WHOIS Domain Control Validation Will Phase Out Starting Jan. 8

If you’ve used WHOIS-based validation for your SSL/TLS certificates, it’s time to change to another validation method ASAP

Changes are coming down the pike regarding WHOIS-based domain validation in the first half of 2025.

In August 2024, researchers at WatchTowr Labs discovered a vulnerability relating to use of legacy WHOIS systems for domain control validation (DCV) that industry leaders were concerned could lead to fraudulent email-based validations for SSL/TLS certificates. Although the scope of the specific vulnerability was limited, it brought up questions about the industry’s reliance on certain legacy resources for validation.

On Dec. 14, the CA/Browser Forum (CA/B Forum) adopted a phased sunset for WHOIS-based methods of domain ownership validation after several months of discussion. But what do these changes mean to you as a domain owner and to the certification authorities (CAs) you rely on?

Let’s hash it out.

An Overview of What’s Happening & a WHOIS DCV End-of-Life Timeline

Updated Deadline-Related Information from Sectigo

Editor’s Note: This article has been updated on Jan. 8, 2025 to include updated information received via email from Sectigo about its phased rollout.

Industry leaders will begin a phased elimination of WHOIS-based DCV methods. As a result, the WHOIS protocol or HTTPS server query data will no longer be used as a way to 1) identify domain contacts, or 2) verify an entity’s control over a domain.

Phase One: Jan. 15, 2025

Basically, CAs will be prohibited from relying on domain contact info gathered through manual or automated WHOIS lookup methods. The sunsetting will affect three SSL/TLS security baseline requirements: 3.2.2.4.2 (“Email, Fax, SMS, or Postal Mail to Domain Contact”), 3.2.2.4.12 (“Validating Applicant as a Domain Contact”), and 3.2.2.4.15 (“Phone Contact with Domain Contact”).

Phase Two: July 15, 2025

This is the date by which publicly trusted CAs MUST NOT rely on any WHOIS-related domain validation methods to issue new leaf certificates or allow prior authorization reuse (even during a valid reuse period). In particular, this phase affects SSL/TLS BRs 3.2.2.4.2 and 3.2.2.4.15.

But wait, why does the article title say Jan. 8 if the first phase of the baseline requirement changes doesn’t begin until Jan. 15? It’s because some CAs are rolling out the changes ahead of the deadline to avoid any last-minute issues during implementation that could result in revocation.

Major CAs Are Implementing These Changes Ahead of the Deadlines

DigiCert and Sectigo have announced that customers using WHOIS-based DCV methods should migrate to alternative methods ASAP. Here’s an overview of each company’s phased rollout deadlines:

Sectigo:
  • Phase One (Jan. 15, 2025): Sectigo’s first phase of the rollout will involve prohibiting the use of WHOIS-based email validation for .nl top-level domains.
  • Phase Two (June 15, 2025): Sectigo will no longer support WHOIS-based email DCV and will invalidate any pre-existing DCV records. This means no certificates can be issued or re-issued using these unsupported WHOIS-based DCV methods.

DigiCert:
  • Phase One (Jan. 8, 2025): DigiCert will stop supporting manual and HTTPS web-based WHOIS lookups for domain validations and prior use authorizations based on these methods.
  • Phase Two (May 8, 2025): DigiCert will no longer accept automated WHOIS-based domain validations/IANA referrals for new domain validations. It will, however, still accept WHOIS protocol-based DCVs.
  • Phase Three (July 2025): DigiCert will no longer allow the reuse of existing WHOIS-based domain validations of any kind, regardless of the time left in a reuse period.

Here’s a quick timeline graphic that shows the rollout of these changes:

[Image: Timeline illustration of the CA/B Forum’s changes to the WHOIS domain control validation (DCV) process and the phased rollouts by DigiCert and Sectigo]
Image caption: A timeline that illustrates the rollout of phased changes to the WHOIS domain control validation methods over the next 6 months.

For more information about Sectigo’s changes and timeline, keep an eye on Sectigo’s WHOIS Email DCV Deprecation page for updates.

What Does All of This Mean for Your Organization?

NOTE: This issue only impacts companies who used WHOIS contact data to get their SSL/TLS certificates issued.

This change will have little to no impact for the overwhelming majority of our customers.

If You Don’t Use WHOIS Data for Domain Control Validation

If a method other than WHOIS web-based lookups was used to validate your domain — for example, DNS TXT records, file validation, or constructed email (e.g., administrator@domain.com) verification — then this has no impact on you or your certificates. You’re right as rain and don’t have to worry about any of these changes.

If You Did Use WHOIS Data for Your Domain Control Validation Process

If you used a WHOIS-listed email address to validate your domain when getting a website security certificate, you’ll need to change validation methods when requesting a new SSL/TLS certificate. This is true even for customers who are within the allowed prior authorization reuse period.

The easiest method for most customers will be to use one of the “constructed” or pre-approved validation email addresses:

  • admin@yourdomain.com
  • administrator@yourdomain.com
  • webmaster@yourdomain.com
  • hostmaster@yourdomain.com
  • postmaster@yourdomain.com

Alternative methods of domain control validation include file and DNS-based validation methods:

  • DNS TXT records
  • DNS CNAME (canonical name) records that link an alias to one or more other domains
  • HTTP file authentication
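As an added illustration (not code from any CA, the CA/B Forum, or this site), the checks below mirror the three WHOIS-free methods just listed and flag past validation records that still depend on WHOIS contact data. The token format, the record shapes and the sample history are constructed for this example; the rule that any non-constructed email DCV counts as WHOIS-sourced is an assumption to confirm against your CA’s records.

```python
# The five pre-approved "constructed" local parts listed above.
CONSTRUCTED_LOCAL_PARTS = {"admin", "administrator", "webmaster",
                           "hostmaster", "postmaster"}

def is_constructed_address(email: str, domain: str) -> bool:
    """True only for a pre-approved local part at exactly `domain`; any other
    address (e.g. a WHOIS-listed registrant contact) is rejected.
    Assumption: the CA validates at the exact domain, not a parent domain."""
    local, at, mail_domain = email.strip().lower().rpartition("@")
    return bool(at) and mail_domain == domain.lower() and local in CONSTRUCTED_LOCAL_PARTS

def dns_txt_satisfied(txt_records: list[str], token: str) -> bool:
    """DNS TXT method: the CA-issued random token must be present as a TXT
    value. Quotes/whitespace from a dig-style dump are stripped first."""
    return any(rec.strip().strip('"') == token for rec in txt_records)

def http_file_satisfied(body: bytes, token: str) -> bool:
    """HTTP file method: the first line of the served file must equal the token."""
    return body.split(b"\n", 1)[0].strip() == token.encode("ascii")

def records_to_migrate(history: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (domain, method, value) records that relied on WHOIS contact
    data and so cannot be reused. Assumption: an email DCV sent to a
    non-constructed address was sourced from WHOIS (confirm with your CA)."""
    flagged = []
    for domain, method, value in history:
        if method == "whois_phone":
            flagged.append((domain, method, value))
        elif method == "email" and not is_constructed_address(value, domain):
            flagged.append((domain, method, value))
    return flagged

# Constructed sample data for this example, not real validation records.
SAMPLE_TOKEN = "dcv-8f3a9c21e5b7"
SAMPLE_TXT = ['"v=spf1 -all"', '"dcv-8f3a9c21e5b7"']
SAMPLE_BODY = b"dcv-8f3a9c21e5b7\n"
SAMPLE_HISTORY = [
    ("example.com", "email", "admin@example.com"),                 # constructed: keep
    ("example.net", "email", "registrant@privacy-proxy.example"),  # WHOIS contact
    ("example.org", "whois_phone", "+1-555-0100"),                 # WHOIS phone
    ("example.com", "dns_txt", SAMPLE_TOKEN),                      # DNS: keep
]

if __name__ == "__main__":
    for rec in records_to_migrate(SAMPLE_HISTORY):
        print("re-validate with a non-WHOIS method:", rec)
```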

Background: What Led to These Industry DCV Changes

TL;DR: An Overview of the Issue and Why Changes Were Deemed Necessary

WatchTowr Labs researchers discovered WHOIS systems using hardcoded legacy servers that allowed attackers to insert themselves as admin contacts for targeted domains. Thankfully, the WHOIS issue isn’t thought to be a widespread problem.

WatchTowr Labs researchers discovered that specific WHOIS systems relied on hardcoded server addresses, some of which were decommissioned (legacy) domains. Unfortunately, these systems were pointing to legacy domains that were up for sale. This gave whoever bought the domains (in this case, the WatchTowr Labs researchers) the ability to insert fraudulent email contact information in WHOIS server responses for domains requesting SSL/TLS certificates.

In this case, researchers bought the decommissioned domain dotmobiregistry.net (whois.dotmobiregistry.net), which should have been decommissioned (but wasn’t) once a new server (whois.nic.mobi) was instituted. As such, the vulnerability would impact all domains with the .mobi top-level domain (TLD), giving bad guys the ability to issue fraudulent website security certificates.

How Widespread Is the Issue?

Because WHOIS failed to renew the legacy domain dotmobiregistry.net, WatchTowr Labs researchers were able to take control and found the server was communicating with 135,000+ unique systems and received 2.5+ million WHOIS queries over a six-day observation period. That’s nearly 420,000 queries per day to the exploitable legacy system.

However, it’s important to recognize in this situation that not all WHOIS validations are innately flawed. Although WatchTowr researchers said the issues impact WHOIS queries, which historically have been sent by mail servers, several major domain registrars, and some CAs, the “only” affected domains were those with .mobi TLDs.

The key takeaway of the situation is that it brought to light the concern of relying on legacy WHOIS validation methods and outdated resources. It’s for this reason, and because WHOIS-based DCV methods typically are no longer used by most organizations, that industry leaders want to nip the issue in the bud once and for all and eliminate risks associated with these validation methods.


Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.