Post AxL0sMiSmBbmy3AhUm by pmevzek@framapiaf.org
Post #AxKvRI5vLrYT2oPq3U by pypi@fosstodon.org
2025-08-18T17:32:48Z
0 likes, 0 repeats
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/
Post #AxKvRJ7jWcb2EiGnVw by bortzmeyer@mastodon.gougere.fr
2025-08-19T18:54:29Z
0 likes, 0 repeats
@pypi Very good idea. But why use the Domainr API instead of #RDAP directly to the registry?
Post #AxKvbGQAQcx6kYdjPM by bortzmeyer@mastodon.gougere.fr
2025-08-19T18:56:17Z
0 likes, 0 repeats
@pypi And what is a "custom domain name"? Why a special privilege for gmail.com?
Post #AxKwQYxnFRLn1ipUJc by pmevzek@framapiaf.org
2025-08-19T19:05:33Z
0 likes, 0 repeats
@bortzmeyer @pypi Because not all #TLD registries joined the #RDAP fiesta 🙂 ? And in theory even a change of registrant, or maybe even DNS provider (or MX records), should trigger an "emails on this domain are not verified anymore" situation. As it should trigger certificate revocation too, which won't happen (hence shorter lifetimes as a solution).
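The kind of check discussed in this thread, as an added Python example (not PyPI's code): it reads an RDAP domain record, flags a domain that is expiring or being deleted, and flags one whose registration date is newer than the date the email address was verified, which is the resurrection case. The RDAP records below are constructed samples; the field names (`status`, `events`, `eventAction`, `eventDate`) follow RFC 9083.

```python
"""Decide from an RDAP domain record whether an email address on that
domain should be treated as unverified again.

Added example, not PyPI's own implementation. Fields follow RFC 9083.
"""
from datetime import datetime, timezone

# RDAP status values that mean the name is leaving the registry; once it
# drops, anyone can re-register it and receive password-reset mail.
DANGER_STATUSES = {"pending delete", "redemption period", "inactive"}


def _event_date(rdap, action):
    """Return the eventDate of the first event with the given eventAction."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def domain_needs_reverification(rdap, verified_at, now):
    """Return (needs_reverification, reason) for one RDAP domain record."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    if statuses & DANGER_STATUSES:
        return True, "domain is expiring or being deleted"
    registered = _event_date(rdap, "registration")
    if registered is not None and registered > verified_at:
        # The domain was (re)registered after we verified the address:
        # the current registrant is not necessarily the person we verified.
        return True, "domain registered after the email was verified"
    expiration = _event_date(rdap, "expiration")
    if expiration is not None and expiration < now:
        return True, "domain registration has expired"
    return False, "ok"


# Constructed sample records (not real registry data).
HEALTHY = {"ldhName": "good.test", "status": ["client transfer prohibited"],
           "events": [{"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
                      {"eventAction": "expiration", "eventDate": "2027-03-01T00:00:00Z"}]}
RESURRECTED = {"ldhName": "zombie.test", "status": ["active"],
               "events": [{"eventAction": "registration", "eventDate": "2025-08-01T00:00:00Z"},
                          {"eventAction": "expiration", "eventDate": "2026-08-01T00:00:00Z"}]}
DROPPING = {"ldhName": "dying.test", "status": ["pending delete"],
            "events": [{"eventAction": "registration", "eventDate": "2010-01-01T00:00:00Z"}]}
VERIFIED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)   # when the email was verified
NOW = datetime(2025, 8, 19, tzinfo=timezone.utc)


def check_samples():
    """Run the check over the three constructed records."""
    return {r["ldhName"]: domain_needs_reverification(r, VERIFIED_AT, NOW)
            for r in (HEALTHY, RESURRECTED, DROPPING)}
```

In a real deployment the record would come from the TLD's RDAP server (the RDAP bootstrap file at IANA maps TLDs to servers), and a positive result would only revoke the address's verified status, never lock the account outright.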
Post #AxL0ZyqAo4PLhq0lF2 by bortzmeyer@mastodon.gougere.fr
2025-08-19T19:52:06Z
0 likes, 0 repeats
@pmevzek @pypi But the article talks only about ICANN TLDs, which all have RDAP.
Post #AxL0sMiSmBbmy3AhUm by pmevzek@framapiaf.org
2025-08-19T19:55:25Z
0 likes, 0 repeats
@bortzmeyer @pypi So either they forbid people from using email addresses in ccTLDs (bad, and probably not the case), or they consider that population to be better behaved regarding domain zombies (as they resurrect…) 🙂