[jontro]

We were also affected by this on a major e-commerce site. It was a .se domain. Their post mortem isn't really convincing ( https://news.gandi.net/en/2017/07/report-on-july-7-2017-inci... ) since they do not state what really happened and how it can be prevented again.

I issued a support ticket to aws today to see what measures can be taken, otherwise we might need to change registrar.

[vbernat]

There is a more detailed followup today: https://news.gandi.net/en/2017/07/detailed-incident-report/

[vertex-four]

> These credentials were likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal (the web platform in question allows access via http).

This makes no sense - how did the attacker get between gandi.net and their technical partner in order to MITM them? MITMs aren't magic - simply sending an unencrypted password somewhere doesn't result in it becoming public knowledge unless a router or switch in the path is malicious.

[musicnarcoman]

> This makes no sense - how did the attacker get between gandi.net and their technical partner in order to MITM them?

On the top of my head, bgp hijacking perhaps?

> MITMs aren't magic

No. But do not trust the network. Ever.

[vertex-four]

If it's BGP hijacking, there'll be evidence somewhere.

And no, don't trust the network, but "the network isn't trustworthy" is not a diagnosis, only a potential risk factor. "X entity used BGP hijacking to situate their router between me and Y" is a diagnosis.

[sirn]

I doubt changing the registra would change anything, as this seems more likely a problem on the TLD backend side than a problem on the registra itself, since it affect not only Gandi but also Route 53 Domain Registration. I'm under a serious consideration to switch from .ch to something else.

[jontro]

Route53 domain registration uses gandi as a partner.