Slashdot Mirror


WHATIS Going To Happen To WHOIS? (vice.com)

dmoberhaus writes: A European data privacy law goes into effect in May, but it's already having far-reaching consequences, especially when it comes to publicly available WHOIS data. Motherboard spoke to a domain registrar, ICANN and some security researchers about how anticipation of the EU privacy law's implementation has already gutted WHOIS data, why this is dangerous and what the future of WHOIS looks like.
ICANN requires registrars to make data on their customers publicly available -- but registrars would be more than happy to stop, according to Tim Chen, the CEO of a WHOIS data analytics firm. Besides hiding their customer lists, it would also address complaints about spammers harvesting email addresses. So registrars like GoDaddy "are taking this opportunity to see how far they can push things."

But the article has some sympathy for ICANN. "On the one hand, the organization is under pressure from law enforcement officials and security researchers who depend on WHOIS data to investigate possible crimes or mitigate devastating malware attacks. On the other hand, the organization must also accommodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue."

"The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

66 comments

  1. Does anyone actually use that by Anonymous Coward · · Score: 0

    maybe 20 years ago whois was useful to find people's names and then fuck with them but now? irrelevant

    1. Re:Does anyone actually use that by spaceman375 · · Score: 1

      I use it sometimes. Mostly to keep track of expiration dates for my own and client's domains, but it's not all obfuscated. Even just the creation date can be useful when looking into something.

      --
      On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
    2. Re:Does anyone actually use that by JMJimmy · · Score: 1

      Not irrelevant but CIRA (Canada's registry) did the same sort of thing a long time ago and it works just fine. Just saves people from having to pay stupid fees for privacy protection.

    3. Re:Does anyone actually use that by cayenne8 · · Score: 1

      Yeah...I've used it to find people that own domains I want and is nice to be able to contact them to see if they are interested in selling, etc.....

      Why doesn't ICANN tell them to take a fucking hike...and if they don't want WHOIS available in their country, then they can block it into their country with their own firewalls or whatever.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Does anyone actually use that by sjwest · · Score: 1

      I do. - we also count bad dns requests to our dns servers - hit a limit and well that's not my problem

    5. Re:Does anyone actually use that by Anonymous Coward · · Score: 0

      That's one of the problems with the DNS root. Countries have their own top level domains, but they can't set the rules for their own domains. ICANN requires WHOIS, even for domains under CCTLDs.

    6. Re: Does anyone actually use that by Monster_user · · Score: 1

      I use whois to determine the nature of traffic. I typically don't bother with contact information, I'm just looking for information I can use to identify whether the traffic is legitimate or not, so I know which PC to pull from the network,

    7. Re:Does anyone actually use that by Anonymous Coward · · Score: 0

      Yes I actually use it, and already hate how it's been emasculated right now.

      There are lots of times when I want to know whether a given domain that I've reached in a browser or from which I've received email is really owned by whomever they're claiming to be.

      If some individual or group is concerned about privacy, or indeed about their own governments' wanting to make them disappear into the night, anonymizing services are already available. If, on the other hand, a business hides its identity in its whois record, I consider them shady.

      Yes, it's an element in the trust chain that is subject to clever attacks, but so is the PKI. At least whois is one more check.

    8. Re: Does anyone actually use that by Anonymous Coward · · Score: 0

      Exactly. WHOIS is important if some suspicious traffic enters your PC or LAN (router/switches).
      Around 2013 I did a WHOIS when my new laptop was phoning home but was not listed in netstat of that PC, but when I logged in to my router and did a netstat it was listed there. Made me so suspicious I thought the Linux OS was doing some dirty tricks. Turns out the OS was innocent and it was just the Intel IME connecting to some US state. At that time I hadn't heard about the IME backdoor. WHOIS is very important if your machines are connecting somewhere else, or if you're being attacked or DDoS'd.

    9. Re: Does anyone actually use that by Anonymous Coward · · Score: 0

      Mod up. This is what's going on here.

      In some cases anonymity isn't cowardly, it's pragmatic. Safeguard privacy, No spam, no death threats. ICANN has been badgering us for our personal info for years because it makes the internet "safer". Stellar job it's doing too.

    10. Re:Does anyone actually use that by sabbede · · Score: 1

      Yeah, I do. At least once every couple of days to check the ownership and validity of domains to answer questions like, "what's this traffic?", "is this a legit email?", "should this site be allowed or blocked?", etc.

      What I'm hearing now sounds like a boon for criminals worldwide. Not a good thing.

  2. Well, I'm going to fuck it. by Anonymous Coward · · Score: 0

    With my penis. After that, who knows?

  3. In Sweden by Anonymous Coward · · Score: 0

    The WHOIS data is protected by privacy law. Lookup any .se address and see that no personal data is shown. If police requested the data however the registrars have to give it out.

    1. Re:In Sweden by Anonymous Coward · · Score: 0

      Maybe Sweden is ok, but in most countries the authorities are too corrupt to be granted such advantages over the general public. Maybe somebody like wikileaks can give us the info when the registrars won't. Fuck it. We really have to get rid of DNS so that web sites don't have to be registered with anybody. The users can cache IP addresses themselves and give them whatever name they like.

    2. Re: In Sweden by Anonymous Coward · · Score: 0

      Interesting. Can you provide a few reliable Swedish registrars?

  4. Nonsense by Njovich · · Score: 1

    This is total nonsense. GDPR is about disclosing how you handle data and giving people handles when they want to be removed from your system. In no way does it stop you from creating a phone book for domain holders.

    1. Re:Nonsense by Anonymous Coward · · Score: 1

      Ironic that you call it nonsense and then give a nonsense summary yourself. Data access and portability are two of the many areas you ignored. I could certainly see hosting companies making decisions to change how they present WHOIS based on GDPR, for example keeping logs of what is displayed and to whom given their responsibility to record processing of relevant data.

    2. Re:Nonsense by zifn4b · · Score: 2

      Before you post, do a 5 second Google search and locate this nice, easy to parse GDPR Key Changes document

      --
      We'll make great pets
    3. Re:Nonsense by Anonymous Coward · · Score: 0

      And your nonsense is astroturfing anti-GDPR bullshit from spammers or NAS/FBI/GCHQ.

      Nobody in their right mind today thinks that their date of birth, phone number or home address isn't personal information that shouldn't be under their own personal control. It is theirs to choose who they share it with - stalkers of all sorts should please just fuck off.

    4. Re:Nonsense by Njovich · · Score: 1

      Nothing here contradicts what I said. Which part would ban WHOIS?

    5. Re:Nonsense by Njovich · · Score: 1

      You misunderstand data access if you think I didn't cover it. As far as portability is concerned, that's the whole point of WHOIS, they have that covered.

    6. Re:Nonsense by zifn4b · · Score: 1

      Which part would ban WHOIS?

      Where is the claim that GDPR would ban WHOIS? Are you making things up? The part of the summary that is related to GDPR is that the current WHOIS service is not compatible with GDPR:

      On the other hand, the organization must also accommodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue.

      --
      We'll make great pets
    7. Re:Nonsense by Njovich · · Score: 1

      I didn't say you claimed that. Are *you* making things up? I just asked two questions, where your page contradicts my statement, and which part of GDPR forbids WHOIS. You answered neither question (your quote certainly doesn't point it out).

    8. Re:Nonsense by zifn4b · · Score: 1

      I asked you what this is in reference to and you failed to respond.

      Which part would ban WHOIS?

      I didn't claim anything of this nature and I don't see where anyone or anything did. Why would I continue to talk with someone who is making shit up? There is no way to have a conversation with someone who is doing that. If you want to continue, tell me what this statement YOU made is in reference to, otherwise, have a nice day because I don't talk with irrational people that just make things up.

      --
      We'll make great pets
  5. Scammers use data... by Camel+Pilot · · Score: 4, Interesting

    Anyone who has a registered domain or ssl certificate is familiar with the perennial scam of getting a fraudulent letter or email informing them that their domain is about to expire please send money now.

    1. Re:Scammers use data... by Anonymous Coward · · Score: 0

      Also scams can be identified through domain information. Certain practitioners of the law let themselves be used as the go-to guys for the domain registration requests from the scammers.

    2. Re: Scammers use data... by Monster_user · · Score: 1

      Well, now I'm wondering why I don't...

  6. Molehill by bidule · · Score: 4, Insightful

    What's wrong with having WHOIS point to a middleman who must forward to the owner?

    There's no privacy issue that way.

    --
    ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
    1. Re:Molehill by 93+Escort+Wagon · · Score: 1

      This - or some variant of this - is how Dreamhost has handled WHOIS for years. Currently if you look up my hobby site, the admin contact is {domain name}@proxy.dreamhost.com .

      --
      #DeleteChrome
    2. Re:Molehill by Anonymous Coward · · Score: 0

      Because, at least legally, you don't own the domain name. The domain is owned by the middleman. And between you and the middleman there is a legally binding agreement to let you exercise all the rights on the domain name (eg change registrars). But he could basically lock you out of it if he was untrustworthy, and you would have to bring him to court.
      Other gTLDs (eg .gr ) have only minimal WHOIS info and nothing personally identifying like name/address/telephone

    3. Re:Molehill by Anonymous Coward · · Score: 0

      What's wrong with having WHOIS point to a middleman who must forward to the owner?

      There's no privacy issue that way.

      Good idea! I've always said whois needed a Twitter module, and a Facebook module, and all those other little icons we see next to every piece of information possible.

      ninja@awesomo:~$ whois 64.235.59.38 --tweet --like

    4. Re:Molehill by davecb · · Score: 2

      I was peripheral to the discussion, and a customer bid on the "new whois" proposal: this is how it was supposed to work. A domain name in .com was supposed to be just like a business, and it was expected that the business contact could be your marketing department or in-house counsel. In .net and .org it was the same.

      In .ca, the registrant name is the registrar, and when contacted they will contact me.

      --
      davecb@spamcop.net
    5. Re:Molehill by marvinglenn · · Score: 1

      As long as there's a mechanism where all domains from the same entity point to the same something so that I can find which domains have a common owner. I've found such _very_ handy in blocking/rejecting certain types of spammers.

      --
      The whores get mad when the sluts give it away for free.
  7. undermined by clangerbanger · · Score: 1

    by scripts, running methodically and slowly on various machinery, scrape whois. then spread the result beyond control.

  8. Is there even any point? by ZorinLynx · · Score: 3, Insightful

    Most domains are owned by proxy anyway, so if you do a whois you're just going to get the name of the proxy.

    The days of using whois to hold domain owners responsible for anything have been long over for a long time; anyone doing anything shady (or just wanting basic privacy) is using a proxy.

  9. WHOknows by Anonymous Coward · · Score: 1

    But I do know this much: trump will hang for treason.

  10. WHOIS for netblocks is very useful by E-Lad · · Score: 1

    People tend to focus on domains when it comes to WHOIS usage; however I've found myself using it more to see who administrates/SWIPP'd a given block of IPs rather than looking up often inaccurate or obfuscated info on domain ownership.

    1. Re:WHOIS for netblocks is very useful by sjwest · · Score: 1

      I agree - any whois that says do not block me, or "I AM NOT SPAMMING YOU" is worthy of a mallet

    2. Re: WHOIS for netblocks is very useful by Anonymous Coward · · Score: 0

      Please someone mod the parent up + insightful.

      I use whois to determine netblock and cidr ranges all the time.

      It's extremely useful and quick to glean what is needed. Yes, it still has value.

    3. Re:WHOIS for netblocks is very useful by OolimPhon · · Score: 1

      Yep. I'm not really interested in the contact details. What I want to know is where an IP originates and what subnet it is part of. I would be happy for my contact details to be held somewhere and only passed on in accordance to local laws.

      When I find that somebody has scanned my address, resulting in firewall drop messages, then I will assume that all addresses in the subnet containing that address could also be compromised. WHOIS tells me that info, and which country it is. Based on that, I'll drop the whole subnet, which also means less spam in my firewall logs.
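The lookup-then-drop workflow described in the comment above, as an added example that is not part of the original thread: it parses a WHOIS response for an offending IPv4 address, picks the most specific block that covers it, and converts that range to CIDR drop rules. The sample response, the function names and the /16 width limit are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample response (documentation address space, not real registry data).
# WHOIS servers often return a parent allocation together with the customer assignment.
SAMPLE = """\
% constructed sample response

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-ALLOC
country:        EU

inetnum:        198.51.100.64 - 198.51.100.191
netname:        EXAMPLE-CUSTOMER
country:        NL
"""

# RIPE-style servers label the range "inetnum", ARIN-style servers "NetRange".
RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)\s*$", re.I | re.M)
COUNTRY_RE = re.compile(r"^country:\s*(\S+)", re.I | re.M)


def parse_blocks(whois_text):
    """Return one dict per WHOIS object that carries an IPv4 address range."""
    blocks = []
    for record in re.split(r"\n\s*\n", whois_text):
        m = RANGE_RE.search(record)
        if not m:
            continue
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        country = COUNTRY_RE.search(record)
        blocks.append({
            "first": first,
            "last": last,
            "country": country.group(1).upper() if country else None,
            # A registry range need not be CIDR-aligned, so it may expand
            # to several networks.
            "cidrs": list(ipaddress.summarize_address_range(first, last)),
        })
    return blocks


def most_specific(ip, blocks):
    """Pick the smallest block that contains ip, or None if none does."""
    ip = ipaddress.ip_address(ip)
    covering = [b for b in blocks
                if b["first"].version == ip.version and b["first"] <= ip <= b["last"]]
    if not covering:
        return None
    return min(covering, key=lambda b: int(b["last"]) - int(b["first"]))


def drop_rules(ip, whois_text, widest_prefix=16):
    """Build iptables drop rules for the block containing ip.

    Returns [] when no block covers the address or when the block is wider
    than /widest_prefix (an assumed safety limit so that a registry-level
    allocation is never dropped wholesale).
    """
    block = most_specific(ip, parse_blocks(whois_text))
    if block is None:
        return []
    if any(net.prefixlen < widest_prefix for net in block["cidrs"]):
        return []
    return [f"iptables -A INPUT -s {net} -j DROP" for net in block["cidrs"]]


if __name__ == "__main__":
    for rule in drop_rules("198.51.100.70", SAMPLE):
        print(rule)
```

Choosing the most specific block matters because the parent allocation usually belongs to an ISP or registry, and dropping it would block far more than the network the scan came from.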

  11. I'm all for privacy laws by flightmaker · · Score: 1

    My registrar offered to make my personal information private something like 18 months ago, an offer which I immediately accepted. As a result I've had no more scam letters from assholes telling me I owe them money to renew my domain.

    Typing a domain name into a computer without proper authority should never ever reveal the name, address and phone number of the owner for the very same reasons that in the UK you can't type the registration number of a car into a computer to obtain the name address and phone number of the owner.

    1. Re: I'm all for privacy laws by Anonymous Coward · · Score: 0

      While I agree with you on how privacy should be handled, did you know that the DVLA will give anyone the name and address of the registered keeper of any vehicle in exchange for 4GBP?

  12. Um... so what? Obfuscation already exists by Kargan · · Score: 1

    My domain registrar (Hover.com, based in Canada) offers WHOIS obfuscation for free. I'd be an idiot not to take advantage of it.

    --
    Palaces, barricades, threats, meet promises
  13. Astroturfing from NSA, FBI & other usual suspe by Anonymous Coward · · Score: 0

    Law enforcement agencies will still be able to access this data via internationally agreed search warrant procedures. What the whingers (FBI/NSA/GCHQ etc) are pissed about is that they will no longer be able to carry out (unlawful) warrantless searches without scrutiny.

  14. "How to make it work" by zifn4b · · Score: 1

    The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work.

    I am going to create a piece of legislation that states "all citizens have a right to be able to time travel". I guess since it's the law we have to invent the time machine. Apparently the best approach to decision making is to shoot first and aim later.

    --
    We'll make great pets
  15. I just list the address of the local post office. by OldMugwump · · Score: 1

    My home address doesn't need to be public. I list the address of the local post office, and my real name. Mail sent there will reach me. And of course a unique email address with very strong spam filters on it. Been doing it this way more than 10 years - no problems yet.

    --
    "Shoot, a fella could have a pretty good weekend in Vegas with all that stuff."
  16. solution: record salting by lambsonic · · Score: 1

    The data will always find a way out. Just allow registrars to salt records, like what is done with political donations.

    --
    # make clean sig
  17. Other important questions ... by fahrbot-bot · · Score: 1

    WHATIS Going To Happen To WHOIS?

    Namely: WHEREIS, WHYIS, WHENIS and HOWIS ?

    --
    It must have been something you assimilated. . . .
  18. Does anyone actually use their real names? by wolfheart111 · · Score: 1

    Just wondering if this is common. :) It's not like you have to show ID or anything. A 99 cent godaddy domain... WTF do I want to give real info anyways....

    --
    [($)]
    1. Re:Does anyone actually use their real names? by Anonymous Coward · · Score: 0

      Technically if ICANN finds out you have incorrect info in your domain it can be shut down. I am not sure how often it happens. AFAIK the only exception is the privacy proxies, because ultimately you could still be contacted by your privacy proxy for any DMCA requests, or other lawful requests.

  19. Re:I just list the address of the local post offic by Anonymous Coward · · Score: 0

    Why bother with this if you are still going to get all of the junk mail forwarded from your post office to your home?

    The whole point of privacy proxies for registrations is it completely blocks the ability for scammers to get any contact info and they can't send you all that scammy junk snail mail, junk email, and phone calls from domain renewal services, SEO optimization services, and fly by night web developers looking for a gig.

    namecheap.com offers the proxy service for a couple $ a year and is far worth it to not deal with the junk snail mail, junk email, and phone calls from these scammers. No one has a legitimate need to get access to this info, unless I provide it to you.

  20. Reminds me of David Brin's Transparent Society by Paul+Fernhout · · Score: 2

    https://en.wikipedia.org/wiki/...
    "Brin argues that it will be good for society if the powers of surveillance are shared with the citizenry, allowing "sousveillance" or "viewing from below," enabling the public to watch the watchers. According to Brin, this only continues the same trend promoted by Adam Smith, John Locke, the US Constitutionalists and the western enlightenment, who held that any elite (whether commercial, governmental, or aristocratic) should experience constraints upon its power. And there is no power-equalizer greater than knowledge."

    From the article: "The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
    1. Re:Reminds me of David Brin's Transparent Society by Anonymous Coward · · Score: 0

      From the article: "The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

      This is one of those good intentions that end up paving the road to hell.

      Intuitive, maybe. Stupid, certainly. For verily, should you succeed in making it work, you will have created this politician's wet dream of an "internet passport" that will experience massive function creep and allow the issuers to effectively control speech on the internet. Certainly if you go the bog standard route of creating "identity providers" that "provide" everyone else's "identity", thus ensuring that not everyone is a first class citizen. Maybe possibly not if you allow everyone to be at least potentially an identity provider for everyone else, making everyone a first class citizen. And you'll need plenty of "zero knowledge proofs" to keep a lid on the identity leaking.

      A better idea is to simply take out the unneeded information. EG why does WHOIS publish, say, billing information to the entire world? I'd say only their direct registrar needs to know that. The things I'd want to see at minimum are registration date, organisation, probably country of origin (ie applicable jurisdiction), and both an in-band (email) and out-of-band (phone) contact method, both regularly verified. But the rest probably shouldn't be public.

    2. Re:Reminds me of David Brin's Transparent Society by DNS-and-BIND · · Score: 1

      That would never happen, it would deprive our journalist class of their power to define what should be paid attention to. We saw citizen journalism explode in 2016 and Google/Facebook/Twitter spent all of 2017 smacking it down and putting it on page 146 of the search results.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  21. It used to be required by Anonymous Coward · · Score: 0

    People used to have to put in their real contact information because the purpose of whois was for someone to contact the people who ran the domain when they saw something wrong going on over there. Using false information in whois was grounds for revocation of a domain name. That stopped being the case when NetSol saw dollar signs and stopped running DNS with any sense of responsibility to the original intentions.

  22. ICANN't are idiots by Anonymous Coward · · Score: 1

    So you have a problem with leaking "personally identifiable information" ("PII").

    So your solution is an identification-wall that requires more identification, thus more PII, and "justification" data.

    Syeah, that's gonna work.

    Why do we publish all that whois data anyway? It's a hold-over from the early days. The useful bits of info are the registration date, the organisation behind it so you can match various domains to the same owner, and (should it still have been reliable), an easy contact point for abuse like through email and an out-of-band contact point for tech issues like a phone number.

    Administrative contacts? Not really useful. Billing contacts? No point in making those public. Names of people associated with various contact points? Only rarely if ever useful, except for "owner" and tracing what else he's got--some scammers are crafty but these days it's all behind a privacy wall anyway. Where it isn't shielded, physical address is mainly useful to get an impression just whereabouts on the globe they are. We could put a lat/lon on there instead.

    So most of the data can simply be made not public. I do think that the email and telephone contact points should remain public, and rigorously checked for validity. But the rest? Certainly the individual info in there we can do without.

    Oh and by the way, replacing WHOIS by a website is a no-go. In addition is fine, but websites go poorly with command line interfaces. And I still run whois several times a day on systems that don't sport graphics much less a(n oversized stupidly heavy) browser.

  23. blockchain blockchain blockchain by Anonymous Coward · · Score: 0

    I'd like to see the web of trust replaced by the blockchain of trust.

    You want to be anonymous? Sure, ok, we have a blockchain for that ...

  24. Whois is Still Useful? by Greyfox · · Score: 1

    Every time I tried to use it to look someone up, the address was always held by some corporation clearly designed to hide that information. I don't think the database has actually been useful for at least a couple of decades.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Whois is Still Useful? by marvinglenn · · Score: 1

      I've found it still somewhat useful, in that a couple of those masking companies, like "Whois Guard" in particular on my system(1), are so bad that I can reject email for purely being from a domain that uses their services.

      (1) My current stats have >2300 unique domains using their service that I've rejected email from.

      --
      The whores get mad when the sluts give it away for free.
  25. Does anyone buy a domain name without privacy? by ayesnymous · · Score: 1

    When I buy a domain, I can always find a coupon for free or 99 cent WHOIS privacy.

    1. Re:Does anyone buy a domain name without privacy? by Anonymous Coward · · Score: 0

      I came here to post something similar.

      As a Namecheap customer, I don't think I've ever had to pay for whatever they call their name protection service in all the years I've been with them. There's always been some kind of "on for free right now" type of promotion on when renewal time comes around.

  26. Should be public by bradley13 · · Score: 1

    WHOIS is the internet-equivalent of a property registry. If I want to know who owns that building over there, I can go to the township, look in the public records, and find out. This is important, whether it's because you want to buy the building, or perhaps you have a problem with something that is happening there. Sure, in some cases, ownership will be obscured through some intermediate legal entity, but that will still be the responsible legal entity.

    WHOIS should be exactly the same thing. If you are interested in a domain - for whatever reason - you should have a way to contact the legal entity responsible for it. Concerns about spam are misplaced - this happens in the physical world as well. There are scammers in the world, news at 11:00.

    tl;dr: The domain registries are the property registries of the Internet, and the registrations should be public.

    --
    Enjoy life! This is not a dress rehearsal.
  27. WHOIS Dysfunctional For Years by Anonymous Coward · · Score: 0

    WHOIS has been dysfunctional for years and continues to get worse as time goes by.

    Don't blame the EU for this. Blame registrar greed and widespread abuse of the system.

  28. Malware and scammers links day in day out. by pigsycyberbully · · Score: 0

    I have about 20 domain names that are registered on my behalf. The company registers the domain names for you and they create a name for you.
    Some of my names are phil, Dave, Davidson, Martin and Philip. When they register your email domain they give you a name and an address and a country and then they give you your password which you are meant to change for obvious reasons.

    When all this is complete you must use one of those domain names as a contact email address even though the registered domain name is not you.
    My one is postmaster, and because it has to exist on all the registered domain names it is chock-a-block full of malware and scammers email in multiple languages from multiple countries.

    They look through the register for email addresses and thus people constantly send you malware and scammers links day in day out. P.S.
    Other Internet companies constantly bombard you with special offers and why you should leave the company you have registered your domain name with and register with them. Why you should purchase their services rather than the one you have whatever that may be! THEY ARE WORSE THAN ALL THE VIRUSES AND MALWARE PUT TOGETHER...
    You can switch off incoming email for that particular domain email address but you have to switch it on for domain updates, to declare that you are who you are saying you are.

    Contact email registration is a nuisance.. I ended up paying a company identification protection to handle all the domain emails it has to go through them before it can get to me. And the only one that should get to me is the message about verifying that my name is Dave or Martin or Philip.

    1. Re:Malware and scammers links day in day out. by www.sorehands.com · · Score: 1

      I call bullshit on you, or at least in general. Most of the proxy services claim that they keep you from getting spam. However, they forward the e-mails, so they still forward the spam and virus.