Home / Blogs

Fake Bank Site, Fake Registrar

In our continuing review of Rogue Registrars we have stumbled upon on a very elaborate fake banking site for “Swiss Bank” or “Bank of Switzerland” (bankofswissltd[DOT]com). To the casual Internet consumer this site probably appears legitimate, but a number of clues tip off the fraud. Phishing sites are everywhere so this does not immediately raise eyebrows until you review the Thick WHOIS record for bankofswissltd[DOT]com. According to the WHOIS this domain is sponsored by the “Registrar: Jolis Intercom”. The problem is that Jolis Intercom does not appear in the ICANN or InterNIC directory. Jolis Intercom is not an accredited gTLD Registrar. So what is going on? Jolis Intercom is a reseller for the Registrar Internet.BS, a Registrar coming under increasing scrutiny. We also found a fake Bank of Thailand on the same server.

In previous postings we have seen that Internet.BS exists completely in the shadows and now it is found they have their own domain reseller elevating themselves to the status of a Registrar by manipulating WHOIS records for the domains they control. This manipulation adds an additional layer of obfuscation and misdirection. A consumer or investigator attempting to validate whether or not this bank is real will be further confounded by the lack of a reliable Registrar contact to handle the situation. There is absolutely no reason why a reseller should be able to manipulate WHOIS in this way, it is unacceptable.

Resellers are companies which operate under a Registrar’s accreditation and are solely accountable to that Registrar. While KnujOn has expended considerable effort making Registrars more transparent and accountable, resellers are a far more insidious and unknown group of players in the Internet architecture. Resellers, in effect, act as Registrars and have the same access but none of the disclosure requirements intended to protect consumers. ICANN has no knowledge of who the resellers are or how many are in existence. More accountability of the domain resellers is part of the proposed changes to the RAA which are stalled in negotiations.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Garth Bruen, Internet Fraud Analyst and Policy Developer

Filed Under

Comments

GarthMaybe you are having issues reading whois, Michele Neylon  –  Mar 28, 2012 10:21 AM

Garth

Maybe you are having issues reading whois, but it’s very clear to me who the registrar for the domain is. From whois: Domain Name: BANKOFSWISSLTD.COM
  Registrar: INTERNET.BS CORP.
  Whois Server: whois.internet.bs
  Referral URL: http://www.internet.bs
  Name Server: NS1.THEG7.COM
  Name Server: NS2.THEG7.COM
  Status: clientTransferProhibited
  Updated Date: 12-aug-2011
  Creation Date: 12-aug-2011
  Expiration Date: 12-aug-2012

That clearly shows the registrar as Internet.bs

And as I noted elsewhere, .com uses “thin” whois, so I don’t understand why you are referring to “thick whois”, or maybe you are having more issues understanding how WHOIS works?

Regards

Michele

He's talking about the Whois record Kevin Murphy  –  Mar 28, 2012 10:54 AM

It's pretty obvious Garth is referring to the Whois record maintained by Internet.bs. http://www.internetbs.net/en/domain-name-registrations/whois.html?domain=bankofswissltd.com You may notice that the above link is to internetbs.net, which internet.bs bounced me to. That appears to be new behavior.

Yes, but.... John Berryhill  –  Mar 28, 2012 12:46 PM

...if one is using the WHOIS output from internet.bs, then it would seem that one has figured out the registrar already. The registry WHOIS for .com reliably identifies the registrar. Using a registrar's WHOIS to identify the registrar seems a bit odd.

Fair point. Kevin Murphy  –  Mar 28, 2012 12:51 PM

Perhaps http://whois.domaintools.com/bankofswissltd.com would have been a better example. I can't remember the last time I had did a two-step Whois lookup on a .com domain.

Some software does it automatically John Berryhill  –  Mar 28, 2012 3:18 PM

Because of the disparate output formats of whois data from registrars, there are some WHOIS tools which do the two-step automatically. Win32Whois needs additional TLD support, but spits out the registry and registrar whois along with IP data.

It depends on how the record is retrieved... Garth Bruen  –  Mar 28, 2012 1:06 PM

This is how the Port 43 Command Line results appear:

Registrar: Jolis Intercom Registrar's Website: http://www.jolis.net Domain bankofswissltd.com Date Registered: 2011-8-12 Date Modified: 2011-8-12 Expiry Date: 2012-8-12 DNS1: ns1.theg7.com DNS2: ns2.theg7.com Registrant Alexander Munobwa alexandernkrumah (at) yahoo dot com 59 Nkrumah Road 256 Kampala Uganda Tel: +256.0782285964
All you have done is point out how the two records differ, which is already discussed in the article.

The FULL port 43 whois includes the Michele Neylon  –  Mar 28, 2012 1:11 PM

The FULL port 43 whois includes the registrar name - as does any other port 43 whois record for any existing domain name even when the registrar's whois server is offline.

Not always Garth Bruen  –  Mar 28, 2012 2:32 PM

It depends on how you access it. The issue is inconsistency and specific misinformation placed in the record by a reseller with the authority of the Registrar. That's the problem, not the semantic distraction attempted here.

>That's the problem, not the semantic distraction Charles Christopher  –  Mar 29, 2012 4:38 PM

>That's the problem, not the semantic distraction attempted here. The the "issue" and "problem" is all the greedy folks that want their own personal copy of all registrant information. And want constant updates of that information. This then leads to whois metering AND many registrars "randomizing" field data so as to make it extremely hard t parse the data, thus discouraging everyone and their dog from continual harvesting of whois records. But please don't listen to a word I say, have a look at the .AU registry's statement about the problem: http://www.ausregistry.com.au/whois "To address user concerns about privacy and spam, and in line with international best practice, .au Domain Administration (auDA) has implemented Image Verification Check (IVC) for all email addresses on the web-based Whois service. The purpose of IVC is to prevent or hinder unauthorised access by automated data mining programs or scripts. For consistency, auDA has removed all email addresses from Port 43 Whois responses; users of Port 43 Whois will be referred to the web-based Whois service to access email addresses via IVC. Please note that there are restrictions in place on how many queries you can make. Your query limit is 20 per hour and 200 per day from the same IP address. If you exceed this you will be banned for 24 hours. " http://www.ausregistry.com.au/help/frequently-asked-questions/101-what-is-whois-blacklisting "What is WHOIS blacklisting? WHOIS blacklisting occurs when a person makes too many .au WHOIS Search enquiries (please see FAQ How do I find out if a Domain Name is available?). Blacklisting means that a person is banned from using the .au WHOIS Search service for a specified time period. The limit is 20 queries per hour from the same IP address. The ban lasts for 24 hours." This all said, and for the Registrars I represent, I personally would like to see Verisign move to the Thick Registry model. This would place the whois nightmare on the back of the registry, and it's response to these "issues" and "problems" will not so easily be misrepresented.

I personally would like to see Verisign Garth Bruen  –  Mar 29, 2012 4:44 PM

I personally would like to see Verisign move to the Thick Registry model.
Completely agree

Moving all thin registries to thick registries... Volker Greimann  –  Mar 29, 2012 5:01 PM

Where can I sign a petition for that? ;-) This has been a request of many registrars for a long time.

>This has been a request of many Charles Christopher  –  Mar 29, 2012 5:05 PM

>This has been a request of many registrars for a long time. Yes it has .....

>This has been a request of many Charles Christopher  –  Mar 29, 2012 5:10 PM

>This has been a request of many registrars for a long time. Ok, I'm going to say it: The moment Maxwell Smart gets rid of "KAOS" he's out on the street, jobless, and panhandling. What makes you think others want the problem solved?

But... Garth Bruen  –  Apr 1, 2012 1:45 AM

To be clear, this issue concerns two domain name records reviewed manually. You raise issues which are valid but outside the scope. High-volume WHOIS queries do not drive a reseller to insert a false name into the record.

