The reign of WHOIS to define domain registration may be coming to a close in the face of security issues, leading to a growing number of fraudulent Transport Layer Security (TLS) certificates and heightened concern from certificate authorities (CAs) and web browser developers.
After a report from watchTowr showed that criminals could mess with WHOIS records to nab certificates for domains belonging to others, Google has officially suggested winding down the reliance on WHOIS data.
Google, Apple, and Microsoft are all part of the CA/Browser Forum that determines standards, and the group is laying out how to end their WHOIS dependency. Under Google’s proposal, CAs would no longer turn to WHOIS data domain ownership confirmation beginning in November 2024.
WhoIs Secure?
This is more than just a small technical decision. TLS certificates have defined a large portion of internet security for a long time by encrypting data sent between websites and users to make sure the information goes where it should. They put the “S” for secure in the “HTTPS” protocol. WHOIS data has been key for verifying the ownership and rightful endpoint of that data for a long time, serving as a public directory to both identify and reach a website’s owners.
But, the report from watchTowr showed a big gap in the security of WHoIS. The researchers were able to fake a WHOIS server and fill it with false records for domains ending in “.mobi” because the original .mobi domains server expired. The imposter WHOIS server successfully scored verification for links despite not owning the domains. Were they malicious actors, they could employ that method to scrape and steal data from users and websites, not to mention scamming or otherwise tricking people into downloading malware or clicking on dangerous links.
To counter this flawed security, Google charted a shift to other methods of verifying ownership. A popular option on the forum is called Registration Data Access Protocol (RDAP). This is more secure than WHOIS and simpler to implement in some ways, with a consistent verification system of domain ownership records. It also works well with privacy laws implemented after WHOIS rolled out. RDAP would be easier for companies operating under Europe's General Data Protection Regulation (GDPR).
On the other hand, short-term costs would be significant, upsetting smaller businesses in particular. With the vulnerabilities so clearly exposed, however, there's not much clamor to keep things as they are.
So, there is broad agreement on doing away with WHOIS; the details are still up in the air. The timeline is still under discussion as well. The idea that it can all be done in a little over a month has prompted some skepticism on the forum. If a company has automated email verification using WHOIS, it may take a while to replace it with another approach. Some have suggested pushing back the deadline to April 2025.
Via Ars Technica
You Might Also Like
