<div dir="ltr"><div>Might be of interest to some.<br><br></div>Best Regards<br><div><div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Derek Smythe</b> <span dir="ltr"><<a href="mailto:derek@aa419.org">derek@aa419.org</a>></span><br>Date: Thu, Jul 27, 2017 at 1:26 AM<br>Subject: [At-Large] Security broken. WHOIS it?<br>To: <a href="mailto:at-large@atlarge-lists.icann.org">at-large@atlarge-lists.icann.org</a><br><br><br><a href="https://blog.aa419.org/2017/07/26/security-broken-whois-it/" rel="noreferrer" target="_blank">https://blog.aa419.org/2017/<wbr>07/26/security-broken-whois-<wbr>it/</a><br>
<br>
As a consumer of WHOIS data in our attempt at fighting cyber fraud, we<br>
noticed WHOIS lookups failing the past day and a bit.<br>
<br>
This failure was noticed using various utilities across various<br>
platforms and locations. Further investigation shows the gTLD<br>
registry data format had changed for .net and .com domains,<br>
specifically the format line to the registrar’s WHOIS server.<br>
<br>
As per the ICANN specifications, and how it was, this should be the<br>
registry format (bold for the sake of emphasis):<br>
<br>
    Domain Name: <a href="http://VERISIGN.COM" rel="noreferrer" target="_blank">VERISIGN.COM</a><br>
    Registrar: NETWORK SOLUTIONS, LLC.<br>
    Whois Server: <a href="http://whois.networksolutions.com" rel="noreferrer" target="_blank">whois.networksolutions.com</a><br>
    …<br>
<br>
But this has now become:<br>
<br>
    Domain Name: <a href="http://VERISIGN.COM" rel="noreferrer" target="_blank">VERISIGN.COM</a><br>
    Registry Domain ID: 2703255_DOMAIN_COM-VRSN<br>
    Registrar WHOIS Server: <a href="http://whois.corporatedomains.com" rel="noreferrer" target="_blank">whois.corporatedomains.com</a><br>
<br>
Naturally, parsing data and looking for a string that should be an<br>
identifier, but has changed, will result in lookup failures. Using<br>
this observation and patching, we suddenly saw the WHOIS lookup process<br>
start working again. This same observation was made in the .NET gTLD.<br>
Despite checking, no public notices are available on the ICANN website<br>
that this specification is changing:<br>
<br>
<a href="https://www.icann.org/resources/pages/com-2012-12-07-en" rel="noreferrer" target="_blank">https://www.icann.org/<wbr>resources/pages/com-2012-12-<wbr>07-en</a><br>
<a href="https://www.icann.org/resources/agreement/net-2017-07-01-en" rel="noreferrer" target="_blank">https://www.icann.org/<wbr>resources/agreement/net-2017-<wbr>07-01-en</a><br>
<a href="https://www.icann.org/resources/pages/advisories-2012-02-25-en" rel="noreferrer" target="_blank">https://www.icann.org/<wbr>resources/pages/advisories-<wbr>2012-02-25-en</a><br>
<br>
It’s a concern that a data format can be changed unilaterally, leaving<br>
folks in the IT security field (and other legitimate consumers of such<br>
data) in the dark, especially when we see the mass proliferation of<br>
malicious domains targeting consumers, commerce and even governments.<br>
The process of looking up registration data rapidly is crucial for<br>
accurate identification to allow precise mitigation of such threats.<br>
Changes made in such a manner as this undermine these efforts.<br>
<br>
<br>
Derek Smythe<br>
Artists Against 419<br>
<a href="http://www.aa419.org" rel="noreferrer" target="_blank">http://www.aa419.org</a><br>
______________________________<wbr>_________________<br>
At-Large mailing list<br>
<a href="mailto:At-Large@atlarge-lists.icann.org">At-Large@atlarge-lists.icann.<wbr>org</a><br>
<a href="https://atlarge-lists.icann.org/mailman/listinfo/at-large" rel="noreferrer" target="_blank">https://atlarge-lists.icann.<wbr>org/mailman/listinfo/at-large</a><br>
<br>
At-Large Official Site: <a href="http://atlarge.icann.org" rel="noreferrer" target="_blank">http://atlarge.icann.org</a></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Barrack O. Otieno<br>+254721325277<br>+254733206359<br>Skype: barrack.otieno<br>PGP ID: 0x2611D86A<br> <br><br><br><br></div>
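<p>As an added example (not code from the post or from aa419's tooling), a Python parser for the registry referral line that accepts both the historical "Whois Server:" label and the renamed "Registrar WHOIS Server:" label, beside the exact-match parser that breaks on the new format. The sample records are constructed from the lines quoted in the post; the hostname check is an assumption about how a consumer should validate the referral before querying it.</p>

```python
import re

# Constructed sample: the old .com registry record, as quoted in the post.
OLD_FORMAT = """\
   Domain Name: VERISIGN.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
"""

# Constructed sample: the changed record, with the renamed label.
NEW_FORMAT = """\
   Domain Name: VERISIGN.COM
   Registry Domain ID: 2703255_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
"""


def referral_server_naive(registry_text):
    """Brittle parser: exact match on the historical label only.
    Returns None on the new format, which is the failure the post describes."""
    for line in registry_text.splitlines():
        line = line.strip()
        if line.startswith("Whois Server:"):
            return line.split(":", 1)[1].strip().lower()
    return None


# Optional 'Registrar ' prefix, case-insensitive, tolerant of spacing.
_REFERRAL_LABEL = re.compile(
    r"^\s*(?:Registrar\s+)?WHOIS\s+Server\s*:\s*(\S+)\s*$", re.IGNORECASE
)

# Syntactic hostname check (assumption: validate the referral target
# before opening a port-43 connection to whatever the registry returned).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def referral_server(registry_text):
    """Tolerant parser: accepts both label forms and normalises the host."""
    for line in registry_text.splitlines():
        match = _REFERRAL_LABEL.match(line)
        if match:
            return match.group(1).lower().rstrip(".")
    return None


def is_valid_referral_host(host):
    """True only if the referral looks like a plain DNS hostname."""
    return host is not None and _HOSTNAME.match(host) is not None
```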
</div></div></div>