
Google calls for end to use of WHOIS for TLS domain verifications


    Certificate authorities and browser makers plan to stop using WHOIS data to verify domain ownership, following a report that shows how attackers can abuse WHOIS data to obtain fraudulently issued TLS certificates.

    TLS certificates are the cryptographic credentials that support HTTPS connections, a critical component of online communications that authenticates that a server belongs to a trusted entity and encrypts all traffic passing between the server and an end user. These credentials are issued by one of hundreds of CAs (certification authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left up to the CA/Browser Forum. One “basic requirement rule” allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the recipient clicks on an included link, the certificate is automatically approved.

    Non-trivial dependencies

    Researchers from security firm watchTowr recently demonstrated how threat actors were able to abuse the rule to obtain fraudulently issued certificates for domains they did not own. The security failure was due to a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.

    More specifically, watchTowr researchers were able to obtain a verification link for any domain ending in .mobi, including domains they did not own. The researchers accomplished this by implementing a fake WHOIS server and populating it with fake records. The creation of the fake server was possible because dotmobiregistry.net, the previous domain that hosted the WHOIS server for .mobi domains, was allowed to expire after the server was moved to a new domain. watchTowr researchers registered the domain, set up the fake WHOIS server, and found that CAs continued to rely on it to verify ownership of .mobi domains.

    The investigation did not go unnoticed by the CA/Browser Forum (CAB Forum). On Monday, a member representing Google suggested that Google stop relying on WHOIS data for domain ownership verification “in light of recent events where research from watchTowr Labs showed how malicious actors were able to abuse WHOIS to obtain fraudulently issued TLS certificates.”

    The formal proposal calls for reliance on WHOIS data to “sunset” in early November. It specifically states that “CAs may NOT rely on WHOIS to identify domain contacts” and that “effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify domain contact information.”

    Since Monday’s submission, more than 50 follow-up comments have been posted. Many of the comments have expressed support for the proposed change. Others have questioned the need for the proposed change, given that the security flaw discovered by watchTowr is known to affect only a single top-level domain.

    An Amazon representative, meanwhile, noted that the company previously made a unilateral change in which AWS Certificate Manager will completely move away from its reliance on WHOIS records. The representative told CAB Forum members that Google's proposed Nov. 1 deadline may be too strict.

    “We’ve heard feedback from customers that for some, this is a non-trivial dependency to remove,” the Amazon representative wrote. “It’s not uncommon for businesses to have automation built on top of email validation. Based on the information we’ve received, I recommend a date of April 30, 2025.”

    CA Digicert supported Amazon's proposal to extend the deadline. Digicert then proposed that CAs use the WHOIS successor known as the Registration Data Access Protocol instead of WHOIS records.
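    The two failure modes the article describes are a stale, hand-maintained mapping from TLD to WHOIS server (the expired dotmobiregistry.net case above) and free-form WHOIS text that has to be scraped for a contact address. The example below is added here and is not code from the article, watchTowr, Google, Amazon or Digicert; it sketches how a CA's email-validation step could instead take the contact address from RDAP, the protocol Digicert proposes. It assumes the documented shapes of the IANA RDAP bootstrap file for DNS (a list of services, each a list of TLDs paired with a list of base URLs) and of an RDAP domain object (entities carrying roles and a jCard), but every TLD, URL, name and address in it is constructed for the example, and the decision function, its names and its "RDAP over HTTPS or no email validation" rule are this example's own, not a CA/Browser Forum requirement.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the IANA RDAP bootstrap file for DNS:
# each "services" entry is [list of TLDs, list of RDAP base URLs]. The TLDs
# and URLs here are made up for this example.
SAMPLE_BOOTSTRAP = json.dumps({
    "version": "1.0",
    "publication": "2024-09-01T00:00:00Z",
    "description": "constructed sample, not the real IANA bootstrap file",
    "services": [
        [["example"], ["https://rdap.example-registry.test/rdap/"]],
        [["test"], ["http://rdap.plain.test/", "https://rdap.secure.test/"]],
    ],
})

# Constructed RDAP domain lookup result: the registrant's contact email is
# carried in a jCard inside an entity that holds the "registrant" role.
SAMPLE_RDAP_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "shop.example",
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["email", {}, "text", "support@registrar.test"]]]},
        {"objectClassName": "entity", "roles": ["registrant", "administrative"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Shop Owner"],
                                  ["email", {}, "text", "owner@shop.example"]]]},
    ],
})


def parse_bootstrap(text):
    """Map each TLD to its HTTPS RDAP base URLs, dropping any plain-http entry."""
    table = {}
    for tlds, urls in json.loads(text)["services"]:
        https_urls = [u for u in urls if urlsplit(u).scheme == "https"]
        for tld in tlds:
            table[tld.lower()] = https_urls
    return table


def rdap_query_url(domain, bootstrap_table):
    """Return the bootstrapped RDAP URL for `domain`, or None if its TLD has
    no entry (the situation in which a stale WHOIS referral would be the
    tempting but unsafe fallback)."""
    name = domain.lower().rstrip(".")
    bases = bootstrap_table.get(name.rsplit(".", 1)[-1])
    if not bases:
        return None
    return bases[0].rstrip("/") + "/domain/" + name


def contact_emails(rdap_json, roles=("registrant", "administrative")):
    """Collect emails from entities holding an accepted role. Structured
    fields replace the regex scraping that free-form WHOIS text requires."""
    found = []
    for entity in json.loads(rdap_json).get("entities", []):
        if not set(entity.get("roles", [])) & set(roles):
            continue
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email" and prop[3] not in found:
                found.append(prop[3])
    return found


def dcv_contact_decision(domain, bootstrap_text, rdap_response=None):
    """Hypothetical policy: take the email-validation contact from RDAP over
    HTTPS via the bootstrap registry, or refuse email validation for the
    domain; never consult a hand-maintained WHOIS server table."""
    url = rdap_query_url(domain, parse_bootstrap(bootstrap_text))
    if url is None:
        return {"status": "reject", "reason": "TLD has no RDAP entry in bootstrap"}
    if rdap_response is None:
        return {"status": "query", "url": url}  # caller fetches url over HTTPS
    emails = contact_emails(rdap_response)
    if not emails:
        return {"status": "reject", "reason": "no registrant/admin email in RDAP"}
    return {"status": "ok", "url": url, "emails": emails}


if __name__ == "__main__":
    print(dcv_contact_decision("shop.example", SAMPLE_BOOTSTRAP, SAMPLE_RDAP_DOMAIN))
    print(dcv_contact_decision("shop.notld", SAMPLE_BOOTSTRAP))
```

The design point is in `dcv_contact_decision`: a TLD that is absent from the bootstrap file is rejected rather than looked up elsewhere, and the bootstrap file itself is the only source of server names, so an expired hostname in an old table has nothing to attach to. The registrar entity's address is ignored because its role is not one a CA should accept as proof of control, which is the same role distinction WHOIS text leaves to the parser.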

    The proposed amendments are formally in the discussion phase of deliberations. It is unclear when the formal vote on the amendment will begin.