What's the big deal with the domain name?

Official communications to and from the Canadian Homebrewers Forum management.
Post Reply
User avatar
Posts: 701
Joined: |11 Feb 2011|, 05:11
Favourite Beer: Cold
Location: Hamilton, ON

What's the big deal with the domain name?

Post by XXXXX »

"It's just a brewing forum, not a banking website; What's the big deal if the domain name was in jeopardy for a couple days?"

To be sure, there's no real sensitive content on this website.

We talk about home brewing--not exactly "secret sauce" material.

The risk was that once the control of the domain name was lost, a very easy phishing attempt to steal your usernames and could have easily been made.

How would this work?
- A malicious person gains control of the domain name and sets up a look-alike website at the proper web address (the domain canadianhomebrewers.com)
- A user (you?) browse to the CHB site to check the forum.
- You enter your username and password to log in, but you keep getting "incorrect username or password" errors. (The attacker now has your username, and password--double/triple checked for spelling)
- Assuming you've lost your mind, you click the "reset password link" and enter your email address. (The attacker now has your username, password, and email address)
- After a couple tries, the user fills out a "reset your password" form, and enters his email address (Now the attacker has your email address, password, and username)

Think about your current accounts. Do you re-use any passwords?

It's VERY BAD JUJU (See: https://www.cisecurity.org/reusing-pass ... ple-sites/ ) to use the same password across multiple websites, accounts, emails etc.

However, many people still do it.

With your email address (which sometimes gives a very good guess at your real name), username, and password, a would-be attacker has a great start on gaining access to your other accounts.

Consider someone who uses the same password for his e-mail address. In that situation the attacker can log into your email, and reset your passwords at other websites (and, say, drain your PayPal account).

Suddenly, we have a real issue.

In the case of CHB, there was never a compromise. But the risk was there. This is a good opportunity to reassess your password and security practices. There's lots to learn on Google :)
Mmmm... Beer... *drool*

Post Reply