I do not consider referencing a reseller Charles Christopher  –  Apr 1, 2012 4:01 AM

I do not consider referencing a reseller as "registrar" to be a "false" record. It's an efficient way to handle something Whois did not foresee. High-Volume queries cause some registrars to make their whois UNPARSABLE and thus inconsistant. This then leads into your wanting this to be easy for people, and it's not because of a different issue. They are linked. So, back to COM/NET implementing a Thick Registry and having to deal with the query overhead problems and metering. This then gives a predicatable standard as well. As an aside, I setup our COM/NET whois server to mimic Afilias' thick registry whois thus harmonizing with .ORG/.INFO/.MOBI/etc standard. I also have NO metering on our whois. I made it as easy as possible for people to read, and to scrape, except I add a long response delay. But you never mentioned that in your report, and you still beat us up on other things you did not like .... I can't think of anybody else that makes their COM/NET records so easy to read .... No brownie points for me. :(

er charles .. replying to you though this is garth's post.. the max # of replies possible reached.. Suresh Ramasubramanian  –  Apr 1, 2012 4:06 AM

Sorry but which registrar do you work for, that's non obvious here. Also - it doesn't really matter as much whether the registrar has thick or thin whois, as much as whether it has and enforces a reasonable AUP in a consistent manner.

I'm involved with several. If you'd like Charles Christopher  –  Apr 1, 2012 4:37 AM

I'm involved with several. If you'd like to contact me please go ahead and use the CircleID message system. Thanks! Thin / Thick DOES matter, for the many reasons I've stated in my posts here. John said it best: ONLY the regisTRY contains "authoritative" data, nobody else does. Thus you first need a thick registry. Next, you need to get rid of privacy whois. So long as you have privacy whois everything else is moot. Privacy whois is considered "correct" and yet it's useless. You then need to pierce it at the registrar to get the underlying whois. Then and only then, that's my personal conclusion after thinking about this over the years, can you perform a verification step. How to do this? I posted my suggestion elsewhere, some "out of channel" (non-internet) method such as a post card with an ID that must be entered into the registry (similar to the current transfer auth codes), via the sponsoring registrar. What I did not say is WHO intitiates such a process of the card being sent. Previous debates on this with peers leave me on the fence. I use to think the registry should do this for a fee, but now I'm not sure that is a good thing. But it seems to me to have to be the registry or the registrar, and to prevent harassment abuse I feel there needs to be a fee to initiate the process and the confirmation must not be repeatable without some time period. Perhaps mirror the 60 day registration and transfer hold period. In other words a new card can only be sent 60 days after the last card, but I think even that gets to be harassment. For example a competitor trying to trip up ones domains registration using this process. This is an ugly issue. And with some registrars now keeping their customers high traffic drops for monetization, I fear nefarious registrars using such a registrant ID process to nab registrants domains. Where is the check that the system itself is not being used maliciously?

No again Garth Bruen  –  Mar 28, 2012 3:03 PM

Clearly I know how WHOIS works or else I would not have known Internet.BS is the real Registrar. .COM is a thin registry, they only give out the Registrar info, the Registrar holds the Thick or verbose WHOIS record. A query made via a site like geektools cuts out the registry portion and goes right to the registrar's server and in this case it returns and displays the fake Registrar information. It merely shows at the top of the output "Checking server [whois.internet.bs]" which many would not know is the real registrar, especially when before it we see "Checking server [whois.crsnic.net]" which isn't the Registrar. If someone manages to discern from all this that Internet.bs is the Registrar and they perform a direct Port 43 on whois.internet.bs, that record will tell them the Registrar is Jolis Intercom. If they do a web-based query at Internetbs.net, that result will also tell them the Registrar is Jolis Intercom. It is telling that Registrars are here trying to distract from the real issue which is that a Registrar has allowed a reseller to obfuscate the WHOIS records of phishing domains. This is the game of Internet criminals, to hide and redirect whenever possible. And your argument is that it's not a big deal, it's ordinary. And that because we disagree on the use of terminology the issue is irrelevant. Fat chance, this is a real issue. And of course what happens when you make a complaint to a Registrar about this kind of issue? They blame the reseller, who is completely under their control.

If someone is doing a port 43 whois lookup.... John Berryhill  –  Mar 28, 2012 3:24 PM

...then that person has already identified the registrar. However, a registrant or technical service provider who needs to make a change to the registration data is best given a clue as to the reseller, where they can resolve the problem. So, despite the inelegant use of the word "registrar", what you are finding deceptive in one context may be positively helpful in another context. I believe that Tucows output states something to the effect of "registration services provided by (reseller name)" to provide that kind of a pointer.

I *think* Tucows also have a system Michele Neylon  –  Mar 28, 2012 3:33 PM

I *think* Tucows also have a system which lets you find the reseller by inputting the domain. In any case we, as a registrar, would be ultimately responsible for any domains on our accreditation.

Tucows was my first thought as well Charles Christopher  –  Mar 29, 2012 3:56 PM

Tucows was my first thought as well Michelle. For those not aware, Tucows is a "reseller" Registrar that was created to provide companies registry access for very low cost. And Tucows helped support individual branding, and scaling up to their OpenHRS system in which a reseller could move off the shared system (OpenSRS) and be a full ICANN registrar (including the high added costs). There are MANY THOUSANDS of hosting companies across the world running Tucows OpenSRS to provide domain registration services to their customers. Tucows has been extremely respected and was the founder of Afilias and original authors of Afilia's backend system. One might also point out GoDaddy's WildWest registrar was setup to address the needs of small businesses to have their own Branded registrar on a shared system. GoDaddy and others have followed the Tucows model and thus helped serve the ever growing need of small business, and increase competition for such services. And also as you said Michele, the idea that a reseller can run free in the wild is ridiculous. All requirements pass through to the reseller, by the shared registrar getting their creds yanked! The registrar is responsible for their domains not someone they call a reseller.

the idea that a reseller can run Garth Bruen  –  Mar 29, 2012 4:50 PM

the idea that a reseller can run free in the wild is ridiculous.
Not if the Registrar allows it. That's the key, it's completely at the Registrar's discretion and no one else.

>it's completely at the Registrar's discretion and Charles Christopher  –  Mar 29, 2012 5:24 PM

>it's completely at the Registrar's discretion and no one else. No, it's on ICANN at that point. For example, I disagree with Whois metering. But I'm a small private registrar so I have more options. My loading is rounding error in GoDaddy's whois server bandwidth calculation. To reduce our Whois loading and since all our contacts are the same I just said: Registrant, Admin, Tech and Billing: And then listed one single contact after that line. Seems pretty clear to me. ICANN did not agree and I was forced to break out each field individually. Further proof, registrars can't just allow resellers to do anything they want. Furthermore I started on OpenSRS / Tucows, and so I now know full well their contract with resellers CLOSELY follow the contract we singed with ICANN. I don't know what part of a registrar being solely responsible for their registrations you do not understand. I guess you want to take the position that a registrar does not care about ICANN pulling it's creds? Ok, well that's a problem ICANN will take care of, a position that will not last very long.

Not necessarily Garth Bruen  –  Mar 29, 2012 4:40 PM

...then that person has already identified the registrar
Hardly. If someone views the registry record and then queries Internet.BS via the web or Port 43, the Internet.BS results tell them the Registrar is someone else. There is nothing in the Internet.BS results that clarifies this. Now, you say someone should be able to figure this out. What I'm saying is that they shouldn't have to. It should be clear as day.

