[kictanet] Fwd: [At-Large] Security broken. WHOIS it?

Barrack Otieno otieno.barrack at gmail.com
Sat Jul 29 14:46:20 EAT 2017


Might be of interest to some.

Best Regards
---------- Forwarded message ----------
From: Derek Smythe <derek at aa419.org>
Date: Thu, Jul 27, 2017 at 1:26 AM
Subject: [At-Large] Security broken. WHOIS it?
To: at-large at atlarge-lists.icann.org


https://blog.aa419.org/2017/07/26/security-broken-whois-it/

As a consumer of WHOIS data in our attempt at fighting cyber fraud, we
noticed WHOIS lookups failing over the past day and a bit.

This failure was noticed using various utilities across various
platforms and locations. Further investigation shows the gTLD
registry data format has changed for .net and .com domains,
specifically the format of the line pointing to the registrar's WHOIS server.

As per the ICANN specifications, and as it was until now, this should be
the registry format:

    Domain Name: VERISIGN.COM
    Registrar: NETWORK SOLUTIONS, LLC.
    Whois Server: whois.networksolutions.com
    …

But this has now become:

    Domain Name: VERISIGN.COM
    Registry Domain ID: 2703255_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.corporatedomains.com

Naturally, parsing data and looking for a string that should be an
identifier, but has changed, will result in lookup failures. Using
this observation and patching, we suddenly saw the WHOIS lookup process
start working again. This same observation was made in the .NET gTLD.
Despite checking, no public notice that this specification is changing
is available on the ICANN website:

https://www.icann.org/resources/pages/com-2012-12-07-en
https://www.icann.org/resources/agreement/net-2017-07-01-en
https://www.icann.org/resources/pages/advisories-2012-02-25-en

It's a concern that a data format can be changed unilaterally, leaving
folks in the IT security field (and other legitimate consumers of such
data) in the dark, especially when we see the mass proliferation of
malicious domains targeting consumers, commerce and even governments.
The process of looking up registration data rapidly is crucial for
accurate identification to allow precise mitigation of such threats.
Changes made in such a manner as this undermine these efforts.


Derek Smythe
Artists Against 419
http://www.aa419.org
_______________________________________________
At-Large mailing list
At-Large at atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org



-- 
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A
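The breakage Derek describes comes from thin-registry (two-step) WHOIS lookups: a client queries the .com/.net registry, extracts the registrar referral line, then queries the registrar. The following is an added example, not code from aa419 or the original post. It contrasts a parser keyed on the literal "Whois Server:" label with one that normalises labels so both the old and the new "Registrar WHOIS Server:" form are accepted, and validates the referral value before it is used as a connection target. The sample registry output is constructed from the two formats quoted in the post; the registry server name and the "domain " query prefix in the lookup helper are assumptions, and the network path is not exercised by the offline demonstration.

```python
"""Extract the registrar referral from thin-registry WHOIS output.

Added example (not aa419's code). Sample data below is constructed from
the two registry formats quoted in the post, truncated to the fields shown.
"""
import re
import socket

# Constructed sample: the pre-change Verisign registry format.
OLD_FORMAT = """\
   Domain Name: VERISIGN.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
"""

# Constructed sample: the post-change Verisign registry format.
NEW_FORMAT = """\
   Domain Name: VERISIGN.COM
   Registry Domain ID: 2703255_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
"""


def referral_server_brittle(text):
    """The approach that broke: match the exact 'Whois Server:' label."""
    for line in text.splitlines():
        if line.strip().startswith("Whois Server:"):
            return line.split(":", 1)[1].strip()
    return None


# Referral labels seen in registry output, compared after normalisation so
# case, spacing and a leading 'Registrar' prefix do not break the lookup.
REFERRAL_LABELS = {"whoisserver", "registrarwhoisserver"}

# A referral must be a bare hostname: WHOIS text is partly under third-party
# control, so anything else is refused rather than handed to a socket.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def _norm_label(label):
    """Lower-case a field label and drop whitespace, underscores and dashes."""
    return re.sub(r"[\s_-]+", "", label).lower()


def parse_fields(text):
    """Return (normalised_label, value) pairs for every 'Label: value' line."""
    fields = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        fields.append((_norm_label(label), value.strip()))
    return fields


def referral_server(text):
    """Hardened extraction: accepts old and new labels, validates the value."""
    for label, value in parse_fields(text):
        if label in REFERRAL_LABELS:
            if HOSTNAME_RE.match(value):
                return value.lower()
            raise ValueError(f"suspicious referral server value: {value!r}")
    return None


def whois_query(server, query, port=43, timeout=10):
    """RFC 3912 exchange: send the query plus CRLF, read until the peer closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def lookup(domain, registry_server="whois.verisign-grs.com"):
    """Two-step lookup: registry first, then follow the registrar referral.

    Assumptions (not from the post): the registry server name above and the
    'domain ' prefix Verisign accepts to restrict a query to domain records.
    """
    registry_text = whois_query(registry_server, f"domain {domain}")
    registrar = referral_server(registry_text)
    if registrar is None:
        return registry_text
    return whois_query(registrar, domain)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no network is used.
    print("old format, brittle parser :", referral_server_brittle(OLD_FORMAT))
    print("new format, brittle parser :", referral_server_brittle(NEW_FORMAT))
    print("old format, hardened parser:", referral_server(OLD_FORMAT))
    print("new format, hardened parser:", referral_server(NEW_FORMAT))
```

Run it as-is to see the brittle parser return nothing for the new format while the hardened one finds the referral in both. The label set is still an allow-list rather than a loose substring match, so an unexpected new label fails closed and surfaces as a missing referral instead of a silently wrong server.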