Domainz.net.nz security

Forums › IT Pro and developers › Domainz.net.nz security

Jeeves

301 posts

Ultimate Geek

#171160 8-Apr-2015 15:24

So I just signed up with domainz to register a domain, thinking they have been around for ages and pretty trustworthy.

1) Their credit card sign up page is not secured.
2) They sent me my password in plain text in my signup email! This obviously proves that they don't encrypt the passwords on their database, and to send it over email?

Wondering if this is grounds enough for me to request that they refund my purchase?

1 | 2

2096 posts

Uber Geek

#1279096 8-Apr-2015 15:31

Domainz continue to drive me utterly mad every time I have to deal with them. Account managers that take days to respond to an email, 20+ minutes waits on phone. We are not a small customer, we have 250+ domains.

Regarding password in email - they may capture it when you sign up and email, then encrypt and store in DB. But I may be giving them more credit than they deserve.

I would strongly recommend against putting your cc details into an unsecured form, ever.

They also get you to phone for ANYTHING registrar related - very little possible online - it is mental in 2015 I have to spend an hour on the phone to transfer a domain.

1stdomains in comparison I transferred 8 domains online, in under an hour.

Jeeves

301 posts

Ultimate Geek

#1279099 8-Apr-2015 15:34

Hmm. Damn. I've registered my domain with them - is there a cool off period etc or can they now hold it ransom? I want to cancel my account now :(

timmmay

20580 posts

Uber Geek

Trusted

Lifetime subscriber

#1279111 8-Apr-2015 15:53

You can move domains easily, any time, from any reputable registrar. In NZ I think you just need the UDAI code and transfer it anywhere.

mattwnz

20155 posts

Uber Geek

#1279112 8-Apr-2015 15:53

If you just registered a NZ domain, you can cancel it within 5 days anyway. Not sure if they are required to give a refund though, although most NZ registrars do refund if you cancel a NZ domain within 5 days. You would need to ask them.

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1279121 8-Apr-2015 16:16

2) doesn't prove passwords are not encrypted but at least makes it more likely any enc is not one way if it exists at all.
1) is this even allowed by cc com's? Sure it's not a frame? Look at source.

Check the facts before conclusions.

geocom

594 posts

Ultimate Geek

Subscriber

#1279124 8-Apr-2015 16:19

Jeeves: 2) They sent me my password in plain text in my signup email! This obviously proves that they don't encrypt the passwords on their database, and to send it over email?

There is no way you can come to this conclusion.

You send the server your password in plain text(SSL encrypts this between you and the server.)

So when you sign up or login the server receives your password if it encrypts it, it can still email you the password in plain text as it has it from the request you sent it.

Its not a good thing to do as email is not encrypted anyway but it does not prove that the server stores your password in plain text.

If on the other hand you happen to tell them you have lost your password and they send it to you or tell you it then yes the password is stored in plain text or a weak encryption method that allows them to decrypt it themselves.

Geoff E

wasabi2k

2096 posts

Uber Geek

#1279132 8-Apr-2015 16:27

Jeeves: Hmm. Damn. I've registered my domain with them - is there a cool off period etc or can they now hold it ransom? I want to cancel my account now :(

You can transfer to another registrar pretty much for nothing - just need the UDAI - which Domainz can generate for you.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Note that to use Quic Broadband you must be comfortable with configuring your own router.

kiwitrc

4123 posts

Uber Geek
Inactive user

#1279160 8-Apr-2015 16:53

Ha, I got an email from Zeald to say one of their staff had copied details of its clients and was threatening to contact them. They gave details on how to change passwords etc for accounts.

Just shows even the best security amounts to nothing if someone decides to walk out with your details.

robcreid

243 posts

Master Geek

#1279170 8-Apr-2015 17:14

I moved off them some time ago.
I didn't trust them after they got hacked.
What annoyed me the most was not that they got hacked but that I only found out about it via the tech press. There didn't appear to be any customer communication about it.

MackinNZ

450 posts

Ultimate Geek

Lifetime subscriber

#1279186 8-Apr-2015 17:52

Move your domain to Metaname. Great service & support. Easy DNS management. Low cost.

Jeeves

301 posts

Ultimate Geek

#1279442 9-Apr-2015 08:42

Thanks, I'll move the domain asap and dispute the charge.

For those assuming that I don't know the facts etc:

They sent my email in plain text. I am aware that they can encrypt it after sending the email, so I did a password reset to double check and lo and behold, they sent my password and username AGAIN in plain text. Ergo, my password is not encrypted on their DB.

The credit card page is encrypted I should add - with TLS 1.0, MD5 and RC4 128. All of these are considered completely insecure these days, so as far as I am concerned, the CC page is not encrypted.

Edit: Boo. I have to wait 5 days before transferring the domain.

alasta

6704 posts

Uber Geek

Trusted

Subscriber

#1279486 9-Apr-2015 09:33

I used to work for Domainz up until about five years ago. I won't go into detail about their back end systems or processes in a public forum, but if anyone really needs to know about this then feel free to PM me.

As I understand it you have two options:
- Cancel the registration within five days and re-register somewhere else. Domainz will not incur any downstream cost from the registry and should refund you, although you may encounter some resistance.
- Leave the registration active and transfer it to another registrar. Your payment to Domainz will not be refunded, but the new registrar will honour the registration term that you originally paid for and you will pay them the next time the renewal is due.

itxtme

2102 posts

Uber Geek

#1279511 9-Apr-2015 10:14

Jeeves: Thanks, I'll move the domain asap and dispute the charge.

For those assuming that I don't know the facts etc:

They sent my email in plain text. I am aware that they can encrypt it after sending the email, so I did a password reset to double check and lo and behold, they sent my password and username AGAIN in plain text. Ergo, my password is not encrypted on their DB.

The credit card page is encrypted I should add - with TLS 1.0, MD5 and RC4 128. All of these are considered completely insecure these days, so as far as I am concerned, the CC page is not encrypted.

Edit: Boo. I have to wait 5 days before transferring the domain.

What Alasta said, you dont need to cancel or dispute the payment. Get the UDAI, use it at new registrar- pay nothing more until it comes up for renewal again..

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1279675 9-Apr-2015 14:36

Hmm. I wonder if they are subject to pci-dss requirements.

I'm curious what platform & browser you are using.

mattwnz

20155 posts

Uber Geek

#1279713 9-Apr-2015 15:13

Jeeves: Thanks, I'll move the domain asap and dispute the charge.

For those assuming that I don't know the facts etc:

They sent my email in plain text. I am aware that they can encrypt it after sending the email, so I did a password reset to double check and lo and behold, they sent my password and username AGAIN in plain text. Ergo, my password is not encrypted on their DB.

The credit card page is encrypted I should add - with TLS 1.0, MD5 and RC4 128. All of these are considered completely insecure these days, so as far as I am concerned, the CC page is not encrypted.

Edit: Boo. I have to wait 5 days before transferring the domain.

I am just wondering why you are wanting to dispute the charge? You got the domain which is the product you paid for, and the domain is a commodity, so that is all your money got you. eg. The right to use that domain name for the period you paid for. Just transfer it if you are not happy with the service or their control panels for managing it . Alternatively if you have an issue with the registrar, you should contact the Domain Name Commissioner, and they can look into any possible security issues, as the registrars have to meet their standards.

1 | 2