Hello to all,

I have my account to ev1domains and on that account I have more domains from my customer. Most of tham are registred to his name, Owner and Admin...

Today one my customer was try to login with his domain name but thay do not know user/pass of my master account for all domains. Wher hi got error page, hi got link to receive lost password to admin mail. After thay click on link, hi was receive my master user/pass and now hi can login and control all domain names on my account.

I was change pass, but hi was again got new one... and only what thing that I'm able to do is to change all Admin contact for all domains to my (email) and now hi is unable to get my new user/pass for my account.

And now if someone want to transfer his domain name, email will be sent to me but it is not good...

I was contact ev1domain about that and here is answer:

Dear Cusotmer,

Nothing now. Either you go into your account and change your UID/PW or you dont. He can leagally take control of the domains as he is the admin contact. There is nothing we can do. I would suggest changing your login information asap.

We appologize for any inconvenience you have experienced.

Nate,
Domain Services
Domains@ev1servers.net

So it's any domain's admin contact email (and only any admin contact email), that can retrieve the domain account password?

I suppose that means I'll either:
1.) have to move all domains with different admin contact emails to separate accounts ASAP, or
2.) set all the admin contacts to my own, leaving the registratant as my customer.

Thanks very much for bringing this quite sizeable issue to our attention.

Yes, you can mode all domains to different account but than you will have a lot of user/pass and if your customer change it, you will no be able to login and renew domain...

Better way is to setup Admin email to you for all domains on you account, or to Ev1 do something...

Is this security issue still present if you register domains for customers (with their email and contact information entered for their domain) through the resellone RWI? Or does resellone solve this?

In ResellOne.net your customers should be setup to have seperate accounts, since you are still able to manage those domains under one interface, the RWI. Since the EV1Servers retail domains were end user accounts, we discouraged any customer who contacted us about using the EV1Servers domains as reseller accounts since they were not designed to act as one. Giving someone admin access to your domain account will give them access to any domain in that account for any registrar, unless you have a reseller account (which until the creation of ResellOne we did not offer).

I wanted to make sure and get something clarified, because I've heard several people from EV1 say that we have the ability to manage our customers' domains through the RWI. Having used OpenSRS for years, I can attest that there is no such flexibility... sure, if I know my customer's username and password, I can log into the manage interface (not the RWI) as them and make any changes I want - but as far as I am aware, there is no way through the RWI to make significant changes to a domain's settings. Sure, you can lock/unlock, and there are things like bulk changes which allow you to update the billing/tech contacts and nameservers on a domain, but you CANNOT update the admin or registrant contact or the username/password for a domain. To accomplish those tasks, you MUST log in to the manage interface which requires the user's username and password - which, by the way, your only option to retrieve is by having it e-mailed to the end user.

Long story short - ResellOne works just as OpenSRS does, except that instead of Tucows being the accredited registrar, it's EV1. If you have any familliarity with how OpenSRS works, it's the same situation here - just insert EV1 in the place of Tucows.

I am not sure when the last time you used the RWI, but under its secure connection you can pull up the domain's username and password very easily. Once you Search Domain to pull up the domain name, there is a button at the top to display the username and password.

Back when I was in charge of all of EV1's internal domains I never found anything easier to use than the RWI.

Dear Aaron, there is no links to SHOW the password. There is a links to send password to Admin or Owner contacts. Could you clarify?

It's the 2nd box at the top of the View Domain screen.

View Registrant Username and Password

the actual link says "get username and password"

The links you are thinking of are under Domain Management and that is not the link I am referring to.

What Aaron is referring to is, once you have brought up a specific domain in the RWI, you have to option to view the u/n and p/w. Ev1servers domains are not set up as reseller accounts, so it is not advisable to add anything but yourself as the owner/admin contact for any domain in your account. The only place that the u/n and p/w can be sent is to the onwer or admin contact.

Don't see any link in the RWI saying "get username and password" neither. Only "Email Login Password to the Admin Contact" and owner contact. And I cannot find anywhere inside the RWI where I can update the whois information for the domain(s). As far as I've seen it's only duable in the end customers interface called "Domain Managment Interface". That one gives me an error today saying "Unable to establish socket"...

I have confirmed that this option is not available at this time, and taken the necessary steps to pursue a resolution. We will let you know as soon as this issue is resolved.

Sounds good Looking forward for things to fall in place. Any news on the broken renewal link in the renewal confirmation emails?

Can you send a copy of the renewal confirmation email to domainmanager@resellone.net.

Looking forward to it. It's not that big of a problem for me, because my clients don't worry about their domains (that's what they pay me for, so I'm the only one that has to worry about usernames and passwords)... but I can see how others, particularly if they intend to retail domains, could have a problem.

This (I think) is the first real case I've seen where EV1 is wanting to do something that is drastically different than the model used by OpenSRS. It'll be interesting to see if it can be resolved - and it will be a test of the true flexibility of the OpenHRS system.

Well I had to enter a new domain to transfer to check if the link was corrected. It seems it has been, so that's good.
However when I click on the link I get the following server response:



One step forward, and two back? Or perhaps I'm doing something wrong? The link in the email is:
https://resellers.resellone.net/transfers/?rid=XXXX

NOTE: If I take away the resellerID (rid=XXXX) the link works, so not such a biggy, but try telling that to the customers... Probably a minor problem. Thanks for following up this Laurie. I will send this in a mail to domainmanager@resellone.net as well.

Well of course it seems it was only ev1 working on this at the exact moment I tried transfering. Today it's all working fine - *and* now it's showing my logo in the online transfer dialogue as long as the customers use the rid=XXXX part of the URL nice! Getting better and better - keep up the good work guys!
*I'm looking so much forward to when the API is released*

Regarding access to your EU login information, we have an ammendment to the contract, for enabling this feature, that will be published as soon as it has been completely reviewed. I expect very soon. As the reseller, as soon as have you sent in this contract we can enable this feature, and you will have this access.

Has the amendment been oficially posted? I see it linked here:
http://www.resellone.net/products/Contract.aspx

Not to hijack the thread, but I also noticed the rate tiers on the site have been adjusted to allow for credit card payments...

Yes, they have. More news on that later...