[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Sep 19 10:24:42 UTC 2024
On 18/9/2024 11:45 PM, Tobias S. Josefowitz wrote:
> Hi Dimitris,
>
> On Wed, 18 Sep 2024, Dimitris Zacharopoulos (HARICA) wrote:
>
>> On 18/9/2024 5:40 ?.?., Tobias S. Josefowitz wrote:
>>
>>> That said, as the issue presents to me, it seems to illustrate that
>>> multiple CAs must have been querying WHOIS servers whose hostnames and
>>> domains simply do not exist anymore, for longer than just a brief
>>> period. The possibility for this to occur without anyone noticing and
>>> sounding the alarm to the WebPKI community alone seems to disqualify
>>> WHOIS based Domain Validation as an acceptable method; this seemingly
>>> inherent lack of monitoring into validations/validation attempts
>>> performed via this method seems reason enough to retire it. And soon.
>>> What else have we missed, if we missed this?
>>
>> Are you claiming that some TLDs or Domain Names are defunct? I'm sure
>> this is true in many cases. However, the majority of the TLDs work as
>> expected. If a TLD is defunct (i.e. not accessible), why should the
>> WebPKI community raise an alarm? Nobody can use that TLD reliably in
>> the WWW anyway.
>>
>> I would expect the WebPKI community to raise an alarm if they detect
>> there is a malicious TLD operator or Registrar that has been
>> compromised like it happened with .tg
>> <https://groups.google.com/g/mozilla.dev.security.policy/c/4kj8Jeem0EU/m/GvqsgIzSAAAJ>
>> (thank you Andrew, that's exactly the case I recalled and couldn't
>> find references!), because that puts relying parties expecting an
>> encrypted interaction with those Domain Names in jeopardy.
>
Hi Tobi,
>
> I don't think "defunct" is a useful categorization for answering the
> question we have before us, which is how to react to the fact that TLD
> operators, IANA's list of CCTLDs and accompanying metadata, and the
> implementers of whois clients unknowingly, unintentionally, and with
> no practical awareness of the weight we placed on them, have
> disappointed our expectations and defied our assumptions.
I didn't mean "defunct" to mean a "malicious" operator. I meant it as an
operator that has inaccessible resources. For example, their DNS server
is down or not operational. I should have made it clearer.
With this clarification, I hope you understand why I said that such an
operator is not creating as much risk as a malicious operator.
Dimitris.
>
> I also must say that I find your point on "Nobody can use that TLD
> reliably [...] anyway." to be somewhat circular. As far as my
> understanding of the issue and say e.g. ".mobi" goes, ".mobi" works
> apparently just fine and is mostly in so far "defunct" as it may have
> not been very involved in keeping the IANA list of domains up to date
> with regards to the names of their WHOIS servers.
>
> I thought about it for a while, but the only argument for why it could
> not be used reliably is that because of this circumstance, attackers
> can get fraudulent certificates.
>
> When it comes to e.g. RFCs and so on, the dependencies may be clear;
> IANA is (expected) to publish the names of the WHOIS servers, and TLD
> operators are supposed to inform IANA of changes; and in the
> thoughtful execution of their duty to the public, they even keep
> operating the WHOIS servers on the old hostnames for a while, and make
> sure the old names cannot be used by an impostor for years to come.
>
> When it comes to WebPKI securing billions of people, the direction
> switches somewhat: Users must be able to trust the WebPKI, and we
> cannot just point fingers at the IANA list, CCTLD operators, and WHOIS
> implementers and call for them to get their act together. It is clear
> to me that we must act on the circumstances as they now present, as it
> is our responsibility to do so.
>
> I realize that in
> https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004874.html
> you suggest considering a list of "untrusted" TLDs, and I take it to
> mean you also probably agree that action must be taken, or would be
> appropriate to take. I however believe that such a list is not
> addressing the problem appropriately; it's rather obviously taking a
> reaction to a mere symptom, not addressing the fundamental flaw I see.
>
>>> PS: While I wrote the above primarily thinking about WHOIS (the
>>> protocol), I do not think that "scraping WHOIS data from a website"
>>> necessarily sounds super robust either...
>>
>> Securing the Internet needs to rely on some fundamental properties of
>> the Internet, and one of those is the fact that the Internet is
>> fundamentally insecure and unencrypted. There is no way around that.
>
> In practice, the way around that, while itself ridden with flaws on
> many levels, for many applications and transactions, is TLS backed by
> WebPKI. Some might consider it to not be a well-informed choice, but
> it is a reality in any case. Resilience against these problems is
> exactly what we need to collectively provide to our best ability.
>
>> IMO, as long as DNS relies on Registrars and Registrars offer
>> Registrant information with widely-acceptable protocols, they should
>> be considered a good "starting point" for evaluation in a Domain
>> Validation method. I would consider scraping WHOIS information data
>> from a secure website operated by the Registrar significantly more
>> reliable than obtaining this information via an unreliable and
>> unencrypted WHOIS query :)
>
> There are positive properties gained by encryption, but they are
> certainly matched (maybe even outmatched?) by negative properties of
> scraping websites. It is probably not fundamentally unthinkable that a
> CCTLD operator would show advertisements on their WHOIS website -
> there may even be some that do it today. Just as one example,
> including ads wasn't very secure the last time I looked at how this
> works, and offered ad networks and advertisers the opportunity to
> execute javascript code in the context of the page in question. Are
> WHOIS websites always scrapable with javascript disabled, or could
> this be used to get a CA to accept falsified information? I don't
> know, but I must assume that at least some CAs could be susceptible to
> such an attack.