
What Is Going to Happen With Whois? - danso
https://motherboard.vice.com/amp/en_us/article/vbpgga/whois-gdpr-europe-icann-registrar
======
jchw
How does this threaten the security or privacy of the Internet _at all_? Whois
data isn't accurate even by horrible standards. They've tried to make it more
stringent but I have domains of mine with the wrong address that I'm too lazy
to update and it's been wrong for years now. No problem for my Whois records.
And to get around whois records, if we as owners of domains want privacy, we
have to deal with shady companies that effectively take control of our
domain's ownership. Great for selling whois privacy products, but not at all
good for internet security.

SSL certificates already aren't good enough to prove the legitimacy of an
organization, not even EV ones. Why Whois data would be any use is beyond me.

~~~
quickthrower2
I think it is weird to have a physical address for a domain. At least that
should be optional.

Definitely is a pro-company and anti-individual concept. If you are a company
no problem using your address. As an individual it is not private, do you want
people who hate your site knocking at your door and your kid answers?

Then namecheap as whois guard and all that. Extra rent you have to pay to keep
your privacy!

~~~
jchw
You can always use a PO Box, as I've done in the past. Extra rent, but useful.

~~~
harlanji
Lao Tzu says that in preparing a defense you welcome an enemy. If we create
from our thought and intent, why would we take steps? This thinking instantly
puts most people into fear mode, but when you live it and nothing happens fear
totally loses any gravity, these discussions are tiresome. People ramdomly go
crazy and target people on the internet probably less often than home
invasions on houses with unlocked doors. But again quantitative analysis
brings us back into the fearful analysis mode and out of abundant loving mode.
Hard idea to explain, and my analytical brain comprehends the woowoo, but
woowoo is critically important in that thought.

~~~
newscracker
It's not only about some trolls targeting the content creators. It's also
about government, government officials and large (ethically challenged)
corporations and "organized crime" that one needs to be on guard against. Even
if you host with a provider in another jurisdiction who will resist revealing
your information, the WHOIS data is a sitting duck. I don't think this piece
of advice from Lao Tzu applies to our post-Snowden world. Definitely not for
people who are against the powers that be (and on whom healthy democracies
depend on).

------
f2n
Thank god. I get somewhere between 2 and 10 spam emails to my dedicated whois
address _every day_. Requiring the publication of email addresses with every
domain is absurd and serves no purpose.

~~~
petercooper
I don't get so much spam mail as I do phone calls - quite often from real call
centers with real people asking about what sites they could create for me on
the domains.

I have been _very_ tempted to register an ultra offensive sounding domain name
just to get someone at a call center to ask me about it by name :-D

~~~
ams6110
I own a handful of domains and have my real contact info in all of them. Aside
from annual postal (!) mail from registrars offering to renew them at about
10x the normal price, I don't really get any spam from these that I've seen.

