Re: [swinog] GDPR / DSGVO and 'whois' domain data
On 2018-07-02 09:45, Benoit Panizzon wrote:
[..]
> Also, such domains usually quite quickly get a bad reputation as hiding
> the whois data is something the 'bad guys' do. Also it becomes a bit
> more difficult, to verify if a domain is legit or not to decide upon
> well crafted phishing emails. Or to contact the owner in case of
> security incidents.

Bad guys just provide false data (and the privacy hiding things)

Hence, whois is mostly useless, even though that false data might be able to correlate multiple domains (which is a feature that is lost now)

As RIPE is clearly demonstrating though, throwaway addresses and emails are totally okay to have in RIPE whois

Currently "good guys" will publish one of these:

https:///.well-known/security.txt

e.g.:
https://www.google.com/.well-known/security.txt
https://unfix.org/.well-known/security.txt
etc.

as per the _draft_:
https://tools.ietf.org/html/draft-foudil-securitytxt-03
https://github.com/securitytxt/security-txt

and (as usual) not everybody is happy with it:
https://news.ycombinator.com/item?id=15416198

Many folks also publish it directly as /security.txt; I have a default location in nginx to cover them and put it everywhere (with try_files one can try to per-vhost edition and then fall back to a generic one).

.oO(Yes, the Internet is HTTPS now, everything else is futile... new Internet users on the block do not know what whois is, let alone what it was useful for; problem reports are automated nowadays, few still actually read/act upon abuse@ or security@ addresses...)

[..]
> So I asked Gandi for how the GDPR exactly forces them to hide their
> customer's whois data. I haven't got a reply to this yet.

Nothing forces them to do so, they are just covering their behinds. By blocking it they do not have to deal too much with GDPR, thus it is the path of least difficulty (read: money).

[..]
> If I get the whois data for some well known domains like:
>
> microsoft.com
> google.com
> swiss.com
> credit-suisse.com
>
> NONE has 'privacy protect' activated.

None of those are private individuals.

Greets,
 Jeroen

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
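The nginx arrangement described in the message above (one default location, a per-vhost file tried first, a generic fallback), sketched here as an added example; it is not part of the original message and not the poster's actual configuration. The directory /srv/security-txt, the snippet file name and the <server_name>.txt naming scheme are assumptions.

```nginx
# snippets/security-txt.conf (hypothetical file name), pulled into each
# server { } block with:  include snippets/security-txt.conf;
#
# Assumed layout on disk (constructed for this example):
#   /srv/security-txt/<server_name>.txt   optional per-vhost edition
#   /srv/security-txt/default.txt         generic fallback

location = /.well-known/security.txt {
    root         /srv/security-txt;
    default_type text/plain;   # fallback if no types map is loaded

    # $server_name is the configured primary name of the vhost, not the
    # client-supplied Host header, so the request cannot steer which
    # file is looked up. If no per-vhost file exists, the generic one
    # is served; if that is missing too, answer 404.
    try_files /$server_name.txt /default.txt =404;
}

# Top-level path that many sites also publish; serve the same content.
location = /security.txt {
    root         /srv/security-txt;
    default_type text/plain;
    try_files /$server_name.txt /default.txt =404;
}
```

Both locations are exact matches (`location =`), so they take precedence over any prefix or regex location a vhost already defines for `/` or `/.well-known/`.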
Re: [swinog] GDPR / DSGVO and 'whois' domain data
> If I get the whois data for some well known domains like:
>
> microsoft.com
> google.com
> swiss.com
> credit-suisse.com
>
> NONE has 'privacy protect' activated.

I only see the registrar's contact details for all domains. Seems to be standard for com Domain since last few weeks.

https://www.golem.de/news/dsgvo-icann-verliert-gerichtsstreit-ueber-whois-daten-1806-134717.html

It's not the same, but nice to know:
https://nextcloud01.cloud42.ch/index.php/s/cAbYANCM4gAgBSz

--
Web: https://markusritzmann.ch
Twitter: @RitzmannMarkus
[swinog] GDPR / DSGVO and 'whois' domain data
Dear Swinogers.

I run a couple of .com and .ch domains, which are registered via Gandi.net

About one week ago, Gandi activated 'privacy protect' on my .com domains, hiding all my contact data in the whois output, without me asking them to do so. They sent an email though, that they would do so because of the GDPR.

I asked them how GDPR entitles them to do so, in my opinion the GDPR aims for more transparency and thus, this is counterproductive.

Also, such domains usually quite quickly get a bad reputation as hiding the whois data is something the 'bad guys' do. Also it becomes a bit more difficult, to verify if a domain is legit or not to decide upon well crafted phishing emails. Or to contact the owner in case of security incidents.

I told Gandi about my concerns, but only got the reply that they were forced to hide whois contact information on all domains registered via their service because of GDPR. Having the contact data published now is optional and has to be activated manually by the domain owner.

This surely is not the case, as my .ch domains registered with gandi still show my complete contact.

So I asked Gandi for how the GDPR exactly forces them to hide their customer's whois data. I haven't got a reply to this yet.

So I wonder if somebody on this list knows the background why gandi acts this way and if other registrars do the same.

If I get the whois data for some well known domains like:

microsoft.com
google.com
swiss.com
credit-suisse.com

NONE has 'privacy protect' activated.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G  -  Head of Commercial Customers
Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch