liz writes stuff down
7Jul/154

Who is WHOIS: a brief biography of Internet user privacy

If you look up the registration details for my personal (and currently non-commercial) website, you'll see

Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email:
   9E75215858B04E82BCC8D2E235410D8E.PROTECT@WHOISGUARD.COM

because I register lizdenys.com by proxy. When I first registered lizdenys.com over five years ago, I used proxy registration because I value my privacy, and I continue to do so.

Starting in mid-2013, 282,867 domains registered by eNom via Google Apps had their hidden registration information made public. On April 11, 2014, I noticed lizdenys.com was among them. Having my personal information freely available online to everyone wasn't just theoretical anymore. I am lucky that most of that information is now outdated and that the worst that happened to me was that a slew of recruiters contacted me through the previously unreleased number in my WHOIS record. (I have to admit I'm probably about as impressed as I am creeped out that recruiters admitted to finding that phone number through a WHOIS lookup.) My domain is again protected through a proxy registration.

But ICANN, the global domain name authority, is considering a proposal to disallow proxy registration services for commercial websites. Currently, lizdenys.com isn't and doesn't look like a commercial site, but it could very easily become one. If I needed to put ads on my website to cover hosting costs, lizdenys.com could be considered commercial. If I finished and published my cookbook, Counter Productive, and promoted it here, lizdenys.com would almost certainly be considered commercial.

But the problem with the WHOIS database runs deeper than what should or should not qualify as commercial and whether or not commercial domains should be allowed to use proxy registration services.

To understand the WHOIS database, we have to start with its origins - before the Internet. ARPANET, an early packet switching network whose technologies became the foundation of the Internet, was a closed network for the purpose of supporting government research. Personal and commercial use was discouraged.

ARPANET Directory collected the identities of its users, along with their workplace address, phone number, and network mailbox, and provided this information to other users. As described in RFC 812 (1982), the WHOIS protocol and Identification Data Base were originally designed to provide an "online directory look-up equivalent to the ARPANET Directory". WHOIS was created to have a very specific purpose of connecting those supporting government research more readily, but did not provide information that was not previously available to its users.

In 1984, MILNET, the part of ARPANET used for unclassified Department of Defense traffic, was physically separated from ARPANET for security reasons, but the two networks continued to communicate. RFC 954 (1985) described a natural evolution for the WHOIS Database - that it should continue to include sites that were on the now independent MILNET. The purpose of WHOIS was again scoped to identifying the locations of network names supporting government research, and it still did not provide information that was not otherwise available to its users.

In 2004, RFC 3912 updated the protocol but did not state changes to the scope of the database. By this time, the Internet had expanded from only connecting Department of Defense researchers to also including personal and commercial web endeavors. The WHOIS Database expanded with it, despite no stated change to its purpose, from physical sites of machines passing traffic on a government network to also including personal information about people using an ISP to physically host their site somewhere other than their home address.

During the early days of electronic commerce in the mid-1990s, most participating individuals did not have to worry about their personal information being a part of the WHOIS database. For most sellers, the only WHOIS records for their site were those of their online store platform, such as Viaweb (founded in 1995, later bought by Yahoo! to become Yahoo! Store) and eBay (founded in 1994). Even medium-sized sellers didn't own their own domain names until later in the dot-com era, and individual sellers followed even later. Contact information for e-commerce was handled in other means. While WHOIS records were expanding beyond the needs of the ARPANET Database, they still tended to catalog only major organizations making up the network, not every website owner by their personal information.

In the last two decades, an increasing number of individuals sell through their own domains, where they have the freedom to customize the purchasing experience for their products. Many more individuals, such as myself, have personal domains that will probably venture into partially commercial territory someday by showing ads or promoting their work. Each of these domain owners is also required to be in the WHOIS directory - either they must give their home address, create an alternate address possibly to be used solely for domain registration, or use a proxy registration service. (Most domain owners I know use both proxy registration and an alternate address underneath, like a PO Box, though obtaining an alternate address costs much more than a domain name, a proxy registration service, hosting, and SSL certificates combined.) It's a recent phenomenon for domains to be owned by individuals instead of large companies and government agencies. Proxy registration service is, effectively, a workaround for how WHOIS was not designed to handle this.

The Internet of 2015 isn't the Internet of 2004 or 1994 or 1985 or 1982, and we deserve better than the WHOIS system designed 33 years ago.

That's a lofty undertaking that isn't currently in the works, but the threat of removing proxy registration for commercial websites is immediate. ICANN's working group has called for public comment on this issue - you can send your comments by emailing comments-ppsai-initial-05may15@icann.org and clicking the required confirmation when ICANN replies that they have received your response. I've written in, and I hope you will, too.

