🚨 Hard Truth Warning 🚨
As I dive into the world of domaining, the security is laughable.
I've worked in high compliance industries for years, like health tech, so I know a thing or two about security.
The problem?
Aftermarkets and portfolio managers wanting API keys and (worse) passwords.
All in the name of convenience: "Sync your data!"
Don't do it. Here's why:
1. If you hand over your password, you are playing with fire in a pool of gasoline. Someone could log in, change the password, and lock you out forever. Goodbye domains.
2. None of the registrar API keys are scoped, meaning they have wide open permissions to do almost anything in your account.
There's the obvious unlock + transfer away, but you'll probably get emailed an auth code and know something is wrong. Usually (no promises) you can't change emails via API.
But a savvy hacker could change your nameservers for phishing.
Say you own loans .com, easily a 7+ figure name. I could switch the NS to my site and trick people into thinking it's for sale at $10k. Accepting only crypto, naturally.
Congrats! Your premium domain is now cursed if Google finds out.
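One defensive control that follows from the nameserver point above: a scheduled check of the NS records your portfolio actually publishes against what the registrar should have, so a silent NS swap gets flagged. This is an added example, not the author's code; the domain names and DNS answers are constructed, and the live lookup assumes the third-party dnspython package.

```python
# Added example: nameserver drift check for a domain portfolio (constructed data, not from the post).
from dataclasses import dataclass


def normalize(names):
    """Lower-case, strip whitespace and trailing dots so 'NS1.Foo.Example.' == 'ns1.foo.example'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n and n.strip())


@dataclass(frozen=True)
class Finding:
    domain: str
    expected: frozenset
    observed: frozenset
    error: str = ""

    @property
    def unexpected(self): return self.observed - self.expected   # NS you never authorized
    @property
    def missing(self): return self.expected - self.observed      # NS that should be there
    @property
    def ok(self):
        # A failed lookup is never "ok": an empty answer is exactly what a hijack can look like.
        return not self.error and not self.unexpected and not self.missing


def check_portfolio(expected, lookup):
    """expected: {domain: [nameservers]}; lookup: callable returning the NS names currently published."""
    findings = {}
    for domain, want in expected.items():
        try:
            got, err = normalize(lookup(domain)), ""
        except Exception as exc:  # resolver timeout, NXDOMAIN, etc.
            got, err = frozenset(), f"{type(exc).__name__}: {exc}"
        findings[domain] = Finding(domain, normalize(want), got, err)
    return findings


def live_lookup(domain):
    """Real resolver for cron use; assumes dnspython is installed (import kept lazy so the demo runs without it)."""
    import dns.resolver
    return [r.target.to_text() for r in dns.resolver.resolve(domain, "NS")]


# Constructed sample: what the registrar should publish vs. what DNS currently answers.
SAMPLE_EXPECTED = {
    "premium-name.example": ["ns1.registrar-dns.example", "ns2.registrar-dns.example"],
    "parked.example": ["ns1.registrar-dns.example", "ns2.registrar-dns.example"],
    "lapsed.example": ["ns1.registrar-dns.example"],
}
SAMPLE_DNS = {
    "premium-name.example": ["NS1.Registrar-DNS.example.", "ns2.attacker-host.example."],  # one NS swapped
    "parked.example": ["ns2.registrar-dns.example.", "ns1.registrar-dns.example."],        # same set, reordered
}  # "lapsed.example" has no answer at all, which must surface as a finding, not silence
sample_lookup = lambda domain: SAMPLE_DNS[domain]  # KeyError stands in for a resolver failure
```

Run `check_portfolio(SAMPLE_EXPECTED, sample_lookup)` to see one OK domain, one with an unauthorized nameserver, and one failed lookup; swap in `live_lookup` for real domains.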
My advice: do not trust any web app with your keys and passwords.
Never ever.
There is no such thing as a 100% secure site.
So don't let your precious secrets leave your laptop!