Google suggests sunsetting WHOIS domain ownership verification
Faking domain ownership is too easy, Google says
The reign of WHOIS to define domain registration may be coming to a close in the face of security issues, leading to a growing number of fraudulent Transport Layer Security (TLS) certificates and heightened concern from certificate authorities (CAs) and web browser developers.
After a report from watchTowr showed that criminals could mess with WHOIS records to nab certificates for domains belonging to others, Google has officially suggested winding down the reliance on WHOIS data.
Google, Apple, and Microsoft are all part of the CA/Browser Forum that determines standards, and the group is laying out how to end their WHOIS dependency. Under Google’s proposal, CAs would no longer turn to WHOIS data domain ownership confirmation beginning in November 2024.
WhoIs Secure?
This is more than just a small technical decision. TLS certificates have defined a large portion of internet security for a long time by encrypting data sent between websites and users to make sure the information goes where it should. They put the “S” for secure in the “HTTPS” protocol. WHOIS data has been key for verifying the ownership and rightful endpoint of that data for a long time, serving as a public directory to both identify and reach a website’s owners.
But, the report from watchTowr showed a big gap in the security of WHoIS. The researchers were able to fake a WHOIS server and fill it with false records for domains ending in “.mobi” because the original .mobi domains server expired. The imposter WHOIS server successfully scored verification for links despite not owning the domains. Were they malicious actors, they could employ that method to scrape and steal data from users and websites, not to mention scamming or otherwise tricking people into downloading malware or clicking on dangerous links.
To counter this flawed security, Google charted a shift to other methods of verifying ownership. A popular option on the forum is called Registration Data Access Protocol (RDAP). This is more secure than WHOIS and simpler to implement in some ways, with a consistent verification system of domain ownership records. It also works well with privacy laws implemented after WHOIS rolled out. RDAP would be easier for companies operating under Europe's General Data Protection Regulation (GDPR).
On the other hand, short-term costs would be significant, upsetting smaller businesses in particular. With the vulnerabilities so clearly exposed, however, there's not much clamor to keep things as they are.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
So, there is broad agreement on doing away with WHOIS; the details are still up in the air. The timeline is still under discussion as well. The idea that it can all be done in a little over a month has prompted some skepticism on the forum. If a company has automated email verification using WHOIS, it may take a while to replace it with another approach. Some have suggested pushing back the deadline to April 2025.
Via Ars Technica
You Might Also Like
Eric Hal Schwartz is a freelance writer for TechRadar with more than 15 years of experience covering the intersection of the world and technology. For the last five years, he served as head writer for Voicebot.ai and was on the leading edge of reporting on generative AI and large language models. He's since become an expert on the products of generative AI models, such as OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, and every other synthetic media tool. His experience runs the gamut of media, including print, digital, broadcast, and live events. Now, he's continuing to tell the stories people want and need to hear about the rapidly evolving AI space and its impact on their lives. Eric is based in New York City.