No. For example Moniker and GoDaddy's recursive Charles Christopher  –  Mar 29, 2012 5:04 PM

No. For example Moniker and GoDaddy's recursive whois feature CLEARLY returns the internic records, and thus the authoritative sponsor: http://www.moniker.com/pub/Whois http://who.godaddy.com/whois.aspx?domain=bankofswissltd.com&prog_id=GoDaddy For GoDaddy click on "See Underlying Registry Data". The information is there, and registrars make it available via their HTTP whois lookups. Is the average internet user sufficiently educated to know this? Probably not. Is the average person with just a little experiance tracing down domain ownership aware of this? YES. The people most likely to go after domain registrations know how this all works. And those that want to learn can spend a few minutes on Google to find out how. On Google I searched: domain registrar lookup And the first link was Network Solutions which I click on and was on their recursive whois lookup page. Here is there result: http://www.networksolutions.com/whois-search/BANKOFSWISSLTD.COM The registrar is more than clear without any additional clicks.

Now this is just silly.... John Berryhill  –  Mar 29, 2012 7:20 PM

"...If someone views the registry record and then queries Internet.BS..." Hold up right there. If someone views the registry record, then they have identified the registrar. Full stop. By stating the sequence above, you acknowledge that the ONLY record needed to identify the responsible registrar is the registry record. Because "If someone views the registry record and then queries Internet.BS" those two steps alone indicate (a) that someone has correctly identified Internet.BS as the registrar, and then (b) has moved on to query the registrar's WHOIS. This matters in more than one context. I don't know how common it is among various registrars, but I cannot count the number of headaches I used to run into by not checking at the registry level first. And this goes to the heart of "who is an authoritative source of information". The authoritative source of information as to what registrar is responsible for a domain name registration is the registry and ONLY the registry. A registrar is not an authoritative source of that information. Your objection here is that you are getting an answer you don't like to a question posed to a responder who is not, in the first instance, the authoritative source for the answer to the question you are asking. Yes, I can go into a Burger King and ask them what they think is the price of a hamburger at McDonald's, but it is an odd place to be asking the question. Where this has arisen, repeatedly, in my experience is in transfer issues and the latency time of registrar data. Registrar hygiene of their own WHOIS data is under their control, and there are some registrars which will maintain stale WHOIS data for names that have been long transferred out of them. Because I deal in a lot of domain transaction issues involving verifying that transfers have occurred, maybe our difference in perspective is a consequence of what we typically use WHOIS data to accomplish. But when I have a situation where a domain name is under contract to be moved from registrar A to registrar B, I certainly don't check the WHOIS at registrar A to find out if that has happened. The reason is that registrar A might keep that WHOIS data for days, weeks, or even months AFTER the registry has already begun reporting that the domain name is under the control of registrar B. Hover, in particular, was notorious for this up to the point of sending out renewal reminders for domain names long transferred out. I don't know if they've fixed that since I encountered problems with it or not. Maybe its just habits of mind when it comes to how one sources and evaluates information. The registry is the sole authority on what registrar is responsible for a domain name. So the correct source of information on that question is the registry. No registrar is authoritative on that question, so that is why you are getting this sort of reaction along the lines of "why are you asking a non-authoritative source in the first place?" because relying on ANY statement by a registrar as to which registrar is responsible for a domain name is an exercise in seeking a non-authoritative and unreliable answer - by definition of who is authoritative for what information.

>And this goes to the heart of Charles Christopher  –  Mar 29, 2012 8:04 PM

>And this goes to the heart of "who is an authoritative source of >information". The authoritative source of information as to what >registrar is responsible for a domain name registration is the >registry and ONLY the registry. That needs to be on a t-shirt, poster, banner, and a movie ... Thanks John! :) >and there are some registrars which will maintain stale WHOIS >data for names that have been long transferred out of them. I know you know this John, but for others: There is no EPP command to see what domains a registrar has in its registry account. Now please go back and read that sentence again. Thus there is no ability for a registrar, at a given moment, to "sync" with the registry. There are weekly reports generated, but they are for a moment BEFORE they are posted. Synchronizing databases of two independent organizations is not fun, espically with no "sync command", nor is it possible at any given moment. There are always errors. For these and many other reasons, a registrar gets out of sync with the registry. How do you solve this as related to whois: Implement a THICK REGISTRY model. This takes away a nasty issue we can't solve. As John said we are NOT the authority.

>Hover, in particular, was notorious for this Charles Christopher  –  Mar 29, 2012 8:21 PM

>Hover, in particular, was notorious for this up to the point of >sending out renewal reminders for domain names long transferred >out. I don't know if they've fixed that since I encountered >problems with it or not. It's not fixed, unless I missed a memo somewhere. :) I've got a domain right now that I transfered in and losing registrar is still sending renewal emails. The only way to do it that I know of is running the published reports once per week, which means up to 7 days for a cleanup task to run and catch it. Or constantly run checks of all your domains, which I don't think the registries would like, nor is this even possible for the big registrars to do. The registry servers would grind to a halt, and yes I have seen this happen for similar situations. This is an EPP protocol issue, so it occurs on all registries. And it's not even reasonable to create an EPP sync command, it would have to be done "out of channel". That then means it could not be done "perfectly". So the current report serves the need but perhaps could be published each day versus once per week. It's all about error conditions. Systems never work perfectly. And some error conditions are a nightmare to fix. Moving to a thick registry does not "fix" this problem, it eliminates a problem that in turn is creating another problem: The idea that the registrar is authoritative.

Assumptions Garth Bruen  –  Apr 1, 2012 1:39 AM

You are assuming that everyone knows the difference between a registry and a registrar. As you say, you do many domain transactions, you live squarely in this universe so you would know. I am constantly contacted by law enforcement who are befuddled by the completely unclear record structure.

The answer here is moving COM/NET to Charles Christopher  –  Apr 1, 2012 3:45 AM

The answer here is moving COM/NET to the thick registry model. This generally harmonizes whois, thus making it more likely that the most number of people know how to properly use it. Registrars will still using the fields to "misdirect" customers to reseller accounts, and Law Enforcement is still going to be confused. They will eventually figure it out, just as we all have. And if the problem is REALLY that bad, then perhaps you should have somebody build a site for you that you can direct them to to obtain the info they are looking for. This is after all fully automated now, otherwise the system would not work.

Whose port 43 did you check? Thomas Barrett  –  Mar 28, 2012 2:29 PM

Perhaps you could provide us with which registrar’s Port 43 you checked to retrieve this record?

Already answered above but here's another example... Garth Bruen  –  Mar 28, 2012 3:07 PM

We of course filed a complaint against this domain. When a complaint is filed with ICANN their system sends you a current copy of the WHOIS record. NOWHERE in the ICANN response does the term “Internet.BS” appear, so they’re not even really sure. Below is the full WHOIS record sent by ICANN:

############################################

Domain: bankofswissltd.com

Submitted: Sun, 25 Mar 2012 20:43:50 PDT

############################################

WHOIS INFORMATION AS OF Sun, 25 Mar 2012 20:43:50 PDT

Registrar: Jolis Intercom
Registrar’s Website: http://www.jolis.net

Domain bankofswissltd.com

Date Registered: 2011-8-12
Date Modified: 2011-8-12
Expiry Date: 2012-8-12

DNS1: ns1.theg7.com
DNS2: ns2.theg7.com

Registrant
Alexander Munobwa alexandernkrumah (at) yahoo dot com
59 Nkrumah Road
256 Kampala
Uganda
Tel: +256.0782285964

Administrative Contact
Alexander Munobwa alexandernkrumah (at) yahoo dot com
59 Nkrumah Road
256 Kampala
Uganda
Tel: +256.0782285964

Technical Contact
Alexander Munobwa alexandernkrumah (at) yahoo dot com
59 Nkrumah Road
256 Kampala
Uganda
Tel: +256.0782285964

Registration service provided by:
Jolis Intercom
Plot 22 Namanve, P.O. Box 22930
Kampala,EA,UG 256
.(JavaScript must be enabled to view this email address)
+256.752567374
http://www.jolis.co

############################################

"NOWHERE in the ICANN response does the term "Internet.BS" appear, so they're not even really sure." John Berryhill  –  Mar 28, 2012 3:38 PM

But since that output was obtained by the port 43 WHOIS mechanism, they must be sure.

