - jmilkbal

If you've registered a domain through Gandi, the WHOIS information readily divulges your account handle and Gandi support refer users who've forgotten their handle to refer to it. Registries don't necessarily include all the information a registrar sends, but going to Gandi's WHOIS server directly never fails to give all the information and handle. I've submitted a customer service complaint about the issue.

    When looking at the whois information for domains registered through Gandi the Gandi handle is included. Other registrars do not include the usernames holding the domains. Gandi showing this information is an *extreme* security issue. Rather than guessing the username, the registry lays it out explicitly for all to see.

I encourage others to contact them as well.
======
dangrossman
This is the least of the downsides of choosing Gandi... like not being able to
run any kind of UGC site (including simply hosting blog comments), not being
able to discuss hacking of any type on any domain registered through them, not
being able to host any kind of adult content, not being able to host any
content that might offend anyone...

Have you read the service agreement? Particularly the part about upholding
their ethical code and guaranteeing that anyone else you allow to publish
content will uphold that code?

~~~
jmilkbal
The EFF using Gandi is enough of a blessing for me. I've also never heard of
Gandi enforcing their ToS in that manner. I did quite a lot of research on
Gandi before choosing them. Finding complaints about their behavior is
difficult.

------
resistor3672
I work for Gandi in the US (full disclosure, here). We have been looking at
this issue in particular lately. There are a few ways we can beef up login
security, but the bottom line is that it's a balance between that security and
the inconvenience of lost login names. Many, many people forget their logins,
and this makes it easy to retrieve. This is more of a problem with accounts
that you log into once a year or two, like registrars (Hint: use password
storage software!). That being said, we are actively working on a more
convenient way to configure logins to provide security than this legacy
method. I expect we will be addressing this in the next couple of months.

------
jmilkbal
Response from Gandi support:

    
    
      Thank you for your feedback. 
    
      This is due to the way our system was originally designed with some registrars. Indeed, this is not the case for all the extensions and varies according to which registry is returning the whois information. 
    
      However we agree that it might cause issues so we are currently working on a new authentication system to fix this. This new system should be released in a few months from now. Thank you for your patience and for your understanding. 
    
      If you have any further questions, please let me know.

