Folks, I'm sure some of you have already seen this writeup:
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

The authors claim that several certificate authorities, for at least one TLD (.mobi), query WHOIS servers that are no longer authoritative for a TLD, and in fact, by registering the old WHOIS server name to themselves, they were able to provide any information they wanted about domain contacts, e.g. substituting their own email address for validation method 3.2.2.4.2 for any (.mobi) domain. They also mention that they observed some clients (not necessarily CAs) querying the out-of-date WHOIS location for domains like "google.com".

The one CA called out by name in the report has opened a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1917896

But my question for other CAs is: from where do you source information on authoritative WHOIS servers for TLDs? What processes do you have in place to ensure that updates to, e.g., the IANA list, are propagated to production systems?

My question to the community: given the apparent fragility of WHOIS for obtaining registrant info, should the BRs be updated to only allow, e.g., direct information from RDAP from the registrar in charge of a given TLD?

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7f565062-36e4-4564-ad0f-c522ed7ae725n%40mozilla.org.
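As an added example following the post (not code from the post, the watchTowr writeup, or any CA), here is a small audit that compares a validation pipeline's configured per-TLD WHOIS server table against the `whois:` field of the TLD record served by IANA's root-zone database, the referral source the post asks about; the sample records, the configured table and all server names under `.test` are constructed placeholders, and `fetch_iana_live` is the only part that touches the network.

```python
import socket
from typing import Callable, Optional

IANA_WHOIS = "whois.iana.org"  # IANA's referral server, real host, port 43

# Constructed sample IANA TLD records (abridged); server names are placeholders.
SAMPLE_IANA_RECORDS = {
    "mobi": "domain:       MOBI\n\nwhois:        whois.nic.mobi-new.test\n\nstatus:       ACTIVE\n",
    "example": "domain:       EXAMPLE\n\nstatus:       ACTIVE\n",  # no WHOIS service listed
}
# Constructed: a CA pipeline's on-disk server table, with one stale entry.
CONFIGURED_SERVERS = {"mobi": "whois.old-registry.test", "example": "whois.example.test"}


def parse_iana_record(text: str) -> dict:
    """Parse 'key: value' lines of an IANA TLD record; '%' lines are comments."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), value.strip())  # keep first occurrence
    return fields


def fetch_iana_live(tld: str, timeout: float = 10.0) -> str:
    """Fetch a TLD record from whois.iana.org (network; not used by the offline audit)."""
    with socket.create_connection((IANA_WHOIS, 43), timeout=timeout) as sock:
        sock.sendall(f"{tld}\r\n".encode("ascii"))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def authoritative_whois(tld: str, fetch: Callable[[str], str]) -> Optional[str]:
    """Return the server IANA currently lists for the TLD, or None if it lists none."""
    return parse_iana_record(fetch(tld.lower().lstrip("."))).get("whois")


def audit(configured: dict, fetch: Callable[[str], str]) -> dict:
    """Flag configured servers that differ from IANA's current referral; a 'stale'
    entry is the writeup's failure mode: a hostname the registry no longer controls."""
    results = {}
    for tld, server in configured.items():
        current = authoritative_whois(tld, fetch)
        if current is None:
            results[tld] = "no-whois"
        elif current.lower() == server.lower():
            results[tld] = "ok"
        else:
            results[tld] = f"stale: {server} -> {current}"
    return results
```

Run `audit(CONFIGURED_SERVERS, fetch_iana_live)` against a real server table to check it against IANA's current referrals; the sample run uses `SAMPLE_IANA_RECORDS.__getitem__` as the fetch function and flags `.mobi` as stale.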
