Google Supports Ending WHOIS in TLS Domain Validation Procedure

# The Conclusion of WHOIS-Dependent Domain Validation: A New Chapter for TLS Certificates

In a pivotal decision that may alter the terrain of online security, certificate authorities (CAs) and browser developers are set to abandon the use of WHOIS information for verifying domain ownership. This action follows findings that unveiled how malicious entities could take advantage of the WHOIS-based verification method to illegitimately acquire Transport Layer Security (TLS) certificates. The shift, anticipated to commence in late 2024, could have far-reaching effects for website proprietors, certificate authorities, and the larger internet environment.

## The Importance of TLS Certificates in Online Security

TLS certificates serve as the foundation for secure internet communications. They verify that a website is owned by a legitimate entity and encrypt all interactions between the server and the user. These certificates are vital for establishing HTTPS connections, which are essential for safeguarding sensitive data such as passwords, credit card information, and personal details.

CAs, as trusted intermediaries, are responsible for issuing TLS certificates and verifying the identities of domain owners. The verification process for domain ownership is critical to prevent malicious users from acquiring certificates for domains they do not control, potentially leading to man-in-the-middle attacks, phishing, and other security vulnerabilities.

## The WHOIS-Based Validation Method

Traditionally, one of the methods CAs have relied on to authenticate domain ownership has been WHOIS data. WHOIS is a public registry that holds details about the registered owner of a domain, including contact information such as email addresses. Under the current rules, a CA may send a verification email to the address found in the WHOIS record for a domain. If the recipient clicks the verification link, domain control is treated as validated and the certificate can be issued.

However, this approach has long been criticized for its security weaknesses. WHOIS data is frequently outdated, inaccurate, or hidden behind privacy services, which makes it an unreliable source of information. Furthermore, the absence of standardized rules for verifying WHOIS records has left it open to exploitation, as recent research has shown.

## The Security Vulnerability Uncovered by watchTowr

In a recent study, analysts from the security firm watchTowr showed how malicious actors could misuse the WHOIS-based verification process to obtain fraudulent TLS certificates. The analysts set up a rogue WHOIS server and populated it with fictitious records for domains under `.mobi`, a top-level domain (TLD). Through this method, they could receive verification emails for domains they did not own, circumventing the security measures intended to prevent exactly that.

The flaw occurred because the official WHOIS server for `.mobi` domains had been moved to a new domain, while the former domain, `dotmobiregistry.net`, was allowed to lapse. The watchTowr team registered the expired domain, established a fake WHOIS server, and discovered that CAs continued to depend on it for domain authentication.

This revelation underscored a vital defect in the WHOIS-based verification method: the absence of a centralized, authoritative source for WHOIS data. Without standardized protocols for validating WHOIS records, CAs found themselves vulnerable to manipulation by malicious entities.
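The mitigation that follows from this finding is a simple one: a WHOIS client used in domain validation should only query the server that IANA currently lists for a TLD, never a hardcoded or inherited hostname that may sit under a lapsed domain. The following check is an added example written for this article; it is not code from the article, from watchTowr, from Google, or from any CA. The IANA entries and the hostname under `dotmobiregistry.net` are constructed placeholders, and a real deployment would load the IANA table from the root zone database rather than embedding it.

```python
# Constructed stand-in for the IANA root zone database (TLD -> WHOIS server).
# A real deployment loads and periodically refreshes this from IANA; the
# hostnames here are placeholders, not the real servers.
IANA_WHOIS = {
    "mobi": "whois.current-authority.example",
    "net": "whois.net-registry.example",
}

def _norm(host: str) -> str:
    """Canonicalise a hostname: trim whitespace, trailing dot, and case."""
    return host.strip().rstrip(".").lower()

def check_whois_server(tld: str, host: str, iana: dict = IANA_WHOIS) -> tuple[bool, str]:
    """Allow `host` as the WHOIS source for `tld` only if IANA lists it.

    A name that was hardcoded years ago, or one under a domain that has since
    lapsed and been re-registered by someone else, fails this test before any
    query is sent; that is the gap watchTowr found in .mobi lookups.
    """
    tld = _norm(tld).lstrip(".")
    expected = iana.get(tld)
    if expected is None:
        return False, f"no IANA WHOIS server on record for .{tld}"
    if _norm(host) != _norm(expected):
        return False, f"{host} is not the IANA-listed server {expected} for .{tld}"
    return True, "ok"

def audit_config(configured: dict, iana: dict = IANA_WHOIS) -> dict:
    """Return {tld: reason} for every configured server that fails the check."""
    findings = {}
    for tld, host in configured.items():
        ok, reason = check_whois_server(tld, host, iana)
        if not ok:
            findings[_norm(tld).lstrip(".")] = reason
    return findings

# Constructed legacy client config: .mobi still points at a host under
# dotmobiregistry.net, the lapsed domain named in the article (hostname assumed).
LEGACY_CONFIG = {
    "mobi": "whois.dotmobiregistry.net",
    "net": "whois.net-registry.example",
}

if __name__ == "__main__":
    for tld, reason in audit_config(LEGACY_CONFIG).items():
        print(f"BLOCK .{tld}: {reason}")
```

Running the audit over the legacy table reports only the `.mobi` entry, because its configured host no longer matches the server IANA lists for that TLD.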

## The CA/Browser Forum’s Reaction

The discoveries made by watchTowr were not overlooked by the CA/Browser Forum (CAB Forum), the industry organization that establishes the guidelines for the issuance and verification of TLS certificates. In light of the findings, a representative from Google suggested that the dependence on WHOIS data for domain ownership verification should be terminated.

The official proposal, presented in September 2024, urges CAs to cease using WHOIS data to determine domain contacts by November 1, 2024. Specifically, the proposal asserts that “CAs MUST NOT rely on WHOIS to identify Domain Contacts” and that “validations using this
