Fwd: [At-Large] Security broken. WHOIS it?

Might be of interest to some. Best Regards

---------- Forwarded message ----------
From: Derek Smythe <derek@aa419.org>
Date: Thu, Jul 27, 2017 at 1:26 AM
Subject: [At-Large] Security broken. WHOIS it?
To: at-large@atlarge-lists.icann.org

https://blog.aa419.org/2017/07/26/security-broken-whois-it/

As a consumer of WHOIS data in our attempt at fighting cyber fraud, we noticed WHOIS lookups failing the past day and a bit. This failure was noticed using various utilities across various platforms and locations.

Further investigation shows the gTLD registry data format had changed for .net and .com domains, specifically the format line to the registrar's WHOIS server.

As per the ICANN specifications, and how it was, this should be the registry format (bold for the sake of emphasis):

Domain Name: VERISIGN.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
…

But this has now become:

Domain Name: VERISIGN.COM
Registry Domain ID: 2703255_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com

Naturally, parsing data and looking for a string that should be an identifier, but has changed, will result in lookup failures. Using this observation and patching, we suddenly saw the WHOIS lookup process start working again. This same observation was made in the .NET gTLD.

Despite checking, no public notices are available on the ICANN website that this specification is changing:

https://www.icann.org/resources/pages/com-2012-12-07-en
https://www.icann.org/resources/agreement/net-2017-07-01-en
https://www.icann.org/resources/pages/advisories-2012-02-25-en

It's a concern that a data format can be changed unilaterally, leaving folks in the IT security field (and other legitimate consumers of such data) in the dark, especially when we see the mass proliferation of malicious domains targeting consumers, commerce and even governments.

The process of looking up registration data rapidly is crucial for accurate identification to allow precise mitigation of such threats. Changes made in such a manner as this undermine these efforts.

Derek Smythe
Artists Against 419
http://www.aa419.org

_______________________________________________
At-Large mailing list
At-Large@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

--
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A
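The breakage described in the forwarded message comes from matching the registry's referral line by its exact old label. The following is an added example, not code from aa419 or from the message above: it places the brittle lookup beside a tolerant one that normalises the key, accepts both the old "Whois Server" and the new "Registrar WHOIS Server" labels, and validates the value as a hostname before it is used for the next lookup. The two sample records are constructed from the lines quoted in the message; the hostname check is an assumption of mine about what a careful consumer should require.

```python
import re
from typing import Optional

# Constructed sample of the old registry output, from the lines quoted above.
OLD_FORMAT = """\
Domain Name: VERISIGN.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
"""

# Constructed sample of the new registry output, from the lines quoted above.
NEW_FORMAT = """\
Domain Name: VERISIGN.COM
Registry Domain ID: 2703255_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
"""

def brittle_referral(record: str) -> Optional[str]:
    """The kind of match that stopped working: exact prefix on the old label only."""
    for line in record.splitlines():
        if line.startswith("Whois Server:"):
            return line.split(":", 1)[1].strip()
    return None

# Both labels the registry has used for the registrar referral, normalised to lower case.
REFERRAL_KEYS = {"whois server", "registrar whois server"}

# Assumed validation: a plain DNS hostname, so a garbled value is never dialled.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)

def referral_server(record: str) -> Optional[str]:
    """Tolerant lookup: normalise the key, accept either label, validate the value.

    Returns None when no referral line is found or its value is not a hostname,
    so a further format change fails closed instead of silently following junk.
    """
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Key: value" line
        key = " ".join(key.split()).lower()  # collapse spacing, ignore case
        if key in REFERRAL_KEYS:
            host = value.strip().lower().rstrip(".")
            return host if HOSTNAME_RE.match(host) else None
    return None
```

Logging every record for which referral_server returns None while brittle_referral also fails is a cheap way to notice the next unannounced format change the day it happens rather than after lookups have been silently failing.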