John - exactlyThere is no way for Michele Neylon  –  Mar 28, 2012 3:42 PM

John - exactly There is no way for ICANN, or anyone else, to serve up the WHOIS data for a .com without the registrar's whois server doing the work and without them actually contacting it .. which assumes knowledge of whose it is and where it is located

It's a common problem John Berryhill  –  Mar 28, 2012 3:50 PM

I used to look at those tourist maps displayed in various cities with the red dot labeled "You are here" and would wonder, "How do they know that?"

"Wherever you go, there you are" Garth Bruen  –  Mar 29, 2012 4:42 PM

"Wherever you go, there you are"

"WHOIS record sent by ICANN" Volker Greimann  –  Mar 28, 2012 4:19 PM

... is ICANN's problem. But seriously: While I agree that it is not helpful that ICANN omits half the WHOIS data, that data is not required for the complainant to check if his complaint is correct as his complaint is only meant to be about the WHOIS data of the registrant, and not about the data of the company the registrant used to register his domain names with. As John and Michele explained before, the user of the WHOIS complaint form already knows the registrar from completing a complete WHOIS search in the first place. It is absurd to assume the response to his complaint is all the complainant will see, simply because to make the complaint about the data in the first place, he would have had to look for the full (not thick, btw) data (and find a defect in that data) prior to making the complaint. If on the other hand the complainant is using the WDPRS to complain about an issue not relate to the WHOIS data of the registrant, he is frankly abusing the system. That said, showing the reseller name in the WHOIS data in addition to your own data is perfectly acceptable as it helps a user to find out more about the domain and how it was registered (and even complain to the registrar about reseller inaction, if necessary). While it can be argued that calling the reseller "Registrar" is not the best of all ideas, most registrants do not make the distinction between registrar and reseller either.

It's everyone's problem Garth Bruen  –  Mar 29, 2012 4:33 PM

It is absurd to assume the response to his complaint is all the complainant will see, simply because to make the complaint about the data in the first place, he would have had to look for the full (not thick, btw) data (and find a defect in that data) prior to making the complaint.
It's not "fake" registrar data. The authoritative Charles Christopher  –  Mar 29, 2012 5:44 PM

It's not "fake" registrar data. The authoritative registrar is avialable as already pointed out. If a reseller's business gets forced into the sponsoring registrar's support system, the entirety of the resellers business is destroyed. A domain registration generates perhaps $1 to $2 of revenue per year. The economics of that should be obvious. Any reseller support moved to the sponsor quickly racks up business losses for the sponsoring registrar. I'll give you all a hint, that very tiny markup tells you more about what drives this industry than anything else. When you look at these issues, and yes assuming the entities being discussed are honest, ponder how that low revenue would influence the situation and you'll likely on your own figure out what is really going on and why. If you have one domain at a registrar, and call up for support, when that support call ends how much do you think that call cost relative to what was made from your registration? That call likely resulted in total loss of revenue for your single registration. I have a very similar problem. We lease out or connections to other registrars as part of thier drop catch pools. From the ICANN perspective, their domain registrations are MY PROBLEM and NOBODY else. However, our lease relationship is that none of these registrants are mine. This can be very ugly if I lease to the wrong entity, they can literally kill my registrar and create huge liability - Which is why our lease roughly says "Do anything to threaten our registrar and I'll yank your access immediately!" However I have to setup those registrar websites in a way you claim is "fake". I must do this because I need their registrants to go to their website for support and domain administration. I'd lose money if their customers came to me. This is exactly the same as what you are talking about. Again, this is how the industry works Garth. In my case I have the liability of keeping a registrar up and running, and others have access to those connection on demand. They pay a little extract for this, just as a reseller pays the sponsor a little over registry reg fee. You are throwing the baby out with the bath water ....

I need to add one more thing Charles Christopher  –  Mar 29, 2012 6:08 PM

I need to add one more thing to my above post. While it changes with time, you'll find that an enormous number of current ICANN registrars are NOT independent registrars, they are in fact part of registrar pools operating under a different name which itself is usually the primary registrar. Now that said, each of those registrars will be a seperate corporation, but there will be a corp they all operate under. In other words the entire "reseller abstraction" is mirrored in these registrar pools. So nothing I've said above is news to anybody that has involvement with registrars, but it's something that very few others are even aware of. At times I think the total number of freestanding registrars might have been as few as 1/3 of the total registrars. In other words maybe as many as 2/3's of the registrars were directly related in some way, via a much smaller number of groups. And yet the industry has thrived with this happening. At one time one catch pool had as many as 250 registrars working together as "one registrar". This again shows how "pushing" a registrant else where through whois is a necessary part of profitable operations, and why it's not intrinsically evil to do it. I need to say these things because, Garth, you create a huge problem for me and others by seeding such ideas in the mind of others. That it's wrong for us to use the whois to remind customers where there admin panel is located. For the most part few care, and if they do care then they know well how to transfer the domain where they want it. They just want to make sure they can manage their domains when they need to and it gets renewed when they pay renewal fees.

Rather than "stumbling" John Berryhill  –  Mar 28, 2012 5:53 PM

By the way, while you have “stumbled” onto this one, you might consider submitting it to the fake bank database at http://db.aa419.org/fakebankslist.php .

Hosted by Internet Systems Consortium, aa419.org publishes an RSS feed of fake banks, so that ISP’s and other technical service providers can take a variety of actions in relation to them, in order to protect their customers.

They don’t even charge the sort of “consulting fee” that some self-styled internet security experts do.

It's only stumbling in the sense that Garth Bruen  –  Mar 29, 2012 4:57 PM

It's only stumbling in the sense that it wasn't the original objective of the research that found it. I regularly report to and coordinate with anti-phishing efforts.

Okay, so other than sending a whois report to ICANN... John Berryhill  –  Mar 29, 2012 7:02 PM

...what other steps did you take to alert browser plug-in maintainers, security software updaters, etc. of this site. When I stumble across these sorts of things, I report them to aa419.org, which gets them into the bloodstream of numerous parties who can prevent the users of their software from similarly stumbling upon them. The response time of this network which, yes, includes registrars can be pretty quick, and a lot quicker than any legal mechanism such as a contract compliance action.

Ugh. Everyone of consequence from the ISP Garth Bruen  –  Apr 1, 2012 1:43 AM

Ugh. Everyone of consequence from the ISP to the banks was notified. The issue here is the insertion of fake Registrar data. You're trying to change the subject. It's not just about this particular website, Internet.BS allows free reign to change the details of the WHOIS by its resellers.

Garth, I detailed this out for you.This Charles Christopher  –  Apr 1, 2012 3:40 AM

Garth, I detailed this out for you. This is done to keep costs low and maximize efficiency of resellers sharing registrar accounts. The more people involved with domain names the better off we all are. That mean "clueless" registrants they need to be directed based on the terms they are aware of. The true sponsor is totally available.

Same operator as phony "Bank of Thailand", and tied to malware site in Moscow. John Nagle  –  Mar 28, 2012 8:45 PM

It’s the same operation as the phony “Bank of Thailand”.  Some of the pages even use the “Bank of Thailand” name. 

There’s a link within the site that leads to “desk-airline.ru”, a known malware site hosted in Moscow. But that site is down, not currently in DNS.  So this phony bank site doesn’t seem to be doing much.  There’s also a link to “cdredret.ru”, which is also not in DNS.

