December 28, 2024

WHEN ABANDONED INFRASTRUCTURE LIVES ON — Rogue WHOIS server gives researcher superpowers no one should ever have .mobi top-level-domain managers changed the location of its WHOIS server. No one got the memo.

Dan Goodin – Sep 11, 2024 10:00 am UTC EnlargeAurich Lawson | Getty Images reader comments 7

Its not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of serversall in a single blow that cost only $20 and a few minutes to land. But thats exactly what happened recently to Benjamin Harris.

Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobilregistry.net. The domain was once the official home of the authoritative WHOIS server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices. At some pointits not clear precisely whenthis WHOIS server, which acts as the official directory for every domain ending in .mobi, was relocated, from whois.dotmobiregistry.net to whois.nic.mobi. While retreating to his Las Vegas hotel room during last months Black Hat security conference in Las Vegas, Harris noticed that the previous dotmobiregistry.net owners had allowed the domain to expire. He then scooped it up and set up his own .mobi WHOIS server there. Misplaced trust

To Harriss surprise, his server received queries from slightly more than 76,000 unique IP addresses within a few hours of setting it up. Over five days, it received roughly 2.5 million queries from about 135,000 unique systems. The entities behind the systems querying his deprecated domain included a whos who of Internet heavyweights comprising domain registrars, providers of online security tools, governments from the US and around the world, universities, and certificate authorities, the entities that issue browser-trusted TLS certificates that make HTTPS work.

watchTowrs research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in [our] opinion, Harris wrote in a post documenting his research. watchTowr continues to hold concern around the basic reality: watchTowr found this on a whim in a hotel room while escaping the Vegas heat surrounding Black Hat, while well-resourced and focused nation-states look for loopholes like this every day. In watchTowrs opinion, they are not likely to be the last to find inexcusable flaws in such a crucial process.

WHOIS has played a key role in Internet governance since its earliest days, back when it was still called the ARPANET. Elizabeth Feinler, an information scientist working for the Augmentation Research Center, became the principal investigator for NIC, short for the Network Information Center project, in 1974. Under Feinlers watch, NIC developed the top-level domain naming system and the official host table and published the ARPANET Directory, which acted as a directory of phone numbers and email addresses of all network users. Eventually, the directory evolved into the WHOIS system, a query-based server that provided a comprehensive list of all Internet host names and the entities that had registered them.

Despite its antiquated look and feel, WHOIS today remains an essential resource with tremendous consequences. Lawyers pursuing copyright or defamation claims use it to determine the owner of a domain or IP address. Spam services depend on it to determine the true owner of email servers. Certificate authorities rely on it to determine the official administrative email address of a domain. The list goes on. Page: 1 2 3 Next → reader comments 7 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars