Upcoming Changes to WHOIS-Based Email Domain Validation (DCV)

Updated: 23 Jan 2025
Article #: 23


In the first half of 2025, updates to WHOIS-based domain validation will take effect as part of an industry-wide initiative to enhance security and reliability.

In August 2024, researchers at WatchTowr Labs discovered a vulnerability relating to use of legacy WHOIS systems for domain control validation (DCV). As a result, industry leaders were concerned that this would lead to fraudulent email-based validations for SSL/TLS certificates. Although the scope of the specific vulnerability was limited, it brought up questions about the industry’s reliance on certain legacy resources for validation.

On 14 Dec 2024, the CA/Browser Forum (CA/B Forum) adopted a phased sunset for WHOIS-based methods of domain ownership validation after several months of discussion.


What Does This Mean For Your Organisation?

This issue only affects organisations that used WHOIS contact data to have their SSL/TLS certificates issued.


If You Don’t Use WHOIS Data for Domain Control Validation

If a method other than a WHOIS web-based lookup was used to validate your domain (for example, DNS TXT records, file validation, or constructed email verification such as administrator@domain.com), then these changes have no impact on you or your certificates. You’re right as rain and you don’t have to worry about any of these changes.


If You Did Use WHOIS Data for Your Domain Control Validation Process

If you used a WHOIS-listed email address to validate your domain when obtaining a website security certificate, you’ll need to change validation methods when requesting a new SSL/TLS certificate. This is true even for customers who are still within the allowed prior-authorization reuse period.

The easiest method for most customers will be to use one of the “constructed” (pre-approved) validation email addresses, such as administrator@domain.com.

Alternative methods of domain control validation include file-based and DNS-based validation methods:

  • DNS TXT records
  • DNS CNAME (canonical name) records that link an alias to one or more other domains
  • HTTP file authentication
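The following pre-flight checker is an added example and is not part of this notice or of any CA's tooling. It covers both the constructed-email option and the DNS/HTTP alternatives listed above: before a certificate request is submitted, it confirms that the proof a CA will look for (a DNS TXT record, a DNS CNAME record, or an HTTP file) is actually in place, and that any email address you intend to use is a constructed address rather than a WHOIS contact. The TXT label `_dcv-check` and the file path under `/.well-known/pki-validation/` are placeholders (every CA specifies its own); the constructed local-parts are the five permitted by the CA/Browser Forum Baseline Requirements' constructed-email method. Lookups are injected as callables so the script runs offline against constructed sample data; in production you would pass in real DNS and HTTP lookups.

```python
from typing import Callable, Dict, List, Optional

# Local-parts permitted by the Baseline Requirements' "constructed email"
# DCV method (the notice names administrator@ as one example).
CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"})

# Placeholders: the exact TXT/CNAME label and HTTP path a CA checks are
# CA-specific. Replace these with the values your CA gives you.
TXT_LABEL = "_dcv-check"
HTTP_PATH = "/.well-known/pki-validation/dcv-check.txt"

TxtResolver = Callable[[str], List[str]]        # fqdn -> TXT record values
CnameResolver = Callable[[str], Optional[str]]  # fqdn -> CNAME target or None
HttpFetcher = Callable[[str], Optional[str]]    # url -> response body or None


def is_constructed_email(address: str, domain: str) -> bool:
    """True only for <permitted local-part>@<domain>; a WHOIS contact such as
    registrant@some-registrar.example never qualifies."""
    local, sep, host = address.strip().rpartition("@")
    if not sep:
        return False
    return local.lower() in CONSTRUCTED_LOCAL_PARTS and host.lower() == domain.lower()


def dns_txt_ok(domain: str, token: str, resolve_txt: TxtResolver) -> bool:
    """The token must appear as a complete TXT value at <label>.<domain>."""
    # Resolvers often return values wrapped in quotes; strip one layer.
    values = [v.strip().strip('"') for v in resolve_txt(f"{TXT_LABEL}.{domain}")]
    return token in values


def dns_cname_ok(domain: str, expected_target: str, resolve_cname: CnameResolver) -> bool:
    """The alias at <label>.<domain> must point at the CA-supplied target."""
    target = resolve_cname(f"{TXT_LABEL}.{domain}")
    if target is None:
        return False
    return target.rstrip(".").lower() == expected_target.rstrip(".").lower()


def http_file_ok(domain: str, token: str, fetch: HttpFetcher) -> bool:
    """The token must be a whole line of the file; a soft-404 page that merely
    mentions the token somewhere in HTML does not count."""
    body = fetch(f"http://{domain}{HTTP_PATH}")
    if body is None:
        return False
    return token in [line.strip() for line in body.splitlines()]


def satisfied_methods(domain: str, token: str, cname_target: str,
                      resolve_txt: TxtResolver, resolve_cname: CnameResolver,
                      fetch: HttpFetcher, email: Optional[str] = None) -> List[str]:
    """Return the non-WHOIS DCV methods that are currently provable for domain."""
    methods: List[str] = []
    if dns_txt_ok(domain, token, resolve_txt):
        methods.append("dns-txt")
    if dns_cname_ok(domain, cname_target, resolve_cname):
        methods.append("dns-cname")
    if http_file_ok(domain, token, fetch):
        methods.append("http-file")
    if email is not None and is_constructed_email(email, domain):
        methods.append("constructed-email")
    return methods


# Constructed sample data standing in for live DNS and HTTP lookups.
SAMPLE_TOKEN = "abc123token"
SAMPLE_CNAME_TARGET = "abc123token.dcv.ca-example.invalid"
SAMPLE_TXT: Dict[str, List[str]] = {"_dcv-check.example.com": ['"abc123token"']}
SAMPLE_CNAME: Dict[str, str] = {"_dcv-check.example.net": SAMPLE_CNAME_TARGET + "."}
SAMPLE_HTTP: Dict[str, str] = {
    "http://example.org" + HTTP_PATH: "abc123token\n",
    # A catch-all page that returns 200 for every path must not pass.
    "http://example.com" + HTTP_PATH: "<html><body>404 abc123token not found</body></html>",
}


def check_sample(domain: str, email: Optional[str] = None) -> List[str]:
    """Run satisfied_methods against the constructed sample data."""
    return satisfied_methods(
        domain, SAMPLE_TOKEN, SAMPLE_CNAME_TARGET,
        resolve_txt=lambda fqdn: SAMPLE_TXT.get(fqdn, []),
        resolve_cname=SAMPLE_CNAME.get,
        fetch=SAMPLE_HTTP.get,
        email=email,
    )


if __name__ == "__main__":
    for dom, mail in [("example.com", "hostmaster@example.com"),
                      ("example.net", None),
                      ("example.org", None),
                      ("nothere.example", "whois-contact@nothere.example")]:
        print(f"{dom}: {check_sample(dom, mail) or 'no non-WHOIS method in place'}")
```

If the list comes back empty for your domain, place one of the proofs (or choose a constructed address) before requesting the certificate; anything that relied on a WHOIS contact will not be among the results by design.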


Major CAs Are Implementing These Changes Ahead of the Deadlines

DigiCert and Sectigo have announced that customers using WHOIS-based DCV methods should migrate to alternative methods as soon as possible. Here is an overview of each company’s phased rollout deadlines:

Sectigo
  • Phase One (Jan. 15, 2025): Sectigo’s first phase of the rollout prohibits the use of WHOIS-based email validation for .nl top-level domains.
  • Phase Two (June 15, 2025): Sectigo will no longer support WHOIS-based email DCV and will invalidate any pre-existing DCV records. This means no certificates can be issued or re-issued using these unsupported WHOIS-based DCV methods.

DigiCert
  • Phase One (Jan. 8, 2025): DigiCert will stop supporting manual and HTTPS web-based WHOIS lookups for domain validations, and prior-use authorizations based on these methods.
  • Phase Two (May 8, 2025): DigiCert will no longer accept automated WHOIS-based domain validations/IANA referrals for new domain validations. It will, however, still accept WHOIS protocol-based DCVs.
  • Phase Three (July 2025): DigiCert will no longer allow the reuse of existing WHOIS-based domain validations of any kind, regardless of the time left in a reuse period.

If you need more information about how these changes will affect you, you can reach out to us and we will be glad to help you.


Thank you for your attention.

If you have any queries, please contact us at support@clickhere2.com or visit our Customer Support Centre at https://support.clickhere2.com.sg.
