‘This raises the bar and makes it expensive for easy cyber criminality,’ argues DomainTools
Forthcoming European Union regulations that would curtail anonymous domain registration has been welcomed by a security firm despite concerns from some including Germany’s top-level domain registry, DENIC.
Wide-ranging proposals to achieve a “high common level of cybersecurity across the Union” and update the 2016 network and information systems (NIS Directive), would restrict the anonymous registration of domains, among other measures.
Anonymous domain registration is often associated with illegal activities including the distribution of malware and the hosting of phishing sites as well as the authorized distribution of copyright protected works.
People or organizations registering domains are already routinely obliged to supply their name, email address, and physical address. As things stand, this information is seldom checked so that registration under false or assumed names is commonplace.
The rule change would introduce provisions that would oblige domain registrars to collect more information from registrants and (crucially) verify that information.
For the purpose of contributing to the security, stability, and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
While broadly welcoming Article 23, which covers databases of domain names and registration data, Germany’s TLD registry DENIC expresses significant reservations about the proposals in its feedback to the EU Commission. It worries that collecting registration data wouldn’t necessarily help in preventing abuse.
“While accurate and complete registration data is already collected in the context and for the purpose mentioned in the previous paragraph, it is not obvious to us, how failure to do so would affect the security, stability, or resilience of the DNS as such,” DENIC said.
The German registry added: “Identification of the registrant does not provide information about the entity exercising actual technical control over the delegated namespace and even less so about entities providing content or services within that namespace.”
However, Chad Anderson, senior security researcher for DomainTools, a domain-name and DNS-based cyber threat intelligence firm, said access to registration information would offer a vital tool for network security defenders.
“We’ve certainly found other ways of fingerprinting actors based on tactics, techniques, and procedures (TTPs), but taking down large swaths of domains tied to a single individual is much quicker when they can actually be tied to that individual and time is increasingly of the essence,” according to Anderson.
Anderson compares the registration of domains (a form of digital property) to the operation of a property registration systems for houses.
The plans could mean the end of ‘whois privacy’ services for proxy registration of domains, threatening the safety of activists and whistleblowers, according to German MEP Patrick Breyer of the Pirate Party.
“This indiscriminate identification policy for domain holders is a big step towards abolishing anonymous publications and leaks on the internet,” Breyer warned in a blog post.
“This policy endangers website operators, because only anonymity effectively protects against data theft and loss, stalking and identity theft, doxxing and ‘death lists’.”
Concerns that the registration of domain would impacts whistleblowers and activists are misplaced, according to DomainTools’ Anderson.
“They should all be using Tor and pre-built sites anyways to protect their anonymity,” according to Anderson, who added, “if anything this will force their hand to use better operational security”.
More difficult, more expensive
Even though once the regulations come into effect cybercriminals can still hide behind corporations or registrars in other countries, the result will still be to make malicious activity more difficult and expensive, DomainTools argues.
Anderson concludes: “This raises the bar and makes it expensive for easy cyber criminality like business email compromise (BEC) and credential phishing campaigns. Additionally, this reduces the attacking area left to monitor as it reduces the number of registrars that attackers can use.”
The draft directive was amended (PDF) in March and may be further changed before ratification. The amendments clearly specify that telephone contact information needs to amongst the information collected.
Member States shall ensure that the database infrastructure of domain name registration data… contains relevant information, which shall include at least the registrants’ name, their physical and email address, as well as their telephone number, to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
The amended measures also clarify that the registrars will be obliged to provide “domain name registration data, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law” within 72 hours of receiving a request.
A complete catalogue of feedback to the proposals can be found here.
The lead committee ITRE is expected to take a position on the proposals by the end of October. Even after that stage the bill still needs to be negotiated with the EU Council, and may be subject to further amendments before it comes into effect.
YOU MAY ALSO LIKE NSA warns of heightened wildcard TLS certificate risk