UCSB’s malware scanner reports an exploit on the site.  It attacks using Internet Explorer’s willingness to run Microsoft Help files.  Other than spread malware, the site doesn’t seem to do much. The “apply for an account” page gives you a non-interactive PDF form to print and fill in, but provides no address where it could be submitted.  It may have been created to support some other scam that required a bank web site.

Hosting is at “theg7.com”, in Germany.  I’ve notified them.

Looking at the Whois information of fake sites is generally pointless.

John Nagle
SiteTruth

Looking at the Whois information of fake Garth Bruen  –  Mar 29, 2012 4:34 PM

Looking at the Whois information of fake sites is generally pointless.
Isn't that a sad state of affairs.

Then be part of the solution John Berryhill  –  Mar 29, 2012 7:50 PM

In the context of the RAA negotiations, one of the points has been to verify the identity of a domain name registrant. One suggestion made was to obtain such information as driver's license, social security numbers, passport numbers, etc. However, this information is useless to a registrar who has no way to confirm that information. I can require someone to provide what they purport to be a driver's license number, but I'd love to know what it is I'm supposed to do with an N digit number, the veracity of which I have absolutely no way of determining. Accordingly, what we need to do is to work together in order to mandate that government bodies which issue identification documents must open up their databases to registrar verification of those identification documents. Then - problem solved. As a targeted alternative, though, what would be much more effective is to require criminals to register themselves and to be issued an official criminal identification document prior to registering domain names and engaging in crimes. Then, when a domain name is used in a crime, then it can be readily confirmed that the domain name was indeed acquired by a duly registered criminal. While there has been a focus on, for example, credit card information used to initially register a domain name, I figure it will be at least several months before those focusing on credit card information will begin to realize that there are several pathways to domain registration which do not involve a credit card transaction in the first place. When, for example, a domain name is registered for a term of several years, that domain name can change hands several times from that initial registration, without one dime going from the current registrant to any registrar. Various permutations of these scenarios figure prominently in any of several domain hi-jacking schemes. However, in a society in which a fair number of people still cannot figure out where the President of the United States was born, there is not going to be any authentication strategy which satisfies everyone.

Identity verification is standard in the CA industry. John Nagle  –  Mar 29, 2012 8:29 PM

The Certification Authority and web browser industry is addressing user validation right now. There was a break-in at DigiNotar, and the attackers were able to issue fake SSL certificates for major domains. The problem was dealt with harshly. The Mozilla Foundation (the organization behind Firefox) pulled DigiNotar's root certificate out of their browser. This immediately invalidated the SSL certs of all DigiNotar customers, legitimate or not, when seen in Firefox. Microsoft and Google followed suit. DigiNotar was bankrupt within two weeks. In the CA world, there are audits by external auditors. The rules for those are being tightened, as are the rules for verifying the identity of parties requesting SSL certificates. See "http://www.cabforum.org". The basic rules have been agreed on by CAs representing over 94% of the SSL certs in existence. CAs that don't get on board by July 12, 2012, will probably be locked out of major browsers. The new rules can be seen in section 11 of "http://www.cabforum.org/Baseline_Requirements_V1.pdf" The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 1. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition; 2. A third party database that is periodically updated, which the CA has evaluated in accordance with Section 11.6; 3. A site visit by the CA or a third party who is acting as an agent for the CA; or 4. An Attestation Letter. Databases for verifying business existence and ownership are available. Dun and Bradstreet's Public Record Service, for example, offers them. Domain registrars should require a similar form of validation. If a domain is purchased for a business, the registrar should verify the identity of the business at least by 1) checking that the business has a valid legal existence (corporation or D/B/A name), and 2) that paper mail sent to the address of the business reaches the registrant. It would be sufficient to mail a letter with a passcode to the WHOIS address; until the passcode is entered on line, the domain doesn't go into DNS. If a domain is purchased by an individual, the name and address data for the domain should be that associated with the credit card used to buy the domain. There's pressure on ICANN to clean up the registrars, especially since ICANN has to convince the Department of Commerce to renew their contract over the next few months.

>Domain registrars should require a similar form Charles Christopher  –  Mar 29, 2012 8:46 PM

>Domain registrars should require a similar form of validation. I hate "Show my your papers!" and guilty until privon innocent ... And watch the price of domain registrations EXPLODE, and for nobodies real benefit. For example I could create a business to register domains using your process and then transfer / push the domain to someone else. The internet is the success it is BECAUSE of low registration fees. Dramatically increase fees and internet freedom is over. Of course I know some would love to see just that.

Outsource ID verification The Famous Brett Watson  –  Mar 30, 2012 3:10 AM

Domain registrars should require a similar form of validation.
What about requiring that registrants have a digital certificate as part of the transaction? This makes the cost of verification an external cost, borne by the consumer. CAs are supposed to be in the business of identity verification, so why not let them do it, just to externalise the problem? Not only does the cost of verification become separate from the cost of domain registration, but the cost of verification can be paid once for many domain registrations. I have mixed feelings about this approach, but I think it's an obvious possibility, and I'm curious as to why I never see it raised as an alternative. I mentioned it in one of Garth's previous articles, but nobody took the opportunity to discuss it.

What about requiring that registrants have a Garth Bruen  –  Apr 1, 2012 1:50 AM

What about requiring that registrants have a digital certificate as part of the transaction? This makes the cost of verification an external cost, borne by the consumer.
If the domain is intended to be used for commercial purposes, absolutely. If someone claims it is for "personal" and then starts selling pills, software, or pretending to be a bank - then they have violated the agreement, domain suspended.

A neighbor down the street has a Charles Christopher  –  Apr 1, 2012 4:16 AM

A neighbor down the street has a one man shop, his own garage. He put up his own website up, mostly a business card website. He's trying to keep his costs as low as possible. I was impressed, he did a nice job. He just kept at it over time making it look nicer. There is no way he's going to be able complete a certificate process himself, nor should he be burdened by a cert he does not need. You just placed a significant, and unacceptable, barrier in front of him and all like him. Why it is nobody thinks of small business anymore? Everybody thinks all businesses are ones loaded with geeks that can bit-bash boat loads of bits in their sleep. And what happens when a child does the lemonaid stand version of a website, perhaps using ebay and paypal? The kid's reward is having the family domain name yanked. What about other monetization, such as PPC? How about affiliate programs? What about people selling banners on their site? PLEASE stop treating everyone like criminals, that everybody is guilty until proven innocent. Thank you! Again, to advance our industry we need to make everyone as low in cost as possible, and as easy as possible. And yes, this gives bad guys a place to hide. Guess what? There will ALWAYS be places for them to hide, ALWAYS. Solutions must minimally affect the good folks, of which most registrants are.

I've felt a process of whois verification Charles Christopher  –  Mar 29, 2012 8:39 PM

I've felt a process of whois verification would be the way to go, but that then means privacy whois must go away. And I would like to see privacy whois go away. As I've said in other threads, there are other options for privacy whois, such as Post Office Boxes or use of a lawyer's office. Conceptually, an ID number on a post card is sent to the address in the whois. That ID must be entered into the registrants registrar admin panel. This process is only initiated for a fee, to cover costs and reduce noise. After some time, and retry attempts, the domain is dezoned (not deleted, thus forcing a response if they want their domain to be useful). Same can be done via email or phone. This to is imperfect, but at least is allows the actual posted whois to be tested at any time. The check is valid for some period of time so folks can't abuse this by hammering a registrant with whois checks. The registrant can't obtain the ID except though the communications paths articulated in the whois. Thus the whois itself is verified.

