DomainTools.com Can't Be Trusted...!

Status
Not open for further replies.

compuXP

Level 4
Legacy Platinum Member
Joined
Oct 12, 2005
Messages
114
Reaction score
0
Anybody else notice this at registration at www.domaintools.com (the former whois.sc site) ...?

SCREENSHOT: http://img199.imageshack.us/img199/1429/stupiddomaintools5oa.jpg

The screenshot I took and captions I added explain it all really...

Are our passwords encrypted in their database? This is now what, 250,000 DomainTools.com users? How many of them are at risk? Shouldn't they DO something about this?

-Matt
 
jdk

DNF Addict
Legacy Exclusive Member
Joined
Jul 23, 2004
Messages
6,350
Reaction score
24
Do you have a pay account or free account?

When you get to the upgrade form it changes to https since it is transmitting sensitive data.

Sure they could confirm an account without having the info you posted in the URL, but it doesn't matter. If someone wanted to take my email or password for domain tools, go ahead. They won't get much except 10 IP lookups per day.
 

compuXP

Level 4
Legacy Platinum Member
Joined
Oct 12, 2005
Messages
114
Reaction score
0
Free. What does that have to do with things? Maybe I use that password for other things too (not everything; just some things) .... you think the pay account would be "more secure"...?
 

typeins

DNF Regular
Legacy Exclusive Member
Joined
Dec 23, 2004
Messages
795
Reaction score
0
Don't use them then, I guess.
 

Bender

Bending
Legacy Exclusive Member
Joined
Apr 16, 2004
Messages
1,737
Reaction score
0
Are our passwords encrypted in their database?
A simple test to find out is to use the "Forgot password" tool. If you receive the password via email, it was not stored in an encrypted form.
As a rule, never share a password for multiple sites.
Use your own algorithm when you create your passwords, i.e.:
-password_text1-DNF-Password_continues
-password_text1-yahoo-Password_continues
-password_text1-whois.sc-Password_continues
This is a simple algorithm, you can create your own.
Always make sure the pass gets sent via https.
 

compuXP

Level 4
Legacy Platinum Member
Joined
Oct 12, 2005
Messages
114
Reaction score
0
Oh, great. So blame the user for the site's fault of broadcasting your passwords? As a web developer, I am FIRMLY against this. The user shouldn't have to worry about it.
 

jdk

DNF Addict
Legacy Exclusive Member
Joined
Jul 23, 2004
Messages
6,350
Reaction score
24
compuXP said:
Maybe I use that password for other things too (not everything; just some things)

There is your problem right there. Sure it could not be displayed there, but not something "I wouldn't trust them" over.

compuXP said:
you think the pay account would be "more secure"...?

You are only talking about registration. When you go to login you won't have any of that in the address bar.

typeins said:
Don't use them then, I guess.

Just more bandwidth for me to do my checks with.
 

SouthernTn

Level 8
Legacy Exclusive Member
Joined
Feb 7, 2005
Messages
2,025
Reaction score
0
No one is blaming you. When signing up at any website, be careful with the passwords you're using, JUST IN CASE something like this happens.
 

jdk

DNF Addict
Legacy Exclusive Member
Joined
Jul 23, 2004
Messages
6,350
Reaction score
24
I hope DT doesn't take the title of your thread as slander.
 

Ian

DNF Exclusive
Legacy Exclusive Member
Joined
Mar 26, 2006
Messages
1,616
Reaction score
5
I'm also a victim of the domaintools website if what you claim is true, since I've signed up an account with them. But to whom do we complain when this website is obviously compromising on confidentiality of its members?
 

Bender

Bending
Legacy Exclusive Member
Joined
Apr 16, 2004
Messages
1,737
Reaction score
0
I think you are exaggerating a little.
Unless you send sensitive information, like credit cards or SSN, unencrypted connections are "normal", i.e. before using the client-side encryption, all vBulletin based sites were like this, and phpBB sites still are.
The fact that you don't see the password in clear text in the URL does not mean the bad guys can't.
DomainTools used GET, while most of the passwords are sent via POST - both can be easily read by someone monitoring your web traffic with sniffers.
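
Added example, not part of the original thread or any poster's code: a sketch of what the GET registration form means on the server side, where the password also lands in access logs and in the Referer of later requests, while a POST body is not logged. The parameter names, the `example.test` host and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (an assumption; match them to your forms).
SENSITIVE = {"password", "passwd", "pass", "pwd"}

# Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<proto>[^"]+)(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>" "[^"]*")$'
)

# Constructed sample lines: registration via GET, a follow-up request whose
# Referer repeats that URL, and the same registration via POST.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2006:10:00:00 +0000] "GET /register?email=a%40example.test&password=hunter2 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.7 - - [01/Jan/2006:10:00:01 +0000] "GET /logo.gif HTTP/1.1" 200 900 "http://www.example.test/register?email=a%40example.test&password=hunter2" "UA"',
    '203.0.113.7 - - [01/Jan/2006:10:00:02 +0000] "POST /register HTTP/1.1" 200 512 "-" "UA"',
]

def redact_url(url):
    """Return (url with secret values masked, names of secret parameters found)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return url, []  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_line(line):
    """Mask secrets in one log line and report where they appeared."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    target, in_request = redact_url(m["target"])
    referer, in_referer = redact_url(m["referer"])
    findings = [("request", k) for k in in_request] + [("referer", k) for k in in_referer]
    clean = f'{m["pre"]}{m["method"]} {target} {m["proto"]}{m["mid"]}{referer}{m["post"]}'
    return clean, findings

if __name__ == "__main__":
    for line in SAMPLE:
        print(scan_line(line))
```

Switching the form to POST removes the password from the URL, the logs and the Referer; it does not protect it on the wire without HTTPS.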
 

jdk

DNF Addict
Legacy Exclusive Member
Joined
Jul 23, 2004
Messages
6,350
Reaction score
24
A victim? This isn't anything to worry about. :pop2:

IT Web Team has the right perspective. No worries all.
 

westerdal

Level 1
Legacy Platinum Member
Joined
Feb 21, 2005
Messages
10
Reaction score
0
Thanks for pointing the GET request out, I will have someone change it to a POST request. If you notice something in the future, we have a support website at http://support.domaintools.com/

Feel free to just let us know directly. I don't want to call you an alarmist but the type of request method is a little overboard for a post on a forum. Just send us an email.
 

anything

New Member
Legacy Platinum Member
Joined
Jul 28, 2006
Messages
2
Reaction score
0
Good advice, I used domaintools every day.
 

Preoccupy

Level 6
Legacy Gold Member
Joined
Mar 19, 2004
Messages
636
Reaction score
0
Thank you for the good and valuable information!
 

NameAlot.com

Level 7
Legacy Platinum Member
Joined
May 1, 2004
Messages
791
Reaction score
0
Domaintools is an awesome site.... a simple email is all that was warranted.... I think this post is overboard and a little slanderous if you ask me.
 

ColdGin

Level 8
Legacy Platinum Member
Joined
May 30, 2006
Messages
1,533
Reaction score
2
I use domaintools a lot and didn't know that.... Seems to me, as one here said, that this is not to worry if you only use this kind of information and not credit card info or other critical info...

The info they give the subscribers users are very basic and nothing private. All that stuff can be searched in other websites.
 