
Does Whois.com have bad security?


james haw

This is just my opinion. Feel free to debate.

_____________________________________

TL;DR:
Whois.com does not use encryption (SSL) on any page, not even login/registration.
Their interface is terrible.
They impose password restrictions which reduce security, and potentially store them in plain text.
_____________________________________



I had to sign up to receive a name bought in a NP auction, however clicking "create new account" I realised there was no encryption (SSL). This means anything I type, including my username and PASSWORD is sent around the Whois.com servers and the entire internet in plain text!

It's not particularly trivial to obtain this data, and then simply log in as me (or you if your details were captured)!

The entire site is not encrypted, list of all domain names, login page, order pages, etc.


I know people grumble about Namecheap (interface issues, limited bulk options) and Godaddy (clunky 10-year-old interface etc), but at least they have entire-site encryption and two-factor login.


Adding to that is the insecure password criteria:
During the registration process I kept getting the message:
Whois.com registration page said:
The password should contain alpha numeric characters.
After trying various things, I went to their knowledge base to see if I could find the password criteria, and sure enough:

Whois.com knowledge base said:
  • Allowed Password length is 8 to 15 characters.
  • Use a combination of capital and lowercase letters, with punctuation marks, special characters and numbers.
  • Change the Password on a regular basis.
  • Avoid Password that contains personal information (name, birth place, etc.) or dictionary words.
  • Avoid using repeating characters (aaaaaa), keyboard patterns (asdfgh) or sequential numbers (123456).
  • Do not disclose your Password to anyone.
  • While setting a new Password, you may not re-use the current Password or the previous Password.

So the error message was wrong, as when I reduced my password to 15 chars (and of course grossly reduced its security) I could register fine.

There is no reason for this at all; the restriction is an insecure approach and makes me suspect the passwords are stored in plain text (i.e. varchar). Although this is speculative, hashing methods always produce the same length based on the hashing config, regardless of the length of the raw/user-entered plain-text password.


The site has other issues, like a missing space in some text, many functions opening a new window (wut?), and bad wording.
Such as:
Whois.com bulk transfer page (new window) said:
"Transfer upto Thousand's of domain names"
So does that mean I can transfer 999 max? Or what? Is there no limit in your scripts which you can pass on so I know? This is like the ill-informed password requirements.

Ironically, they sell SSL certs to their customers 0_o

The interface is terrible too. It took me ages just to find a list of my domains registered with them. In the end I clicked "List of Orders" after clicking everything, and there were my domains. Orders? They are not orders, they are domain names, or products I already have. Weird.


I thought nothing of signing up originally as I see numerous NP members using them, but I cannot believe people use them when they have no security.



I've given out the info, feel free to take it as you want. The main issue is no encryption, for a login/registration page and other sensitive data.

I would not be surprised at all if at some point someone steals a domain name or everyone's logins (if stored in plain text).
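The post above argues that a 15-character cap cannot be explained by storing a password hash, because a hash is a fixed size whatever the input length. The following is an added example, not code from the original post or from Whois.com, showing that property with the standard library's PBKDF2 and a policy that has a minimum length and only a large anti-DoS byte cap. The parameter values and the sample passwords are constructed for illustration.

```python
# Added example, not code from the original post or from Whois.com. A salted
# PBKDF2 hash is the same size no matter how long the password is, so the only
# upper bound worth having is a generous cap that stops CPU exhaustion on the
# hashing step. In production prefer argon2id or bcrypt from a vetted library;
# the fixed-length property is the same.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000          # OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DK_LEN = 32                   # derived key length in bytes
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 1024     # anti-DoS cap, far above any human-typed password


def password_acceptable(password: str) -> bool:
    """Policy: a minimum length and a very high byte cap, no 15-char ceiling."""
    return MIN_PASSWORD_CHARS <= len(password) and len(password.encode()) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if not password_acceptable(password):
        raise ValueError("password outside policy bounds")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=DK_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    if len(password.encode()) > MAX_PASSWORD_BYTES:
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_length(password: str) -> int:
    """Length of the database record for a given password: constant."""
    return len(hash_password(password))


if __name__ == "__main__":
    short = "Tr0ub4dor&3"                         # 11 chars, constructed sample
    long_ = "correct horse battery staple " * 4   # 116 chars, constructed sample
    print(stored_length(short), stored_length(long_))   # identical record sizes
    print(verify_password(long_, hash_password(long_)))  # round trip succeeds
```

Whatever the column type, a varchar wide enough for this record holds a hash of a 116-character password just as easily as one of an 8-character password; a hard cap of 15 only makes sense if the column is sized for the password itself.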
The views expressed on this page by users and staff are their own, not those of NamePros.
I would suggest that this warning is warranted. Not having any SSL on a site like this is a major red flag, imho.
I don't understand why any site--particularly one with a login form--wouldn't require HTTPS.

Troy Hunt wrote an awesome rant about this issue recently: https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/ (He's the security researcher behind HaveIBeenPwned.com.)

You can actually have most popular browsers hardcoded to only allow access to your domain via HTTPS. Here's our HSTS preload setting in Chrome's source code: https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json?l=1821 It's really easy to do--why aren't more sites doing it?
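The reply above points at the HSTS preload list in Chromium's source. Getting onto that list starts with serving a Strict-Transport-Security header that meets the published submission rules: a max-age of at least one year, includeSubDomains, and the preload directive (the site must also redirect HTTP to HTTPS and serve valid certificates on all subdomains, which a header check alone cannot verify). The following is an added example, not code from the original post, from NamePros or from Chromium, that parses the header as RFC 6797 describes and reports which of those header rules fail. The sample header values are constructed.

```python
# Added example, not from the original post, NamePros or Chromium. Parses a
# Strict-Transport-Security header per RFC 6797 (directive names are
# case-insensitive, values may be quoted, duplicates make the header invalid)
# and checks the header-side preload-list requirements. It does not check the
# HTTP-to-HTTPS redirect or subdomain certificate coverage, which also matter.
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; the minimum max-age accepted for preload


def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {name: value_or_None} for each directive, or None if malformed."""
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue                      # tolerate a trailing ';'
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        if not name or name in directives:
            return None                   # empty name or repeated directive
        value = value.strip() if sep else None
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # quoted-string form is permitted
        directives[name] = value
    return directives or None


def preload_eligible(header: str) -> Tuple[bool, List[str]]:
    """Apply the header-side preload rules; return (ok, list of problems)."""
    problems: List[str] = []
    d = parse_hsts(header)
    if d is None:
        return False, ["malformed or empty Strict-Transport-Security header"]
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        'max-age="63072000"; includeSubDomains',
        "max-age=1; max-age=2",
    ]
    for h in samples:
        ok, why = preload_eligible(h)
        print(f"{h!r}: {'eligible' if ok else 'not eligible'} {why}")
```

Note that the second and third samples would still give browsers some HSTS protection after a first visit; the preload list is what removes the first-visit window entirely, which is why the header has to commit to a full year and all subdomains before submission.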