Google calls for halting use of WHOIS for TLS domain verifications
Google proposed ending the use of WHOIS data for TLS certificate verification due to security vulnerabilities, suggesting a deadline of November 1, 2024, while some advocate for an extension to April 30, 2025.
Google has proposed halting the use of WHOIS data for verifying domain ownership in the issuance of TLS certificates, following a security report by watchTowr that revealed vulnerabilities in the current system. TLS certificates are essential for establishing secure HTTPS connections, and the existing process allows certificate authorities (CAs) to verify domain ownership by sending an email to the address listed in the WHOIS record. However, researchers demonstrated that threat actors could exploit this process by creating a fake WHOIS server, allowing them to obtain certificates for domains they do not own. In response, Google suggested that CAs should not rely on WHOIS data for domain contact identification, with a proposed deadline of November 1, 2024, for this change. While many support the proposal, some, including representatives from Amazon, argue for an extension to April 30, 2025, due to the complexities involved in transitioning away from WHOIS. The discussion is ongoing, and formal voting on the proposed changes has yet to commence.
- Google has called for an end to using WHOIS data for TLS certificate verification due to security vulnerabilities.
- Researchers demonstrated that fake WHOIS servers could be used to fraudulently obtain TLS certificates.
- The proposed deadline for discontinuing WHOIS reliance is November 1, 2024, but some industry representatives suggest extending it to April 30, 2025.
- The CA/Browser Forum is currently discussing the proposed changes, with formal voting yet to begin.
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Chrome will distrust CA certificates from Entrust later this year
Google will stop trusting Entrust CA certificates from November 1, citing compliance failures. Websites using Entrust certs, like moneygram.com and ey.com, must switch to a new CA to avoid security warnings. Enterprise customers can still trust Entrust.
Entrust certificates will not be trusted in Chrome 127+
The Chrome Root Program Policy is updating trust for Entrust CAs due to compliance issues. Entrust must show improvement to maintain trust. Chrome will oversee changes to safeguard users and the web.
Mozilla follows Google in losing trust in Entrust's TLS certificates
Mozilla will stop trusting Entrust as a root certificate authority after November 30, 2024, following compliance failures. Google previously made a similar decision, citing inadequate responses from Entrust.
We spent $20 to achieve RCE and accidentally became the admins of .mobi
Researchers at watchTowr Labs gained control of the expired .MOBI WHOIS server, attracting millions of queries and exposing vulnerabilities in the WHOIS protocol, raising security concerns for internet communications.