WHOIS data is unreliable. So why is it used in TLS certificate applications?:
Certificate authorities and browser makers are planning to end the use of WHOIS data for verifying domain ownership, following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.
TLS certificates are the cryptographic credentials that underpin HTTPS connections, a critical component of online communications: they verify that a server belongs to a trusted entity and allow all traffic passing between it and an end user to be encrypted. These credentials are issued by any one of hundreds of CAs (certificate authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left to the CA/Browser Forum. One "base requirement rule" allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the receiver clicks an enclosed link, the certificate is automatically approved.
Researchers from security firm watchTowr recently demonstrated how threat actors could abuse the rule to obtain fraudulently issued certificates for domains they didn't own. The security failure resulted from a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.
[...] The research didn't escape the notice of the CA/Browser Forum (CAB Forum). On Monday, a member representing Google proposed ending the reliance on WHOIS data for domain ownership verification "in light of recent events where research from watchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates."
The formal proposal calls for reliance on WHOIS data to "sunset" in early November. It establishes specifically that "CAs MUST NOT rely on WHOIS to identify Domain Contacts" and that "Effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify Domain Contact information."
Since Monday's submission, more than 50 follow-up comments have been posted. Many of the responses expressed support for the proposed change. Others have questioned the need for a change as proposed, given that the security failure watchTowr uncovered is known to affect only a single top-level domain.
[...] The proposed changes are formally in the discussion phase of deliberations. It's unclear when formal voting on the change will begin.
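To make the validation path the summary describes concrete, here is an added Python example (not from the article, watchTowr, or the CA/B Forum). It walks a WHOIS referral chain offline using constructed responses, extracts the contact addresses a CA would email, and applies the November 1, 2024 cutover from the proposal as a policy gate. The referral allowlist and the "dns" fallback contact source are assumptions standing in for whatever non-WHOIS method a CA adopts; the key point it shows is that the contact email is simply whatever the referred-to WHOIS host returns, and that host is itself just a registrable domain name.

```python
"""Offline model of WHOIS-based domain-contact lookup and the proposed WHOIS sunset gate."""
import re
from datetime import date

# Constructed sample responses; not real server output.
IANA_RESPONSE = """\
% IANA WHOIS server
domain:       MOBI
whois:        whois.dotmobiregistry.net
status:       ACTIVE
"""

REGISTRY_RESPONSE = """\
Domain Name: EXAMPLE.MOBI
Registrar: Example Registrar, Inc.
Admin Email: whois@contact.example
Tech Email: whois@contact.example
"""

# Date taken from the proposal quoted above: after this, WHOIS contacts MUST NOT be used.
WHOIS_SUNSET = date(2024, 11, 1)

# Assumption: a CA keeps its own pinned list of registry WHOIS hosts instead of
# blindly following the referral. Values here are constructed.
PINNED_REFERRALS = {"mobi": "whois.dotmobiregistry.net"}


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' WHOIS lines into a dict; first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue  # comments / banner lines
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields


def referral_host(iana_fields: dict):
    """IANA answers with the TLD's WHOIS server under 'whois:' (or 'refer:')."""
    return iana_fields.get("whois") or iana_fields.get("refer")


def referral_is_pinned(tld: str, host: str) -> bool:
    """Mitigation: refuse to follow a referral that does not match the pinned host."""
    return PINNED_REFERRALS.get(tld.lower()) == host


def domain_contacts(registry_fields: dict) -> list:
    """Collect the e-mail addresses the WHOIS e-mail method would send a link to."""
    emails = []
    for key in ("admin email", "registrant email", "tech email"):
        v = registry_fields.get(key)
        if v and v not in emails:
            emails.append(v)
    return emails


def select_contact(today_iso: str, whois_contacts: list, dns_contacts: list):
    """Return (source, email) a CA may use on the given ISO date.

    Before the sunset date a WHOIS-derived contact is still allowed; from the
    sunset date on, only the non-WHOIS source (assumed here to be DNS-based) is.
    """
    today = date.fromisoformat(today_iso)
    if today < WHOIS_SUNSET and whois_contacts:
        return ("whois", whois_contacts[0])
    if dns_contacts:
        return ("dns", dns_contacts[0])
    return (None, None)


def lookup_chain(iana_text: str, registry_text: str) -> list:
    """Full chain: IANA referral -> registry record -> contact e-mails."""
    host = referral_host(parse_whois(iana_text))
    if host is None:
        return []
    return domain_contacts(parse_whois(registry_text))


if __name__ == "__main__":
    print("referral:", referral_host(parse_whois(IANA_RESPONSE)))
    print("contacts:", lookup_chain(IANA_RESPONSE, REGISTRY_RESPONSE))
    print("2024-10-01:", select_contact("2024-10-01", lookup_chain(IANA_RESPONSE, REGISTRY_RESPONSE), ["hostmaster@example.mobi"]))
    print("2024-11-01:", select_contact("2024-11-01", lookup_chain(IANA_RESPONSE, REGISTRY_RESPONSE), ["hostmaster@example.mobi"]))
```

Nothing in the chain authenticates the referred-to host; the pinned-referral check is the only step that is not "trust whatever the next server says", which is why the proposal drops the method entirely rather than trying to harden it.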
Previously: Rogue WHOIS Server Gives Researcher Superpowers No One Should Ever Have
Related Stories
It's not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that's exactly what happened recently to Benjamin Harris.
Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobiregistry.net. The domain was once the official home of the authoritative WHOIS server for .mobi.
[...]
Harris noticed that the previous dotmobiregistry.net owners had allowed the domain to expire. He then scooped it up and set up his own .mobi WHOIS server there. To Harris's surprise, his server received queries from slightly more than 76,000 unique IP addresses within a few hours of setting it up. Over five days, it received roughly 2.5 million queries from about 135,000 unique systems. The entities behind the systems querying his deprecated domain included a who's who of Internet heavyweights comprising domain registrars, providers of online security tools, governments from the US and around the world, universities, and certificate authorities, the entities that issue browser-trusted TLS certificates that make HTTPS work.
"watchTowr's research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in [our] opinion," Harris wrote in a post documenting his research.
[...]
WHOIS has played a key role in Internet governance since its earliest days, back when it was still called the ARPANET. Elizabeth Feinler, an information scientist working for the Augmentation Research Center, became the principal investigator for NIC, short for the Network Information Center project, in 1974. Under Feinler's watch, NIC developed the top-level domain naming system and the official host table and published the ARPANET Directory, which acted as a directory of phone numbers and email addresses of all network users. Eventually, the directory evolved into the WHOIS system, a query-based server that provided a comprehensive list of all Internet host names and the entities that had registered them. Despite its antiquated look and feel, WHOIS today remains an essential resource with tremendous consequences.
[...]
Harris populated his WHOIS database with junk data that corresponded to all real .mobi addresses. Administrative email addresses and most other fields led to the watchtowr.com domain. For humor, he also added ASCII art.
[...]
The humor aside, the rogue WHOIS server gave him powers he never should have had. One of the greatest was the ability to dictate the email address certificate authority GlobalSign used to determine if a party applying for a TLS certificate was the rightful owner of the domain name the certificate would apply to. Like the vast majority of its competitors, GlobalSign uses an automated process. An application for example.com, for instance, will prompt the certificate authority to send an email to the administrative email address listed in the authoritative WHOIS for that domain. If the party on the other end clicks a link, the certificate is automatically approved. When Harris generated a certificate signing request for microsoft.mobi, he promptly received an email from GlobalSign. The email gave him the option of receiving a verification link at whois@watchtowr.com. For ethical reasons, he stopped the experiment at this point.
[...]
"The purchase of a $20 domain that allowed the passive inference of .gov/.mil communications and the subversion of the Certificate Authority verification system should be a clear demonstration that the integrity of the trust and security processes we as Internet users rely on is, and continues to be, extremely fragile," Harris wrote in an online interview. "The systems and security we all take for granted is, in many places, truly held together in ways that would not pass approval in 2024."
(Score: 4, Insightful) by DrkShadow on Thursday September 26, @04:45AM (6 children)
Sure would be a _shame_ if one browser of them all suddenly started breaking on every fourth or fifth site on the internet. . . .
Talk about a forceful hand. There was one incident of a whois server changing, *ever*, and a security researcher picked it up. Now the ever-unaccepting, do-as-I-say overlord of the Intarwebs bans this practice.
I don't see what can come next. This is for basic verification for stupid sites because now every site has to have SSL on it. Every dumb forum, every tech review site, every daily-news site, _everything_. (Who made that mandate, again?) What's the alternative? Calling every DNS provider and going, "Hey, who's the contact for this domain?" "Sorry, we don't reveal customer information." "Yeah yeah, but I'm the SSL vendor, so who owns this domain *really*?"
... the cost. The hassle. The "trust" that you must have for the "ssl vendor" who calls you. etc. It's almost making the problem much, much worse.
Oh, but that's right, the .com whois registry *also* had a lapse and was procured by a *nation-state* attacker, who *purchased* twenty-seven-hundred SSL certs from their not-state-controlled CA, just last week!!! *eye roll*
(Score: 5, Insightful) by ledow on Thursday September 26, @08:20AM (5 children)
The alternative is ACME, in use by LetsEncrypt and others, which has zero reliance on WHOIS data (and I don't even understand where WHOIS factors into TLS because I live in the UK and most of our WHOIS data is restricted... and often you don't use your domain registrar for your SSL certificates at all).
You do that by verifying ownership of the domain technically - by adding files to a website, or DNS records to the domain, or in the case of ACME actually operating a server which can respond to an automated challenge-response protocol.
All my domains - personally, and on networks I manage - are with LetsEncrypt now. Because traditional SSL is expensive and a hassle come renewal time.
My domains now renew every 90 days (far more often than before), automatically, seamlessly and for free. On Windows and Linux servers, with Apache, nginx or IIS. And I don't need to do a thing. Millions of people and many large organisations are doing exactly the same. Most hosting outfits have now abandoned SSL certificate generation and just use LetsEncrypt for their customers unless they want to pay for a more premium service. They all basically give you verified SSL for free, in effect.
If I am LITERALLY OPERATING THE DOMAIN, I can get a temporary SSL cert for it (that can be revoked in instances of compromise). There's no issue there. If servers are compromised, someone can already do that until the owners notice, as the private key HAS to be accessible to those servers to serve SSL content.
So SSL is now free, more secure (quicker renewals and automatic regeneration), and it's required for a reason - without SSL any web page you visit can have any code an attacker likes inserted into any page without your or the site-owner's knowledge. ISPs were changing HTML etc. on the fly to include ads, and malware authors were doing it to insert compromises in transit. That's why you have it.
And it's now easier and has NEVER required WHOIS for verification - because that's an AWFUL idea. I don't think my address on all my domains has been up-to-date for 20+ years of owning them, for instance, but it doesn't matter because nothing uses them and police could trace the domains back to my credit card if it mattered. All my domains are on personal-data opt-out so no WHOIS data is visible to SSL providers anyway. Most WHOIS ownership information is worthless as it's full of nonsense, proxies and opt-outs. And yet I've had working and up-to-date TLS/SSL for decades. Because the verification uses things like DNS records and service provision on the domain's listed IPs, not WHOIS.
I haven't bought an SSL certificate in close to a decade now.
And all the above is not unique to any US registry whatsoever.
(Score: 1, Informative) by Anonymous Coward on Thursday September 26, @02:16PM (4 children)
...and what if someone else is literally operating the servers for a while?
There are plenty of ways to hijack traffic--compromising DNS in some manner, announcing BGP routes, etc...
There are occasionally ways to accidentally get access. Any time I need a temporary VPS for something, I'll spin up a box at Digital Ocean. Install a webserver and start watching logs. You'd be surprised how much traffic you get for various domains where the owners forgot to delete an old A record when killing a box and simply added a new one.
Granted, I don't think $MAJOR_NATIONAL_BANK is using Digital Ocean.
Anyways, it's time this whole trust model gets exposed for the scam that it is. Anyone can register any domain name and get a certificate for it. With the exception of some (most? all?) registrars that block specific keywords to help protect the "big guys".
For example, one of my competitors is SomeSmallCompany. They own SomeSmallCompany.com. They didn't own .net or .org. I grabbed them, got an LE cert for both domains and they redirect to my domain. No one checks or cares that I'm not SomeSmallCompany.com.
On the other hand, at one point I was pissed off enough at Microsoft that I set up a parody domain. I tried to register it at several registrars. Every single one blocked the registration because the word 'microsoft' was in it. (Think along the lines of microsoft-sucks.com). I finally had to file paperwork and documentation with NameCheap to show I wasn't a scammer and they let me purchase it.
We need to stop pretending that SSL/TLS is anything more than "you have a secure connection to the domain name you typed, let's hope DNS and routing got you there correctly and they are actually the company you think they are".
(Score: 3, Insightful) by darkfeline on Thursday September 26, @04:57PM (1 child)
If someone else is running your servers, then your certs are fucked regardless. At least ACME makes it easier to recover than traditional CAs.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Saturday September 28, @03:02PM
Wrong perspective. Stop looking at this as "I run servers". Look at it from the point of a certificate--to make sure *clients* are connecting securely.
If someone else is running the endpoint your grandmother is connecting to, you have no idea...just a valid cert.
That endpoint could be wrong because of DNS or BGP. It could be wrong because her $3 router/WAP thingy from China has a default password and/or compromised firmware.
(Score: 2) by ledow on Friday September 27, @07:51AM (1 child)
You know "Physical access is compromise"?
Yeah, access to the point that someone is controlling the servers hosting your web presence with permission enough to read your SSL private keys (necessary to "pose" as you or use a certificate re-issue, etc.)... it's already game over.
"We need to stop pretending that SSL/TLS is anything more than "you have a secure connection to the domain name you typed, let's hope DNS and routing got you there correctly and they are actually the company you think they are"."
We never did. And if the DNS was correct and secure enough to get you to a particular machine, and there is an SSL certificate using the same private key as before, issued by the same CA (because of CAA etc. DNS records, HSTS, certificate pinning, etc.)... and you have control of that endpoint machine - then that's all you can (and need) do to either host a website, or compromise one entirely.
Were you expecting anything else?
SSL means "I guarantee that traffic between you and this endpoint that you've supplied me is secure". That's *IT*. That's all it does. Everything else is on the server, web content (e.g. HSTS, etc.), DNS records and the security of the DNS lookup. It's never CLAIMED to be anything else (even if salesmen for some web companies try to push that).
As such SSL certificates shouldn't be complicated, shouldn't require a centralised WHOIS registration and lookup (hint: They already don't in most of the world), and keys, certificates, administration panels, renewal paths and methods need to be secure.
And WHOIS is NOT secure. But proving technical domain ownership directly with the server in question after checking secure DNS entries lookup to the right address, present the same certificate key, present the same list of authorised CAs, etc. - as any modern website does - and so on? That is secure. Which is why multi-billion dollar companies are using it.
(Score: 0) by Anonymous Coward on Monday September 30, @09:31PM
Cool. Now go ask your grandmother what tells her that her banking connection is secure...
She doesn't know *if* DNS is secure, or *if* traffic got routed using BGP to the correct servers...
(Score: 4, Touché) by kazzie on Thursday September 26, @11:57AM
WHOIS Google to make this decision? :P
(Score: 4, Insightful) by VLM on Thursday September 26, @12:57PM (1 child)
Note that Google is evil and huge, so coordination, if any, is impressive, but it is worth bringing up that Play Console, the thing you upload Android mobile apps to, has had a recent big push to re-authenticate yourself including a DUNS number if you're an organization, which is a situation I'm tangentially involved in.
I bring that up because possibly it's a higher level policy of theirs to minimize the security surface by generally outsourcing authentication.
So maybe if this is coordinated, instead of using whois data as a point of contact to get a cert, the "new way" will be to use DUNS contact info as a POC to get a cert. Very hypothetically and in theory.
It would fit with the idea of pushing the internet toward being for "big companies only to broadcast advertising to consumers" which subjectively seems to be a Google core value in practice.
(Score: 0) by Anonymous Coward on Thursday September 26, @11:06PM
I'm sure Google is doing this for selfish reasons, it might be a good thing also, but still, fuck Google and their bullshit.