I never answer the phone if the caller ID is unknown, so I may be missing some
there also.

~~~
bowlich
Yeah, I was going to chime in. I've had an accurate whois for my domains since
the early 2000s and at most I get a couple pieces of junk mail around renewal
time. No idea if I get any spam from it, the spam filter seems to do a good
enough job of junking that.

The idea of hiding the contact information never quite made sense to me. If
you're a business, then you already have to provide an address of record to
the state for certified mail to go to.

If, as a private citizen, I am running a controversial website then there are
already institutes in place that will receive, process, and provide anonymity
for your physical mailing address.

------
mr_toad
Whois belongs in an era where email servers were completely open, telnet and
FTP were unencrypted, and people had .plan files for all the world to see. It
should have died off 20 years ago.

------
shiado
When investigating sketchy sites I have found that domains are pretty
disposable and that trying to contact the admin or registrar from the whois
data is pointless. They can just pivot to another domain at worst and they
probably faked the data they submitted to register it to begin with leaving
them unaccountable.

Services like Cloudflare on the other hand are fully complicit in making abuse
easy on the internet. If you want something abusive taken offline it is better
to go after whoever is hosting it instead of some pointer to where it is
hosted, which is difficult when they are behind Cloudflare. If you want a
laugh search Google for the terms "booter" or "http stress tester" and try to
gauge the legitimacy of the results.

------
ggm
RDAP is going to happen.

1) its UTF-8 clean 2) its JSON 3) its getting Oauth, so LEA requirements can
be met while keeping personal data private 4) it uses web protocol underneath
so 302 redirect works 5) its fully deployed in the RIR system for numbers, and
has a global directory at the root in IANA.

RDAP is going to happen to WHOIS. Its long overdue.

(bias: I work on RDAP)

------
ficklepickle
I've always appreciated that .ca domains are private by default.

Even without whois, you can dig the IP address and find out their ISP
(sometimes). I've had some success getting compromised servers shut down by
reporting them to the abuse email address in the dig record. If you email
amazon with the details of malicious AWS instance, they will notify the
customer and/or kill the instance pretty darn quickly.

Does anyone know of an open source program that finds malicious IP's in apache
/ nginx logs and reports them automatically? I've been thinking of making this
tool but it must exist already.

In my head, I call it the internet hygiene project. It's a slow and very
unsexy way of dealing with the botnet problem, but I think it could make a
positive difference. Admittedly, it'll only catch the low hanging fruit, but
there is so much of it, I think it is a good start.

Apologies for going off-topic.

------
dawhizkid
Yes, I accidentally exposed my personal info for a new .us domain. Spam emails
and phone calls immediately.

~~~
parfe
I had the same issue. Didn't realize .us required your info to be published.
My registrar upsold me their whois guard service, but it sat unredeemedable on
my account while spammers harvested my info.

------
exikyut
Serious question:

Some months ago I was curious about buying a domain name. So I poked around on
various reseller sites to find out the pricing. I couldn't buy it at the time.

Only a couple months later (I still couldn't buy the domain), I found the site
had been registered. The domain was an obscure but novel sequence of letters;
the likelihood that I and someone else came up with the sequence at the same
time is objectively possible, but slim.

So, I can only conclude that list reselling DEFINITELY DOES happen, and yes, I
am very mad. But there is of course nothing that can be done.

Now, when I want to find out what domains do and don't exist, I just use
WHOIS, because I don't trust any of the "domain lookup" sites.

What do I do now? :(

------
ryan-c
I applied for "port 43" access to GoDaddy's normal whois records (still
"domains by proxy" if private registration) this week. They require you to
sign a very short contract stating what you're using it for and stipulating
you can't bulk scrape it or use it for marketing.

Still waiting on approval, am somewhat interested to see whether they approve
my request.

As far as spam goes, I don't generally use private registration, but use
dedicated email addresses for my whois contacts, and I rotate them on a
regular basis.

The scraping seems to happen soon after a domain is registered, but there's a
much longer lag when changing the email address.

------
contingencies
Most recently I have found whois a good way to validate the age of domains of
certain competing companies. This is a very vague thing to look up but it sure
is useful, I am sure that it also adds a dimension to trust metrics in search
engine and antispam land. I don't want it to die.

------
Sniffnoy
Non-mobile link: [https://motherboard.vice.com/en_us/article/vbpgga/whois-
gdpr...](https://motherboard.vice.com/en_us/article/vbpgga/whois-gdpr-europe-
icann-registrar)

------
bane
On the other side of this, I remember a time when you could just download a
dump of the registration data and do whatever you wanted (good or bad). Now
it's like pulling an arm and a leg to get access to even fractions of the
data.

------
fredley
For .uk domains currently, you cannot mask whois details at all!

~~~
tradersam
Nor .io domains.

~~~
f2n
My .io (finn.io if you want to look it up) says:

    
    
      Owner Addr    : Obfuscated whois Gandi-63-65 boulevard Massena
      Owner Addr    : Obfuscated whois Gandi-Paris
      Owner Addr    : WA
      Owner Addr    : FR
    

and my full name. Seems obfuscated enough, especially since the name was not
remotely validated.

