cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Dangerous default re rDNS

Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Dangerous default re rDNS

‎01-02-2013 6:40 PM

I have always known that any site I visit can see my IP address. But I was genuinely appalled a few minutes ago to discover that if they do a Reverse DNS check on that address, it reveals my account username.
As suggested by Oldjim in reply to this post I have raised a ticket to stop this.
Surely the default should be not to reveal this? There are only two things preventing a hack, the username and the password, and revealing the first severely compromises the customer's security.
Edit - typo.
Message 1 of 81
(17,723 Views)
Reply
0 Thanks
80 REPLIES 80
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Dangerous default re rDNS

‎01-02-2013 7:58 PM

Same here...didn't realise that! But I think it's automated when I requested a static IP.
Message 2 of 81
(2,400 Views)
Reply
0 Thanks
Gus
Aspiring Pro
Posts: 3,240
Thanks: 34
Fixes: 3
Registered: ‎31-07-2007

Re: Dangerous default re rDNS

‎01-02-2013 8:12 PM

raise a ticket and request a rdns change, you can choose what you want within reason or just have it show your IP address
FTTP 500 regrade from Tues 28th November
Message 3 of 81
(2,400 Views)
Reply
0 Thanks
itsme
Grafter
Posts: 5,924
Thanks: 3
Registered: ‎07-04-2007

Re: Dangerous default re rDNS

‎01-02-2013 9:08 PM

Don't you give away your username if you use your PN email address?
Message 4 of 81
(2,400 Views)
Reply
0 Thanks
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

‎01-02-2013 9:30 PM

I don't even know my Plusnet email address  :P.
Message 5 of 81
(2,400 Views)
Reply
0 Thanks
Gus
Aspiring Pro
Posts: 3,240
Thanks: 34
Fixes: 3
Registered: ‎31-07-2007

Re: Dangerous default re rDNS

‎01-02-2013 9:46 PM

anything@username.plus.com
FTTP 500 regrade from Tues 28th November
Message 6 of 81
(2,400 Views)
Reply
0 Thanks
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

‎01-02-2013 11:07 PM

A good reason not to use it then.
Message 7 of 81
(2,400 Views)
Reply
0 Thanks
Oldjim
Resting Legend
Posts: 38,460
Thanks: 741
Fixes: 63
Registered: ‎15-06-2007

Re: Dangerous default re rDNS

‎02-02-2013 11:09 AM

Spotted at TBB - this is the relevant page for requesting a change https://www.plus.net/wizard/?p=wizard&page=22425&wizard_id=38
Message 8 of 81
(2,400 Views)
Reply
0 Thanks
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

‎02-02-2013 11:22 PM

Yes, I saw that as well Jim, and your post saying you had posted it here.
But none of this addresses the basic issue. The default should be to the IP address alone, not the account username. It is simply incomprehensible and very insecure for it to be as it is, without even a warning at request time through the Member Centre.
Message 9 of 81
(2,400 Views)
Reply
0 Thanks
adamwalker
Plusnet Help Team
Plusnet Help Team
Posts: 16,926
Thanks: 867
Fixes: 223
Registered: ‎27-04-2007

Re: Dangerous default re rDNS

‎04-02-2013 10:11 AM

I understand your concern, however nothing at all can be done with a username without its accompanying password. I'm not saying that as an excuse more to belay any belief that it could be seen as a security breach.
If this post resolved your issue please click the 'This fixed my problem' button
 Adam Walker
 Plusnet Help Team
Message 10 of 81
(2,400 Views)
Reply
0 Thanks
Bright
Grafter
Posts: 363
Registered: ‎02-02-2013

Re: Dangerous default re rDNS

‎05-02-2013 9:39 AM

The security of my Plusnet account is protected by two text strings. One is called "username" and the other is called "password". Anyone who knows both can access my account.
With the current default for rDNS on fixed IPs, I potentially reveal my username to every site I visit on the internet. By definition, that therefore reduces the security of my account, although it doesn't breach it. My account is still protected by the complexity of the password I have chosen. Given what we now know about the poor password practices employed by MOST internet users (who are all human, after all), the revelation of the username is significant. It would be good security practice to eliminate this issue.
Message 11 of 81
(2,400 Views)
Reply
0 Thanks
orbrey
Plusnet Alumni (retired)
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Dangerous default re rDNS

‎05-02-2013 2:15 PM

See what you're saying, but this only happens with static IPs which wouldn't really be used by less IT literate people?
Just playing devil's advocate rather than trying to say the idea's without merit, we'll make sure it's passed on.
Message 12 of 81
(2,400 Views)
Reply
0 Thanks
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: ‎07-02-2012

Re: Dangerous default re rDNS

‎05-02-2013 4:19 PM

Quote from: Matt
... but this only happens with static IPs which wouldn't really be used by less IT literate people?.
Even then, IT literate people are unlikely to have a 64-character alphanumeric plus special character password  ;). Several may also ask for a static IP address just so they can run the TBB BQM, (which is my only need for one), without really being particularly savvy.
How many password attempts are allowed before the system locks the account access please Matt?
Message 13 of 81
(2,400 Views)
Reply
0 Thanks
orbrey
Plusnet Alumni (retired)
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Dangerous default re rDNS

‎07-02-2013 9:59 AM

Sorry for the delay in response. I believe it's ten, and then all attempts are blocked and our networks security team are notified directly.
Message 14 of 81
(2,400 Views)
Reply
0 Thanks
gordonsuk
Grafter
Posts: 39
Registered: ‎20-01-2013

Re: Dangerous default re rDNS

‎07-02-2013 10:20 AM

Not wanting to hijack the thread, but I thought this was relevant.
Just had reply to a ticket asking for a change to rDNS, have been told that it does not resolve to the ip. However on checking via several sites they all show it resolves to the correct static ip. Come on Plusnet get it right!!!
Message 15 of 81
(2,400 Views)
Reply
0 Thanks