Anonymous businesses John Nagle  –  Mar 29, 2012 9:05 PM

As I've said in other threads, there are other options for privacy whois, such as Post Office Boxes or use of a lawyer's office.
Anonymous businesses are illegal in many jurisdictions. (See "Regulatory and compliance docs on our "http://www.sitetruth.com/doc/"). In the US, you can rent a P.O. Box and not have the ownership disclosed without a subpoena. (That info used to be available on request, but that's no longer the case.) You can register a D/B/A name. You can form a corporation. What you can't do is transact business as an anonymous party.

>In the US, you can rent a Charles Christopher  –  Mar 29, 2012 9:26 PM

>In the US, you can rent a P.O. Box and not have the ownership >disclosed without a subpoena. (That info used to be available >on request, but that's no longer the case.) Perfect. If I'm not doing anything wrong then go away and leave me alone. If you want to verify this address is associated with the domain, fine, do it. Thus you KNOW this is the POB box to get the subpoena and can prove it to get the subpoena. I want people to have privacy and I think today's society offers many ways of doing that, and allow you to verify my registration detials, while making sure you are not a psycho showing up on my doorstep. :) To flip this around, privacy whois also denies the registrant an internet fingerprint of control of the domain. In other words if you have a domain using privacy whois, and I steal it from you, but don't change the DNS, you will have no idea you lost control. If I can quickly transfer that domain to another registrar, one outside your country and not speaking your language, have fun getting it back as you can't even prove it was yours. This then leads into my desire for registries to offer a paid "WhoWas" service. For a fee you can pull the complete registration history of a domain name. The fee is the carrot for registries to implement such service, and I suspect it's use will generate FAR more revenue that the registrations themselves .... I just keep seeing evidence that privacy whois causes more problems than it solves and other solutions are available.

Garth, how can you possibly use the Charles Christopher  –  Mar 29, 2012 4:28 PM

Garth, how can you possibly use the word “thick” and “thin” registry model, while at the same time completely ignore what those terms mean when stating your case?

As John points out, “You Are Here” is on the map for a reason.

For those not aware of these terms:

Thick Registry:

This is the “new” registry model. There is one single server in the “whois hierarchy”, and the registry itself provides the entire response. The registrar DOES NOT return the whois result for these queries. The registrar can edit SOME, not all, of the data this whois response via “contact records” in the registry database. In effect the Whois response is an expression of the domain’s state in the Registry Database at that moment.

Thin Registry:

This is the “old” whois system, still implemented by Verisign and used for .COM and .NETs. The difference from “Thick” is simple, the Verisign backend does NOT have “contact records” and thus the registry has no clue of domain “registrant” information and this is left to the registrar to provide.

However, the Verisign registry does form the beginning of the whois hierarchy, which is two levels deep, or “two steps” as stated by others above. We registrars, via the Verisign Admin Panel, tell Verisign the NAMED LOCATION of our Whois server.

So now lets review what that means, how this works. When you look up the whois for a .COM or .NET, you go to the “root” whois server, which does not return a whois response but instead returns THE SPONSORING REGISTRAR AND THE NAMED LOCATION (ULR) OF ITS WHOIS SERVER. Thus at that step, without doing ANYTHING ELSE, you KNOW who the registrar is. You may now use that server name and query the “whois” from that server. Since the registrar provides this result they can return the result as they wish, however there is a minimum set of fields required based on their ICANN contract.

And for those still not clear about what I’m saying, no problem. If you ever what to know the sponsor of a .COM or .NET domain name just go here (make sure “Domain” is selected):

http://www.internic.org/whois.html

And look what we get:

  Domain Name: BANKOFSWISSLTD.COM
  Registrar: INTERNET.BS CORP.

<---------------
Whois Server: whois.internet.bs
Referral URL:

http://www.internet.bs
  Name Server: NS1.THEG7.COM
  Name Server: NS2.THEG7.COM
  Status: clientTransferProhibited
  Updated Date: 12-aug-2011
  Creation Date: 12-aug-2011
  Expiration Date: 12-aug-2012

Internic pulls directly from the Registry for you. No special tools needed. It returns the “first step” values.

@Volker Garth Bruen  –  Mar 29, 2012 5:04 PM

Where can I sign a petition for that? ;-)

This has been a request of many registrars for a long time.

I will be happy to raise the issue within At-Large

There's no need - I think there's Michele Neylon  –  Mar 29, 2012 10:25 PM

There's no need - I think there's already an ongoing issues report and possible PDP on the subject as a result of the IRTP-B final report.

Sigh Garth Bruen  –  Apr 3, 2012 1:18 PM

Once again I'm being told not to talk about an issue and that everything will be fine. Fat chance.

GarthIf you're responding to me then I'm Michele Neylon  –  Apr 3, 2012 1:29 PM

Garth If you're responding to me then I'm really confused. I merely pointed out that the issue had already been raised and that there should be a PDP on the subject of thick whois I don't honestly see how that can be classed as telling you not to do anything. Regards Michele

Speaking of whois accuracy checking by registrars Suresh Ramasubramanian  –  Mar 31, 2012 1:44 AM

What do you think of the SOCA 5Cs whois validation model?  Garth, especially you - would love to hear your thoughts.

http://news.dot-nxt.com/2012/03/12/five-cs-whois-validation-model

>What do you think of the SOCA Charles Christopher  –  Mar 31, 2012 2:47 AM

>What do you think of the SOCA 5Cs whois validation model? >Garth, especially you - would love to hear your thoughts. > >http://news.dot-nxt.com/2012/03/12/five-cs-whois-validation-model Its a rather extreme example, since I am a registrar, but it's very much like consultants manageing domains and websites for customers. I'm been involved with a local not for profit going on 14 years. I sponsor their domain names in one of my registrars. The whois has little to do with me, and if I were not a registrar I'd set it up the same. Thus, I think, that whois would fail those tests. I've seen too many consultants screw customers over bu holding that customer's domain hostage when they want to use someone else to manage their site. So in effect, the whois matches the person "paying" for the domain but that person is not who *I* would consider the registrant. And yet all the whois if is "correct". Fearing the above, or something happening to me, I take the opposite approach and have all the contact records trace back to the organization. And yet that info is all "wrong" relative to me as I am the one paying (I never asked to be reimbursed) etc. I'd very common for domain whois info to be very different than who I would consider the true "enduser" or "registrant" of the domain. And in many cases that is good because the "right" person is so clueless they should not be on the contact list. These things come back to Professionalism, a word I hardly see used these days. Back to my feeling that we need to stop entertaining the cost burden of "Guilty Until Proven Innocent". If most people were bad, or even a lot of them were, then the internet would never have gotten where it has. We need a surgical knife for the bad guys. As best I've been able to come up with that is "out of channel" whois verification (which your link shows) AND no more privacy whois. The lack of privacy whois does create a regretable cost burden on some registrants, but I've not been able to think of a solution to that. They need to get a POB or use a lawyer, etc. Bottom line if you put a letter in the mail to the listed address it MUST be received by the registrant or their legal rep.

Oh, I keep forgetting to mention this.You Charles Christopher  –  Apr 1, 2012 5:35 AM

Oh, I keep forgetting to mention this.

You folks suggest the registrar checks a cert for a domain registration.

So who issues that certificate?

The typical registrant will know nothing about certs and thus will purchase the cert at the registrar, thus all registrars will provide a cert service. However, all certs are not equal. The registrar will want to provide the best experiance for the registrant (and grab money ASAP), and thus will “validate” the Credit Card info (most likely) then immediately issue the cert. From the registrant’s perspective they received nothing of value to them, but paid an extra, and high, fee.

