Obviously there are a lot of errors by a lot of people that led to this, but here's one that would've prevented this specific exploit:
> As part of our research, we discovered that a few years ago the WHOIS server for the .MOBI TLD migrated from whois.dotmobiregistry.net to whois.nic.mobi – and the dotmobiregistry.net domain had been left to expire seemingly in December 2023.
Never ever ever ever let a domain expire. If you're a business and you're looking to pick up a new domain because it's only $10/year, consider that you're going to be paying $10/year forever, because once you associate that domain with your business, you can never get rid of that association.
This is the most obvious reason why Verisign is a monopolist and should be regulated like a utility. They make false claims about choice and not being locked in. You buy a domain, you use it, you're locked in forever. And they know it. That's why they fight tooth and nail to protect their monopoly.
It’s worse if you stop using the phrase ‘buy’ and instead use the term ‘rent’. A DNS provider could 10,000x your domain cost and there’s nothing you can do about it.
See also personal phone numbers, which are now "portable" and thus "required for every single identity verification you will ever perform", without being regulated, which means your identity is one $30 bill autopayment or one dodgy MVNO customer service interaction from being lost forever.
There is an alternative to such regulation though. In the Netherlands, all registrars are required to support automatic transfer between registrars. You can look up your "transfer code", which you can enter at a new registrar, and they will handle the transfer of your domain (with proper DNS etc.) and stop your old subscription.
Not true. If you are hosting user content, you want their content on a completely separate domain, not a subdomain. This is why github uses githubusercontent.com.
I actually think they need 2; you usually need a second domain / setup for failover. Especially if the primary domain is a novelty TLD like .IO, which showed that things can happen at random to the TLD. If the website is down it's fine, but if you have systems calling back to subdomains on that domain, you're out of luck. A good failover will help mitigate / minimize these issues. I'd also keep it on a separate registrar.
Domains are really cheap; I try to just pay for 5-10 year blocks (as many as I can) when I can, just to reduce the issues.
I felt the need to get, in addition to (shall we say) foo-bar.nl, the foobar.nl, foo-bar.com and foobar.com domains, because I don't want a competitor picking up those and customers might type it like that.
Don't forget about infrastructure domains, static-asset domains, separation of product domains from corporate domains ... there are plenty of good reasons to use multiple domains, especially if you're doing anything with the web where domain hierarchies and the same-origin policy are so critical to the overall security model.
I like the point you are making in this post. It makes me think about the Backblaze blog posts where they discuss the likelihood of enough drive failures to lose user data. Then, they decided the calculation result hardly matters, because people are more likely to forget to pay due to an expired credit card or email spam filtering (missed renewal reminders!).
How do mega corps remember to pay their domain bills? Do they pay an (overpriced) registrar for "infinity" years of renewals? This seems like a genuinely hard business operations problem.
Mega corps have their own top-level domains. For example there are .apple, .google, .amazon, .youtube and probably some more I have forgotten.
Even when companies don't have their own top-level domain, they can have their own domain registrar. For example "facebook.com" is registered with "registrarsafe.com" as registrar. The latter registrar is a wholly owned subsidiary of Facebook. I learned this from this HN thread https://news.ycombinator.com/item?id=28751497
The megacorp that I work at requires us to surrender payment for domain names that we own to a central authority who takes care of this in perpetuity. Any domain names we buy, we also have to tell them about. Your triple boss gets a good stern talking-to if you're not following these procedures.
> If you're a business and you're looking to pick up a new domain because it's only $10/year, consider that you're going to be paying $10/year forever, because once you associate that domain with your business, you can never get rid of that association.
Please elaborate...
Also, what about personal domains? Does it apply there as well?
As per the article, the old domain expired and was picked up by a third party for $20. Said domain was hard-coded into a vast number of networking tools never to be updated again, effectively giving the new domain owner unfettered access into WHOIS internals.
My brother used to own <our uncommon family name>.com and wrote on it a bunch. Eventually he bailed out and let it expire. It turned into a porn site for a few years and now it's for sale for like $2k from some predatory reseller.
People bookmark stuff. Random systems (including ones you don't own) have hardcoded URLs. Best to pay for it forever since it's so low of a cost and someone taking over your past domain could lead to users getting duped.
A friend of mine recently let the domain used for documentation of Pykka, a Python actor library, expire. Someone of course registered the domain, resurrected the content and injected ads/spam/SEO junk.
Since the documentation is Apache License 2.0 there isn't much one can do, other than complain to the hosting about misuse of the project name/branding. But so far we haven't heard back from the hosting provider's abuse contact point (https://github.com/jodal/pykka/issues/216 if anyone is interested).
I have the feeling that any day now I’m gonna wake up in the morning and I’ll find out that there just isn’t internet anymore because somebody did something from a hotel room in the middle of nowhere with a raspberry pi connected to a wifi hotspot of a nearby coffee shop.
Reminds me of the dorms in college where the internet would get messed up because someone would plug in a random router from home that would hand out junk DHCP IP addresses. It's like that but for the whole world.
A significant amount of stuff is indeed held up by hopes and prayers [0], but by design, the internet was built to be robust [1]. In this case the scope was limited to .mobi.
could've already solved the issue. But getting everyone to agree and adopt something like that is hard.
Although as fanf2 points out below, it seems you could also just start with the IANA whois server. Querying https://www.iana.org/whois for `mobi` will return `whois: whois.nic.mobi` as part of the answer.
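Added example (my own code, not from the thread or the article) of the lookup chain described above: ask IANA's WHOIS server for the TLD record and follow its `whois:` referral at query time, so the tool never carries a hard-coded registry hostname that can expire. Network calls go through `whois_query`; the constructed `SAMPLE_IANA_REPLY` only mimics the shape of IANA's answer for `mobi`.

```python
import socket
from typing import Optional

IANA_WHOIS = "whois.iana.org"  # IANA's WHOIS server, which holds the TLD records

def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one RFC 3912 WHOIS query (TCP port 43) and return the raw reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def tld_of(domain: str) -> str:
    """Return the last label of a domain, lower-cased, ignoring a trailing dot."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def parse_referral(iana_reply: str) -> Optional[str]:
    """Pull the `whois:` referral out of an IANA TLD record; None if absent."""
    for line in iana_reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "whois" and value.strip():
            return value.strip()
    return None

def authoritative_whois(domain: str) -> str:
    """Discover the TLD's current WHOIS server at query time, not from a table."""
    server = parse_referral(whois_query(IANA_WHOIS, tld_of(domain)))
    if server is None:
        raise LookupError(f"IANA lists no WHOIS server for .{tld_of(domain)}")
    return server

# Constructed excerpt in the shape of IANA's reply for `mobi`; used for offline tests.
SAMPLE_IANA_REPLY = """% IANA WHOIS server
domain:       MOBI

organisation: Example Registry Operator (constructed)
whois:        whois.nic.mobi
"""

if __name__ == "__main__":
    server = authoritative_whois("example.mobi")  # resolves to whois.nic.mobi today
    print(whois_query(server, "example.mobi"))
```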
because people build these tools as part of one time need, publish it for others (or in case they need to reference it themselves). Other "engineers" copy and paste without hesitating. Then it gets into production and becomes a CVE like discussed.
Developer incompetence is one thing, but AI-hallucination will make this even worse.
I’ve seen so many teams that fail to realize that once you use a domain in any significant way, you’re basically bound to renewing it until the heat death of the universe – or at least the heat death of your team.
Whether it's this sort of thing, a stale-but-important URL hanging out somewhere, someone on your team signing up for a service with an old domain-email, or whatever, it's just so hard to know when it's truly okay to let an old domain go.
The root cause for the PHP vulnerability is trying to parse unstructured text. The actual information in WHOIS has structure: emails, addresses, dates, etc. This info should be provided in a structured format, which is what RDAP defines.
IMHO, there is no reason for a registrar to not support RDAP, and to have the RDAP server's address registered with ICANN.
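Added example (my own code, not from the thread) of the structured alternative: locate a TLD's RDAP service through IANA's RFC 7484 bootstrap file and read registrar and dates as JSON fields instead of scraping free text. `BOOTSTRAP_URL` is the real IANA registry; the sample bootstrap entries and RDAP record are constructed for offline testing and do not describe any real registry.

```python
import json
import urllib.request

BOOTSTRAP_URL = "https://data.iana.org/rdap/dns.json"  # RFC 7484 bootstrap registry

def rdap_base_url(bootstrap: dict, domain: str):
    """Find the RDAP base URL for domain's TLD. Each `services` entry is
    [list of TLDs, list of base URLs]; HTTPS URLs are preferred."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    for tlds, urls in bootstrap.get("services", []):
        if tld in (t.lower() for t in tlds):
            https = [u for u in urls if u.startswith("https://")]
            base = (https or urls)[0]
            return base if base.endswith("/") else base + "/"
    return None

def rdap_domain_lookup(domain: str) -> dict:
    """Fetch the structured RDAP record for `domain` (needs network access)."""
    with urllib.request.urlopen(BOOTSTRAP_URL, timeout=10) as resp:
        base = rdap_base_url(json.load(resp), domain)
    if base is None:
        raise LookupError(f"no RDAP service registered for {domain}")
    req = urllib.request.Request(base + "domain/" + domain,
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def registrar_and_events(record: dict) -> dict:
    """Read registrar name and event dates from JSON fields; no regex over text."""
    out = {"registrar": None, "events": {}}
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:  # jCard, RFC 7095
                if prop[0] == "fn":
                    out["registrar"] = prop[3]
    for ev in record.get("events", []):
        out["events"][ev["eventAction"]] = ev["eventDate"]
    return out

# Constructed bootstrap excerpt and RDAP record for offline testing (not real data).
SAMPLE_BOOTSTRAP = {"services": [
    [["mobi"], ["http://rdap.example.test", "https://rdap.example.test"]],
    [["com", "net"], ["https://rdap.other.test/"]]]}
SAMPLE_RECORD = {
    "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar"]]]}],
    "events": [{"eventAction": "expiration", "eventDate": "2023-12-01T00:00:00Z"}]}
```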
>The dotmobiregistry.net domain, and whois.dotmobiregisry.net hostname, has been pointed to sinkhole systems provided by ShadowServer that now proxy the legitimate WHOIS response for .mobi domains.
If those domains were meant to be deprecated, it would be better to return a 404. Keeping them active and working like normal reduces the incentive to switch to the legitimate domain.
Whois doesn't support HTTP status codes, but the shadowserver sinkhole responds with:
Domain not found.
>>> Please update your code or tell your system administrator to use whois.nic.mobi, the authoritative WHOIS server for this domain. <<<
I think the whole computer approach is doomed to failure. It relies on perfect security that is supposed to be achieved by SBOM checking and frequent updates.
That is never going to work. Even log4j, 40% of all downloads are vulnerable versions. Much less when a vendor in a chain goes out of business or stops maintaining a component.
Everything is always going to be buggy and full of holes, just like our body is always full of battlefields with microbes.
nah, slowly but surely we can write good and reliable code, use that for things to make better tools, and then use those to ... :)
It will be probably a few decades, but the road seems pretty clear. Put in the work, apply the knowledge gained from all the "lessons learned" and don't stop.
https://money.cnn.com/2016/01/29/technology/google-domain-pu...
https://github.blog/engineering/githubs-csp-journey/
Businesses only ever need two $10 domains, usercompany.com and company.com, just in case they ever want to host user generated content.
Found this out when some of our emails started bouncing...
Personal domains are up to you.
[0] https://xkcd.com/2347/
[1] https://en.wikipedia.org/wiki/ARPANET#Debate_about_design_go...
[1] https://news.ycombinator.com/item?id=41482087
Seems there is a standard (?) way of registering this in DNS, but just from a quick test, a lot of TLDs are missing a record. Working example:
Edit: There's an expired Internet Draft for this: https://datatracker.ietf.org/doc/html/draft-sanz-whois-srv-0...
Unfortunately, it isn't required for ccTLDs, and there are plenty of non-ccTLDs that aren't working.
https://en.wikipedia.org/wiki/Registration_Data_Access_Proto...
https://resolve.rs/domains/rdap-missing.html