18Aug/141

An update on Keybase verification

Keybase updated their verification methods to include a command line method that relies on echo, gpg, perl, and curl. I really like this so-called "hardcore mode" because it uses only tools I already trust - I don't have to install anything from Keybase. The process involves running a script they provide, and you get to read through it and see exactly what it will do.

This actually happened a few months ago, but I just used it to verify my Keybase identity. I'm excited to see Keybase improve the web of trust.

31Mar/14Off

Refusing to verify myself: I am liz on Keybase.io.

Keybase seeks to be a "public directory of publicly auditable public keys" with simpler usernames than PGP and verified account linking to popular sites such as Twitter and GitHub. This is awesome because "PGP for humans" is long overdue and because I snatched up the namespace liz.

Linking my verified public PGP key with Keybase was easy enough by using gpg on a trusted machine and copying into their web client. I associated my PGP key with fingerprint 89CB 0766 5EB4 2515 EE7F 3FAA E0B9 3B4A 4E8E A664 to the username "liz", but this doesn't establish much in the way of my identity.

PGP's standard for establishing identity, the web of trust, is complicated and non-intuitive - I trust my friend Nelson's key, Nelson trusts Anders's key, Anders trusts Alex's key, and Alex trusts Ceres's key, so naturally, I should believe 9D06 536F FD85 F747 8846 CAAD 7688 4EEA 6E6D 80F4 is Ceres. Instead of relying on trusting a chain of signatures, the bread and butter of Keybase's directory is using accounts on popular and personal sites to establish identity. While this is arguably insecure because such accounts can be compromised (though so can PGP keys), I already have mappings from people to those accounts and am inclined to believe that their keys belong to them after they've established those accounts on Keybase.

Unfortunately, I couldn't find a way to securely establish @redroselet, lizdenys on GitHub, or lizdenys.com as "liz". Uploading a client-encrypted copy of my private key was right out - if a malicious attacker com­pro­mis­es Keybase's soft­ware, they'll have access to my key and could get my passphrase the next time I type it. The only other option is the Keybase command line client, which is already more appealing to me because I love living my life inside a terminal (really).

The Keybase command line client installer depends on npm. The machine I trust with my PGP keys is running Ubuntu 12.04.4 LTS (Precise Pangolin), which is supported until October 2017. The version of node in apt is 0.6.12, which is older than the minimum required version to install keybase. This is unfortunate because apt-get authenticates packages as an entity I trust because I trust my operating system. If I install a later version of node, I either need to trust another party, whom I may not be able to easily verify as trustworthy, or build npm from source myself, which requires that I understand how the node source code and a packaging system I've never seen before works to my satisfaction. Beyond that, I couldn't easily figure out if npm authenticates packages. It doesn't seem particularly safe for me to trust my valuable PGP keys to this system.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I'm liz on Keybase.io, and I'm refusing to verify myself.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJTOYAgAAoJEOC5O0pOjqZkiK8QAIhBS85fxa/W3q9yQUEKCuMy
sWwWSaSEDDj494p86Rh6IvBMJfNxkkCLrW8RJr03Y4v2mCkCQ/n6i03ro2AvKZbt
bHoDPL+dfqA5DVU7LOmy6WNXkX77eXGYkOAkWeWt/VLE9ZRmuGJJYXlvs04mgU1k
hj1eN7eBP5VR6+Q4kse6o8+a/Yr71YE4w/4BWQbnL3vgqGnrmP836rbx1RnoEI5t
2+yYX++piIasbT1RJtbetJwcR2SBBpFlll9B1QFAIqxxJE+ccBzxXnwyW7OTQsFf
ykMl0v2REFjCGaxyrluuVz6ZiXEu1FYYuO6TdJGUN3s3loRZ6a4MaF6u0l3qtNDi
uVAQm5RK5lS6nt5W+cWkIZNtTewFItX8IvTx7MOpE5hdB+Qvj6IKQqkEYyrY+r43
drR3gYklQUAAoZwWlnjdkUSxYEM9/SO/AW6c5awJUXB1mcn5qCDXjsVioLWYtKDo
fraKvZc0xMUktRBVG7e/8t1zu1O/ixvOo6aLMyuVIfsspy5XhXbR4STHBJzFOMoK
3AMpPIATdWFJOn35tZXWgjd7QFE46nTqZgK0co2QY60aWO2oI8lI9YLVMwHm6vyJ
vhEZGyaJ9MPN5vbWc4tdjCNzU7tv1zUyUJNLtBQ1yWUaCJldQYW8AO1wUNpzbk79
RYEUUgRtrPKkb4Cdh/09
=s/8d
-----END PGP SIGNATURE-----