[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

[Tobias S. Josefowitz]

Hi Dimitris,

On Wed, 18 Sep 2024, Dimitris Zacharopoulos (HARICA) wrote:

> On 18/9/2024 5:40 ?.?., Tobias S. Josefowitz wrote:
>
>>  That said, as the issue presents to me, it seems to illustrates that
>>  multiple CAs must have been querying WHOIS servers which's hostnames and
>>  domains simply do not exist anymore, for longer than just a brief period,
>>  The possibility for this to occur without anyone noticing and sounding the
>>  alarm to the WebPKI community alone seems to disqualify WHOIS based Domain
>>  Validation as an acceptable method; this seemingly inherent lack of
>>  monitoring into validations/validation attempts performed via this method
>>  seems reason enough to retire it. And soon. What else have we missed, if
>>  we missed this?
>
> Are you claiming that some TLDs or Domain Names are defunct? I'm sure 
> this is true in many cases. However, the majority of the TLDs work as 
> expected. If a TLD is defunct (i.e. not accessible), why should the 
> WebPKI community raise an alarm? Nobody can use that TLD reliably in the 
> WWW anyway.
>
> I would expect the WebPKI community to raise an alarm if they detect there is 
> a malicious TLD operator or Registrar that has been compromised like it 
> happened with .tg 
> <https://groups.google.com/g/mozilla.dev.security.policy/c/4kj8Jeem0EU/m/GvqsgIzSAAAJ> 
> (thank you Andrew, that's exactly the case I recalled and couldn't find 
> references!), because that puts relying parties expected an encrypted 
> interaction with those Domain Names in jeopardy.


I don't think "defunct" is a useful categorization for answering the 
question we have before us, which is how to react to the fact that TLD 
operators, IANA's list of CCTLDs and accompanying metadata, and the 
implementers of whois clients unknowingly, unintentionally, and with no 
practical awareness of the weight we placed on them, have disappointed our 
expectations and defied our assumptions.

I also must say that I find your point on "Nobody can use that TLD 
reliably [...] anyway." to be somewhat circular. As far as my 
understanding of the issue and say e.g. ".mobi" goes, ".mobi" works 
apparently just fine and is mostly in so far "defunct" as it may have not 
been very involved in keeping the IANA list of domains up to date with 
regards to the names of their WHOIS servers.

I thought about it for a while, but the only argument for why it could not 
be used reliably is that because of this circumstance, attackers can get 
fraudulent certificates.

When it comes to e.g. RFCs and so on, the dependencies may be clear; IANA 
is (expected) to publish the names of the WHOIS servers, and TLD operators 
are supposed to inform IANA of changes; and in the thoughtful execution of 
their duty to the public, they even keep operating the WHOIS servers on 
the old hostnames for a while, and make sure the old names cannot be used 
by an impostor for years to come.

When it comes to WebPKI securing billions of people, the direction 
switches somewhat: Users must be able to trust the WebPKI, and we cannot 
just point fingers at the IANA list, CCTLD operators, and WHOIS 
implementers and call for them to get their act together. It is clear to 
me that we must act on the circumstances as they now present, as it is our 
responsibility to do so.

I realize that in 
https://lists.cabforum.org/pipermail/servercert-wg/2024-September/004874.html 
you suggest to consider a list of "untrusted" TLDs, and I take it to mean 
you also probably agree that action must be taken, or would be appropriate 
to take. I however believe that such a list is not addressing the problem 
appropriately; it's rather obviously taking a reaction to a mere symptom, 
not addressing the fundamental flaw I see.

>>  PS: While I wrote the above primarily thinking about WHOIS (the protocol),
>>  I do not think that "scraping WHOIS data from a website" necessarily
>>  sounds super robust either...
>
> Securing the Internet needs to rely on some fundamental properties of the 
> Internet, and one of those is the the fact that the Internet is fundamentally 
> insecure and unencrypted. There is no way around that.

In practice, the way around that, while itself ridden with flaws on many 
levels, for many applications and transactions, is TLS backed by WebPKI. 
Some might consider it to not be a well-informed choice, but it is a 
reality in any case. Resilience against these problems is exactly what we 
need to collectively provide to our best ability.

> IMO, as long as DNS relies on Registrars and Registrars offer Registrant 
> information with widely-acceptable protocols, they should be considered a 
> good "starting point" for evaluation in a Domain Validation method. I would 
> consider scrapping WHOIS information data from a secure website operated by 
> the Registrar significantly more reliable than obtaining this information via 
> an unreliable and unencrypted WHOIS query :)

There are positive properties gained by encryption, but they are certainly 
matched (maybe even outmatched?) by negative properties of scraping 
websites. It is probably not fundamentally unthinkable that a CCTLD 
operator would show advertisements on their WHOIS website - there may even 
be some that do it today. Just as one example, including ads wasn't very 
secure the last time I looked at how this works, and offered ad networks 
and advertisers the opportunity to execute javascript code in the context 
of the page in question. Are WHOIS websites always scrapable with 
javascript disabled, or could this be used to get a CA to accept falsified 
information? I don't know, but I must assume that at least some CAs could 
be susceptible to such an attack.