To make this as smooth as possible, there will be pressure on the registrar to generate the private key, sign it, then give the registrant the private key (then deleted) with the cert just to make the process simple and painless. This is true since most registrants will never use the cert. Again all certs are not the same. Sure you can create a best practice procedure, but in effect the problem was not solve it was just made more complex and diffuse so nobody knows what the real problem is anymore nor how to solve it. Yes I know having the CA generate the private key is completely wrong, but it’s economics. And if you use policy to stop this then for $600 the registrar creates another corp, that is a seperate server in their server rack, to process the cert. So we assume this is all fine because the server on the top of the rack is the CA, and the one on the bottom generates the private key for the client. This hurts my head just thinking about it.

And when peoples laptops need a new OS install that cert they forgot about will likely be gone. Or worse yet, it will still be sitting on their email server for others to try an nab, with it’s private keys, say the malware you are trying to stop. At that point, just to service non-tech people, SSL certs value will decrease markedly.

If you require a third party to produce the key you’re back to creating a barrier that will damage the industry. But then you have another problem. The registrar will need to register the domain BEFORE the cert process can start since that is what the cert is validating. Now the registrar paid the reg fee, but the cert process fails. The registrar can’t provide access to the domain, but paid for the domain. If this happens within 5 days the registrar gets a refund, but only if that does not happen often. The number of states to manage to register a domain and get it into the customer admin panel just turned into a nightmare, assuming it gets there.

So we go form law enforcement not knowing where to find registrar data, to new registrant having to make a car payment equivlent to register a domain name. And then keep renwing the cert how often? How often do you want to make sure their info is still valid?

Clarifications The Famous Brett Watson  –  Apr 1, 2012 8:27 AM

You folks suggest the registrar checks a cert for a domain registration.
"You folks" is just me at the moment. I'm happy to take sole responsibility, and I stress that I'm not advocating this idea, just using it as a point of comparison. Your post contains a number of valid points, but also some misconceptions. Some of your misconceptions are based around the idea that this would be a domain name certificate, like those used for SSL. This is not the case. The data points being certified are the registrant's contact details, as would appear in the Whois record. The CA merely certifies that communication with the registrant is possible using these details. This is what registrars or their agents are supposed to do now, but they have economic incentive not to do so. Your points regarding the inability of the average person to handle a digital certificate are well made, but a slight change in strategy will address them. Certification does not require a stand-alone digital certificate: it can take the form of an online service, just as the OpenID standard can be used for authentication. This suggests that the CA model work as follows. 1. The user creates an account at the CA (for a fee), providing the contact details which are to be verified. 2. The CA undertakes the verification process, confirming that codes sent to the user via the contact mechanisms are correctly fed back into the account. 3. Once the data is verified, the user can simply cite this account ID (possibly in the form of an email address) when registering a domain name. 4. As part of the domain name registration process, the registry will request the contact information from the CA. The CA can confirm this relationship with the account holder before releasing the data. Note a couple of things about this. For one, there is no particular need for the registrant's contact details to be made public, or even revealed to the registry: so long as the account ID is public, appropriately authorised parties can obtain the details from the CA. The whole of Whois could be reduced to a single account ID per domain, and published using a DNS-like protocol. For another, the CA can still provide a traditional digital certificate to the user: should the user want one, he need only upload the appropriate public key, and the CA can send it back in a signed certificate, with the other (verified) details. The question of how to verify these details is, I think, relatively uncontroversial: use random confirmation codes and a closed loop. The question of how often to confirm them is a matter of policy. The time of last confirmation could form part of the available data. The cost may not be all that significant. Companies like Google and Facebook may even be prepared to offer the service gratis, since they obtain verified personal data for their efforts, and they seem to consider that kind of thing valuable. Compromised accounts will be a problem. Then again, they are already a problem. At least this kind of service naturally offers several out-of-band communications mechanisms which could be used to detect and thwart such compromise.

There are links in this thread that Charles Christopher  –  Apr 1, 2012 4:57 PM

There are links in this thread that clearly show the idea of using certs is being discussed outside this thread. You are not alone.

>Some of your misconceptions are based around the idea that this would
>be a domain name certificate, like those used for SSL. This is not the case.

Then someone will make a business out of using their “personal” certificate to register domains and than sell a copy of that cert with the domain name.

Thus the cert MUST tie to domain to the registrant, otherwiss again, the problem just got moved to an entirely different problem. And it increased costs and complexity WITH NO REAL BENEFIT. Furthermore the cert implies a certification life time FAR beyond the 60 days I have suggested, thus again making it a Rube Goldberg exercise.

I suggest anytime we take a “guilt until proven innocent” stance, that is all that will happen, the problem will not be solved it will just diffuse into something uglier. The resulting complexity attracting ever more complexity ... And it has been my observation that complexity creates even more places to hide.

>Note a couple of things about this. For one, there is no particular
>need for the registrant’s contact details to be made public, or even
>revealed to the registry:

For me there is. I’ve been involved with domain names since about 1999.

I always have concerns about domain theft. I consider it of great value to have a registrant’s association with a domain and having that finger print across the internet. When a domain gets stolen from your very impersonal brain dead automagic EPP backend system, you want something external to PROVE it was your domain registration!

And I’ll just add, I to had domain at RegFly during their theft of customer domains. I was one of the first kids on the block to have my own personal domain monitoring system which I used for my domains and domains I was interested in. That system is what alerted me to the problem at RegFly well over 1 year before the take down. I called them up and asked why they keep changing my whois to some student with a .EDU email. They kept saying sorry, its a bug. The third time was enough, I transfered out and got on the forums to warn people.

Addtionally, I’ve seen registrar take peoples money to renew domains, and not renew the domains. They use this “bug in there system” to force domains into their auction systems. Why? becuase it’s enormously more profitable to auction a customers domain than renew it.

Yes folks this stuff IS all related. Welcome to hell ....

>The cost may not be all that significant.

As I already have said in detail, registrars profits are based on a $1 to $2 markup of each domain. One single support call WILL wipe out a domains profit. And now arguments are being made to increase the number of states involved with domain registration as well as involve third parties with that process.

Perhaps I have not been clear enough:

I WANT TO PROTECT THE GOOD FOLKS OF WHICH MOST REGISTRANTS ARE GOOD HARDWORKING FOLKS!

Having good folks pay, yet again, for the behavior of bad folks is not acceptable to me.

>several out-of-band communications mechanisms which could be used
>to detect and thwart such compromise.

I make no claim that my idea it right or best.

I only claim that I’ve thought about it for a very long, and as a registrar, and as a registrant who as actually managed thousands of domains before becoming a registrar.

In fact, and this is key, I became a registrar just because I WAS fed up with all the registrar games I was going thought. It has been my observation that some of the most knowledgeable people on these issues because they are the most experianced, are in turn DEMONIZED and disenfranchised. Those people are DOMAINERS.

I R 1

And like me I see more and more of them just leaving you all to self created chaos as they to obtain their own registrar credentials. They are moving up the food chain because they are never invited to share their knowledge and experience.

I wish we could all use privacy whois. But from where I stand, and what I see going on, that we make the problem worse. Furthermore, when we have the same non-technical person clicking on things they should not, mo amount of whois hardening is every going to help. Amount other things, I feel fortunate to have the mother I have because, at over 80 and still kicking hard, she is flat out CLUELESS about technology and I always use her as my “metric” of the average internet user. I’m fortunate to have her to keep me well grounded on these (and other!) issues ....

She’s always clicking on things she should not click on. QED FWIW

If any of you save save HER from the internet, I’ll bow and kiss your toes. Really I will!

Cross-purposes? The Famous Brett Watson  –  Apr 1, 2012 5:28 PM

Then someone will make a business out of using their "personal" certificate to register domains and than sell a copy of that cert with the domain name.
I'm afraid I don't follow this at all. You're suggesting that people would sell their identities to allow other people to engage in fraud using them? That sounds like a fairly self-limiting business model. I suspect we are at cross-purposes here.

