
Zero-confirmation inter-account transfers of .uk domains with eNom - fanf2
https://m.pr/enom-advisory-20170901.html
======
taspeotis
The timeline at the end is painful reading, especially with the time delta.

    2017-09-01 (+122 days) - Errata made public and notification sent to NameCheap and Nominet.
    2017-09-02 (+122 days and 9 hours) - eNom disable inter-account .uk transfers

122 days notice to achieve nothing meaningful and then ... 9 hours once it
goes public.

~~~
justinjlynn
This is precisely why full disclosure is a valid and correct option once the
vendor has shown that they are either unwilling or unable to address the
security concern in a timely and/or competent manner.

------
lol768
This was really poorly handled on eNom's part. No bug bounty programme,
inability to comprehend the problem, ticket closed without resolution and then
they only fixed the issue after their hand was forced.

I, for one, will be transferring all my domains away from eNom. This sort of
response to a critical issue is just inexcusable.

~~~
unkown-unknowns
I've tried a bunch of different registrars and ended up with gandi.net whom
I've been with for several years now and am very happy with. Switch to gandi.

~~~
djmobley
Gandi are expensive and I had a nightmare experience where they literally lost
one of my domains on an inward transfer.

Customer service was unhelpful and downright rude.

Never had any problems with Namecheap.

~~~
Karunamon
Namecheap has a good service but their lack of proper 2 factor auth (opting
for only SMS which is really broken[1] rather than proper TOTP) scared me away
a while ago.

After raising this issue last February, they said it was coming soon. A year
and some more of no action later, I transferred all my domains out since using
known-broken security apparently isn't a priority for them, and it probably
reflects in other and harder-to-see ways.

[1]: https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication

~~~
djmobley
It's not full TOTP support, but they do now offer 2FA via an Authy OneTouch
implementation.

~~~
Karunamon
I did not know that! Looks like[1] it went live back in July. I still wish
they'd have used TOTP rather than this onetouch thing that's restricted to a
single app, but just about anything was better than SMS, so this is a welcome
development.

[1]: https://blog.namecheap.com/announcing-onetouch-2fa/

------
pricechild
Nominet don't do any verification when these transfers are made.

Most registrars I've checked don't do any verification themselves either.

Here's an example of the race conditions many registrars fall to:
http://blog.pricechild.co.uk/2016/06/uk-domain-transfers-are-scary.html

Nominet allow you to enable 2fa on your account but this means sweet fa. It
doesn't stop transfers by other actors.

------
sitepodmatt
The handling of this is so fcked, respect to you for remaining patient and
persistent. How could they possibly forget to implement some authentication
for transfers in 2017? I love how it took 122 days of brain dead support
tennis, then only 9hrs to fix after going public - then again 9hr response to
this is also pretty bad considering

I'm really reconsidering if I want to keep anything in Namecheap going
forward.

~~~
themgroup
We did lose our temper to be honest, however we could only publish the errata
once our domains were transferred away which took 6 weeks or so to complete.
We've moved to Gandi if you were after a recommendation!

------
0x0
This reflects extremely poorly on eNom and NameCheap. I might consider moving
the domains I have with them now...

~~~
blibble
good luck if it's a .uk domain, I tried moving a couple of mine away and
eventually had to force the transfers through nominet, which cost me money!

thankfully .uk domains have this option, otherwise I would have been screwed

their support kept saying "its the fault of the registry"... I did a test from
another supplier for transferring a .uk domain and it went through
instantaneously

66 days after I forced the transfer I received the email from namecheap saying
"domain transferred out"... what the hell

namecheap's systems appear to be antiquated and the support are worse than
useless

I would advise anyone avoids "resellers" for domains, at least if you go
directly to the registrar there's one level of bullshit removed

~~~
sitepodmatt
This could be Nominet's fault. Years ago as a registrar you had to send PGP signed
emails to some Nominet automated address to make changes or register UK
domains; it was clumsy, slow and you had to maintain the state on your side.
Nominet then got some independence, a CTO, a sales/business dev department
dedicated basically to domain snipers, and Oracle got tons of money
(it was one of the giant Sun mainframes if I remember correctly) and it was still
a PITA. This was 15 years ago; apparently it is still a train wreck. When you
start making decisions on the golf course it's very difficult to recover.

~~~
0x0
This is interesting. I know that some TLDs have very antiquated, 100% manual
management of registrations and transfers, although I wasn't aware that .uk
was one of them. So to be fair it might not be eNom's fault.

The timeline with over 122 days before any useful action was taken, coupled
with the apparent misunderstanding and LOCKING of the reporter's account,
still reflects extremely poorly on eNom's support department.

~~~
sitepodmatt
Internic used to send you a paper invoice a few months after registering a
.net; you then had to tear it off and send a US$70 check to them, and this
applied if you were in the UK too. That all changed with joker.com IIRC.
Nominet's system was just poorly engineered, slow (occasionally took hours) and
downright nasty to use in an end-to-end automated fashion: parsing emails
for clues of errors etc. The Oracle upgrade was just OTT for a system
managing maybe 5m domains at the time (not an NS provider, although maybe they
managed a root), the early-2000s version of big data, big money and loads of
golf (I'm guessing on the golf).

------
tinus_hn
Awful. There should be a way to force companies that are so clearly in the
wrong into compliance.

------
themgroup
Cheers for submitting this again Tony! :)

