Google suggests sunsetting WHOIS domain ownership verification


The reign of WHOIS as the way to define domain registration may be coming to a close in the face of security issues that are leading to a growing number of fraudulent Transport Layer Security (TLS) certificates and heightened concern from certificate authorities (CAs) and web browser developers.

After a report from watchTowr showed that criminals could mess with WHOIS records to nab certificates for domains belonging to others, Google has officially suggested winding down the reliance on WHOIS data.

Google, Apple, and Microsoft are all part of the CA/Browser Forum that determines standards, and the group is laying out how to end its WHOIS dependency. Under Google’s proposal, CAs would no longer turn to WHOIS data for domain ownership confirmation beginning in November 2024.

WhoIs Secure?

This is more than just a small technical decision. TLS certificates have defined a large portion of internet security for a long time by encrypting data sent between websites and users to make sure the information goes where it should. They put the “S” for secure in the “HTTPS” protocol. WHOIS data has been key for verifying the ownership and rightful endpoint of that data for a long time, serving as a public directory to both identify and reach a website’s owners. 

But the report from watchTowr showed a big gap in the security of WHOIS. The researchers were able to fake a WHOIS server and fill it with false records for domains ending in “.mobi” because the original server for .mobi domains expired. The imposter WHOIS server successfully scored verification for links even though the researchers did not own the domains. Were they malicious actors, they could employ that method to scrape and steal data from users and websites, not to mention scamming or otherwise tricking people into downloading malware or clicking on dangerous links.

To counter this flawed security, Google charted a shift to other methods of verifying ownership. A popular option on the forum is the Registration Data Access Protocol (RDAP). This is more secure than WHOIS and simpler to implement in some ways, with a consistent verification system for domain ownership records. It also works well with privacy laws implemented after WHOIS rolled out. RDAP would be easier for companies operating under Europe's General Data Protection Regulation (GDPR).

On the other hand, short-term costs would be significant, upsetting smaller businesses in particular. With the vulnerabilities so clearly exposed, however, there's not much clamor to keep things as they are.

So, while there is broad agreement on doing away with WHOIS, the details are still up in the air. The timeline is still under discussion as well. The idea that it can all be done in a little over a month has prompted some skepticism on the forum. If a company has automated email verification using WHOIS, it may take a while to replace it with another approach. Some have suggested pushing back the deadline to April 2025.

Via Ars Technica

Eric Hal Schwartz
Contributor
