WHOIS-Based Domain Control Validation (DCV) Method Deprecation

End of life for WHOIS-based DCV methods

DigiCert and Sectigo, two of the industry-leading certificate authorities (CAs), have announced the discontinuation of WHOIS-based Domain Control Validation (DCV). The CA/Browser Forum (CABF) is expected to approve a rule that bans the use of WHOIS-listed email addresses for domain validation and prevents the reuse of past validations based on them.

For years, WHOIS data has served as a primary source for verifying domain ownership by certificate authorities (CAs) during the certificate issuance process.

However, a growing body of security research has shown that WHOIS-based DCV is not sufficiently secure and has several flaws. To achieve stronger, more robust validation, the industry is shifting toward improved alternatives.

What Is Domain Control Validation (DCV)?

Before going into the deprecation timelines, let’s understand what Domain Control Validation (DCV) is and why it matters. It is the process by which a certificate authority (CA) verifies that the applicant requesting an SSL/TLS certificate actually controls the domain.

Three methods are used to demonstrate control of a domain:

Email Validation:

The CA sends a confirmation email to an approved email address linked to the domain. The contact email address is fetched from the publicly available WHOIS system. This method has many security problems.

DNS TXT Records:

A special code is added to the domain’s DNS settings to prove ownership.

HTTP File Upload:

A file with a unique code is placed on the website to confirm control of the domain.

    Why Is WHOIS-Email DCV Being Deprecated?

    WHOIS-based Domain Control Validation (DCV) has several security issues that show it is not a secure way to prove control of a domain. The method relies entirely on the public WHOIS system for domain names.

    A recent vulnerability in the WHOIS system for domain names was demonstrated by a security researcher, who gained control of the “.MOBI TLD” WHOIS server.

    The “.MOBI TLD” WHOIS server “whois.dotmobiregistry.net” had been migrated to a new server, “whois.nic.mobi”. The old domain “whois.dotmobiregistry.net” was left unclaimed and was subsequently purchased by the security researcher.

    As a result, he effectively gained the ability to purchase an SSL certificate on behalf of any organization.

    Many certificate authorities (CAs) rely on data from public WHOIS servers in the Email Validation process. In this case, several of them were still querying the old server, “whois.dotmobiregistry.net”, which was now under the researcher’s control.

    He also demonstrated that he could obtain an SSL certificate on behalf of other organisations: because many CAs were still using “whois.dotmobiregistry.net” for Email Validation and he had full control of it, he could return tampered data (adding his own email address to the WHOIS response sent to the CAs’ servers) and pass the validation process.

    The Phased Timeline: DigiCert and Sectigo

    With the phase-out of WHOIS-based DCV methods, Sectigo and DigiCert have introduced alternative approaches for secure domain validation.

    DigiCert’s Timeline

    The following changes apply to all DigiCert domain validations, covering certificate types such as TLS, Verified Mark, Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust.

    Phase One: January 8, 2025:

    On January 8, 2025, DigiCert stopped using HTTPS web-based WHOIS lookups for domain control validation. This means DigiCert can no longer rely on these lookups to gather domain contact information when the WHOIS protocol fails to return results, which could make WHOIS-based DCV methods less reliable.

    Additionally, from this date, DigiCert will no longer reuse domain validations where an HTTPS web-based lookup was previously used to obtain domain contact details, even if the information was within the 397-day reuse period.

    Phase Two: May 8, 2025

    On May 8, 2025, DigiCert will discontinue support for the WHOIS-based DCV method and will no longer query WHOIS for domain validations.

    If you’re using the WHOIS-based Email DCV method, you’ll need to switch to an alternative DCV method. Alternatively, you can continue using the email method by setting up a DNS TXT Email Contact or a Constructed Email address. For more details, refer to DigiCert’s documentation of its supported DCV methods and domain validation processes.

    Phase Three: July 8, 2025

    On July 8, 2025, DigiCert will stop reusing any existing WHOIS-based domain validations, regardless of whether the information falls within the 397-day reuse period or the WHOIS method used.

    If you previously used the WHOIS-based Email DCV method to validate your domains, these validations will no longer be valid after July 8. When requesting a certificate for these domains, you’ll need to revalidate them using an alternative DCV method.

    Alternatively, you can continue using the email method by setting up a DNS TXT Email Contact or a Constructed Email address.
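The two email sources that remain once a CA stops consulting WHOIS, as an added example that is not DigiCert’s or Sectigo’s code: the constructed local parts are the five the CA/Browser Forum Baseline Requirements allow, the `_validation-contactemail` label is where the Baseline Requirements place the DNS TXT Email Contact record, and the zone data below is constructed. Both sources are derived from the domain itself or its own DNS, so a third-party WHOIS server cannot inject an address into the approved set.

```python
import re

# Added example, not CA code. Constructed Email local parts per the CA/B Forum
# Baseline Requirements; the TXT label is the DNS TXT Email Contact location.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
CONTACT_LABEL = "_validation-contactemail"
# Deliberately simple shape check: the whole RDATA must be a single address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample zone: owner name -> list of TXT RDATA strings.
SAMPLE_ZONE = {
    "_validation-contactemail.example.com": ["security@example.com", "not-an-email"],
}


def constructed_emails(domain):
    """Constructed Email addresses: fixed local parts at the domain itself."""
    return {f"{lp}@{domain}" for lp in CONSTRUCTED_LOCAL_PARTS}


def dns_txt_contact_emails(domain, zone):
    """Addresses published by the domain holder in its own DNS; records whose
    entire value is not an email address are unusable and skipped."""
    owner = f"{CONTACT_LABEL}.{domain}"
    emails = set()
    for rdata in zone.get(owner, []):
        value = rdata.strip()
        if EMAIL_RE.match(value):
            emails.add(value.lower())
    return emails


def approved_dcv_emails(domain, zone):
    """Union of both WHOIS-free sources for a normalized domain name."""
    domain = domain.lower().rstrip(".")
    return constructed_emails(domain) | dns_txt_contact_emails(domain, zone)


def is_approved_recipient(candidate, domain, zone):
    """A challenge email may only go to an address from the approved set."""
    return candidate.strip().lower() in approved_dcv_emails(domain, zone)
```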

    Sectigo’s Timeline

    The other major CA, Sectigo, has also laid out a phased deprecation schedule, with a slightly different timeline. Certificates issued before the key dates remain valid until expiration.

    Phase One: January 15, 2025

    WHOIS-based email validation will no longer be supported for domains with the “.NL” top-level domain.

    Phase Two: June 14, 2025

    This is the final deadline for using WHOIS-based email validation. After this date, domain names cannot be validated or revalidated through WHOIS email addresses.

    Phase Three: June 15, 2025

    Starting from this date, certificates cannot be issued or reissued using WHOIS-based validation. Alternative validation methods must be used instead.

    What Does This Mean for Your Organization?

    If you are responsible for managing SSL/TLS certificates or any digital certificates that rely on DCV, these changes will have a direct impact on your operations. Follow these steps to ensure a smooth transition:

    Audit Your Certificates

    Identify certificates validated using WHOIS-based methods. Note each validation’s expiry date and check whether it still falls within the allowed reuse period.

    Choose an Alternative DCV Method

    Opt for DNS TXT record validation for its simplicity and stronger security. Alternatively, you can use other methods like ‘constructed’ email or HTTP validation.

    Revalidate Your Domains

    Ensure all domain validations are updated with one of the supported methods before the deadline.

    Update Automation Processes

    Revise your automated workflows to accommodate the new DCV methods.

    Stay Informed

    Make sure you receive updates from your CA about any changes in validation procedures.
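The audit step above, worked through as an added example (not a DigiCert or Sectigo tool): given an inventory of domain validations, it shortens the 397-day reuse window to the CA’s WHOIS cutoff from the timelines described in this article and lists which domains need revalidation first. The inventory records, domains and dates are constructed; the treatment of the Sectigo .NL date as a cutoff for .nl domains is an interpretation of the schedule.

```python
from datetime import date, timedelta

# Added example, not CA tooling. Reuse period and cutoff dates are the ones
# given in the article; the inventory below is constructed.
REUSE_PERIOD = timedelta(days=397)

# Cutoff = first date on which the WHOIS-based validation can no longer be reused.
DIGICERT_WEB_WHOIS_CUTOFF = date(2025, 1, 8)   # validations via HTTPS web WHOIS lookups
DIGICERT_WHOIS_CUTOFF = date(2025, 7, 8)       # any remaining WHOIS-based validation
SECTIGO_NL_CUTOFF = date(2025, 1, 15)          # .nl domains (interpreted as cutoff)
SECTIGO_WHOIS_CUTOFF = date(2025, 6, 15)       # issuance/reissuance on WHOIS DCV stops


def whois_cutoff(record):
    """Cutoff for a WHOIS-based validation; None for unaffected methods."""
    if record["method"] != "whois-email":
        return None
    if record["ca"] == "digicert":
        return DIGICERT_WEB_WHOIS_CUTOFF if record.get("web_lookup") else DIGICERT_WHOIS_CUTOFF
    if record["ca"] == "sectigo":
        tld_nl = record["domain"].lower().rstrip(".").endswith(".nl")
        return SECTIGO_NL_CUTOFF if tld_nl else SECTIGO_WHOIS_CUTOFF
    raise ValueError(f"unknown CA: {record['ca']}")


def usable_until(record):
    """Last day the validation can be reused: end of the 397-day window,
    shortened to the day before the cutoff where one applies."""
    reuse_end = record["validated_on"] + REUSE_PERIOD
    cutoff = whois_cutoff(record)
    return reuse_end if cutoff is None else min(reuse_end, cutoff - timedelta(days=1))


def revalidation_plan(inventory, today):
    """Affected domains with their last usable day, most urgent first, and
    the subset whose validation is already unusable as of `today`."""
    affected = [r for r in inventory if whois_cutoff(r) is not None]
    due = sorted(((r["domain"], usable_until(r)) for r in affected), key=lambda x: x[1])
    expired = [d for d, last in due if last < today]
    return due, expired


# Constructed inventory (not real validations).
INVENTORY = [
    {"domain": "www.example.com", "ca": "digicert", "method": "whois-email",
     "validated_on": date(2024, 9, 1), "web_lookup": True},
    {"domain": "shop.example.com", "ca": "digicert", "method": "whois-email",
     "validated_on": date(2024, 12, 1), "web_lookup": False},
    {"domain": "example.nl", "ca": "sectigo", "method": "whois-email",
     "validated_on": date(2024, 11, 20)},
    {"domain": "api.example.org", "ca": "sectigo", "method": "dns-txt",
     "validated_on": date(2024, 11, 20)},
]
```

Calling `revalidation_plan(INVENTORY, today)` with today’s date gives the ordered list to work from; DNS TXT and HTTP validations keep their full reuse window and are left out of it.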

    Conclusion

    The phase-out of WHOIS-based DCV methods marks an important shift in SSL/TLS validation, enhancing security and trust. Organizations should promptly transition to supported methods like DNS TXT records, constructed email addresses, or HTTP validation.

    Janki Mehta

    Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.