Ask HN: GANDI registrar refuses to fix security hole. What to do?

2 points by forcer ↗ HN
We are a long-time Gandi customer and have hundreds of domains registered with them. After their last hack when one of our domains was serving malware we started reviewing security of our domains (see last hack here: https://domainnamewire.com/2017/07/15/bad-guys-get-gandi-nets-password-technical-provider-redirect-domains/)

What we discovered was very troubling. We managed to transfer domain out of our Gandi account without any authorization from our side. To make matter worse, that domain was protected using Domain-lock feature.

We of course reported that to Gandi. That was 2 months ago. Since then we communicated with Gandi legal department many times and they say they are looking into this but they say we are wrong.

2 weeks ago our patience run out, we have migrated all domains that can be affected by this hack (again verifying that hack is still not fixed) and contemplating what to do next.

We could leave it of course and just wait if Gandi come to their senses, or wait until something bad happens.

What do you think is the best way to deal with this? I am hoping that if that post gets noticed more they will be forced to prioritize this fix.

1 comment

[ 3.3 ms ] story [ 11.4 ms ] thread
Nothing.

ICANN does not care. I started and ran an ICANN registrar for multiple years, not a reseller, and I can tell you with 100% certainty that ICANN does not care.

As long as you pass Verisign's integration tests, and you pay ICANNs exorbitant monthly and quarterly fees, you can do as you please and ICANN will do nothing.

ICANN is so inept, they continued to bill my company for those fees 2 years after I properly closed the registrar, finally recanting and crediting the closed account to bring it to zero when we threatened legal action and public scrutiny.

Don't waste another breath on this because it will get you nowhere.