A report was recently released which examined the accuracy of the information within the WHOIS system. WHOIS services are intended to provide free public access to information about the registrants of Internet domain names. This report was commissioned by ICANN, the body that oversees the allocation & registration of Internet domain names.
Probably the most concerning finding from the report is the fact that only 23% of the records in WHOIS were fully accurate. A further 24% had some information missing, but the researchers were able to locate the person registered as the owner of the domain & confirm this. That left 53% of records where the owner could not be located to confirm ownership of a domain name. This failure was due to incorrect, inaccurate, false or simply missing data on the WHOIS records.
What does this mean to you & me? It means if a bad guy wants to set up a dodgy website he can do so, and without too much difficulty cover his tracks by providing a name like "Donald Duck" and an address like "Disneyland" for the contact details, so that it's not easy to trace things back to him.
So how did we end up with a system so riddled with bad data? It seems many of the Internet domain name registrars have been very lax when issuing new Internet domain names. There are no mandated standards for registrars to check whether the information provided is accurate, and many registrars have not bothered to check & enforce the completeness & accuracy of the information provided by people applying for domain names.
The obvious solution here is to force the domain name registrars to thoroughly verify an applicant's details before they are given a domain name. But the problem is that these checks would require additional resources & time before issuing a domain name, which would cost more money. This means that they would have to increase their charges to the applicants.
So it comes down to the usual conflict. Do we want security and responsible actions on the Internet by making domain name owners traceable & verifiable, or do we want cheap costs when it comes to registering a domain name?
In many countries, in order to possess a gun you must first apply for a gun license, verify your identity and explain what you intend to use the gun for. I think it should be the same with domain name registration. Yes, I know – guns don't kill people, people kill people. But if guns can be used to perpetrate crimes, then the use of guns should have some level of control. When it comes to websites and the level of criminal activity that may be perpetrated through the use of a website, I think we should at least have some sort of verification of the identity of the person behind that site.
The ease with which a bad guy can currently set up malicious websites anonymously is yet another example of why the Internet is currently such a Gangster's Paradise. It's not going to be easy, but things need to change.
Senior Cybercrime Research Analyst
Author: ESET Research, ESET