I'm saying that will happen, in some Charles Christopher  –  Apr 1, 2012 6:12 PM

I'm saying that will happen, in some way, it will happen. It goes back to all certs not being equal. Are you going to impose a limit on the allowed CA's? What is the cost of getting my CA approved? If not, anybody and their dog can download software and roll their own self signed certs and sell them to anybody. Then are not signed against a domain and thus can be used for any domain. If you limit the CA's you now have the problem of people buying a CA and then get mad at the registrar form not accepting it. They have no clue what this is really about. I think this is one of the biggest issues I keep having to remind myself of as well, it's a BIG planet. There are LOTS of places and people that do not care about their "reputation" in the US or most anywhere else for that matter.

Thick and Thin Garth Bruen  –  Apr 6, 2012 8:54 PM

Before moving on from this topic, here is a final note. When the word “Thick” was used in the article it referred to the RECORD and not the REGISTRY. The usage is completely correct and appropriate, in a specific sense and a general sense. A thin record is one which has few details; a thick record has more or all. One only needs refer to ICANN’s document: Brief Guide to the Domain Name System and WHOIS

.com and .net are “Thin” WHOIS registries meaning that within these registries, there is not a single source for complete WHOIS information for each of the domain names having the .com and .net TLD.  Rather the complete (“Thick”) WHOIS data is available only from the registrar from whom the domain name was purchased. There are hundreds of registrars that register .com and .net TLD domain names, so Thick WHOIS data is distributed among hundreds of WHOIS databases for these domain names.

Reflect on the gnashing of teeth over the use of a word and remember that Internet users who might review these records do not live in the dense world that we do. For that they should simple and clear.

Their is a critical difference between the Charles Christopher  –  Apr 6, 2012 9:22 PM

Their is a critical difference between the two "thick registry" examples you give. Using your model: When the "thick whois" is served from the regiSTRY, then the data can be considered "authoritative". Then the "thick whois" is served from the registRAR, then the data can NOT be considered "authoritative". For a thread that uses the word "fake" twice in it's title, the "authority" of the whois elements cannot be dismissed. That is why so many of us drew attention to the difference. Using the idea expressed by the word "thick" too freely obfuscates this critical distinction, and why so many registrars want COM/NET whois moved ENTIRELY to the regisTRY. Using the idea expressed by the word "thick" too freely also suggestes there is no good basis for the initiative refered to by Michele: "I think there's already an ongoing issues report and possible PDP on the subject as a result of the IRTP-B final report. " There IS a difference. This is not just word play .....

Um, you just skipped over the part Garth Bruen  –  Apr 6, 2012 10:12 PM

Um, you just skipped over the part where I said record not registry…

Where in the registrar’s WHOIS record for the domain in question does it state “this is not an authoritative record”? And when this record is unreliable because it has a fake registrar listed, you can’t really go to the registry because they don’t have the full information.

Did not skip over anything. :) I Charles Christopher  –  Apr 6, 2012 11:28 PM

Did not skip over anything. :) I followed your desired to simplify this for the average person. >Where in the registrar's WHOIS record for the domain in >question does it state "this is not an authoritative record"? See, from here we can argue this either way. In my case, keeping this simple, I'd argue this is reason to implement "a thick registry model" for COM/NET. That way it does not have to say it's not authoritative, because it WILL then be authoritative. And if it's a "thick registry" whois record then the regisTRY will control the "registRAR" field not the registRAR controling the "registRAR" field in the returned text. This is why a thick registry is authoritative, and a thin whois is not, thus precisely "fixing" your concern. Let me try to approach this from a completely different point of view. No ICANN registrar in the world manifests .COM or .NET domain names, not a one. This is what the registry does, and registrars are simply "resellers" of this service that the registry offers. That is registries are able to insert DNS records in the root server chain, registrars are NOT able to do this, we do this by purchasing such records on behalf of third parties. So when a person wants a domain name they can't go to the registry, they must go to a registrar. The registrar then accepts payment for the domain name, and then passes on the registration request to the registry. The registry then inserts a DNS record into the root server chain which manefests the domain name - Now that record might just point to yet another DNS server, but the key here is the control of the root hierarchy which only regisTRIES have. Now whois is the "reverse path" of that reseller relationship. When someone looks up the whois for that domain name the registrar may have a COPY of what it THINKS is the current domain name state, but it's just a copy. In other words the "state" of the domain name now flows through from the regisTRY database to the public "whois" response. The only database description of that domain name that means anything is the one in the regisTRY. So, the registrar then MUST provide accurate domain status fields (such as registration dates) from the registry and then merges in their own internal contact detials of the domain name at that moment. And that is the precise point at which we have a point of confusion. The registry is "authoritative" for the domain status, but not the contact detials. One may fairly argue the regisTRAR is "authoritative" for the contact detials, but NOTHING ELSE. And this is where your OP problem comes in, the registrar does not necessary pass the "authortative domain state" as expressed by the regisTRY at the first query in the chain (Internic), the registrar can only do this since they are NOT truely authoritative. True, one can produce a policy that this data "SHALL" be passed unchanged but this is precisely where I personally disagree with that solution. Instead solve this "by design" which is the "thick registry" by requiring the registrar to "deposit" the contact detials with the regisTRY and then have the registry return the whois. At that point you have a full audit chain over all time, and it's centralized at the regisTRY and it thus authoritative. Yes, you can implement "policies" that will result in the whois data being the same for a "thick registry" and a "thin registry" ..... But only to the extent that registrars follow that policy, and databases remain synchronized. If it's a "by design" implementation, then it's IMPOSSIBLE not to follow. That is why I'd personally prefer to see a thick registry solution. Thus should be clear that a "thick registry" should not be confused with the idea you mention of "thin whois" or "thick whois". However a thick registry produces your "thick whois", de-facto. And this is why consideration of the idea of "authority" is so important == One entity, one point, one place to say how the whois will or will not look like, and do so precisely at the database that manages the root hierarchy record. whois for that domain name the registrar may have a COPY of what it THINKS is the current domain name state, but it's just a copy. In other words the "state" of the domain name now flows through from the regisTRY database to the public "whois" response. The only database description of that domain name that means anything is the one in the regisTRY. So, the registrar then MUST provide accurate domain status fields (such as registration dates) from the registry and then merges in their own internal contact detials of the domain name at that moment. And that is the precise point at which we have a point of confusion. The registry is "authoritative" for the domain status, but not the contact detials. One may fairly argue the regisTRAR is "authoritative" for the contact detials, but NOTHING ELSE. And this is where your OP problem comes in, the registrar does not necessary pass the "authortative domain state" as expressed by the regisTRY at the first query in the chain (Internic), the registrar can only do this since they are NOT truely authoritative. True, one can produce a policy that this data "SHALL" be passed unchanged but this is precisely where I personally disagree with that solution. Instead solve this "by design" which is the "thick registry" by requiring the registrar to "deposit" the contact detials with the regisTRY and then have the registry return the whois. At that point you have a full audit chain over all time, and it's centralized at the regisTRY and it thus authoritative. Yes, you can implement "policies" that will result in the whois data being the same for a "thick registry" and a "thin registry" ..... But only to the extent that registrars follow that policy, and databases remain synchronized. If it's a "by design" implementation, then it's IMPOSSIBLE not to follow. That is why I'd personally prefer to see a thick registry solution. Thus should be clear that a "thick registry" should not be confused with the idea you mention of "thin whois" or "thick whois". However a thick registry produces your "thick whois", de-facto. And this is why consideration of the idea of "authority" is so important == One entity, one point, one place to say how the whois will or will not look like, and do so precisely at the database that manages the root hierarchy record. By

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC