Closed Bug 399129 Opened 17 years ago Closed 9 years ago

WHOIS link on SSL error pages

Categories

(Core :: Security: PSM, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: BijuMailList, Unassigned)

References

(Blocks 1 open bug, )

Details

At present the SSL error page is a dead-end page with no links to anywhere. Please provide a GUI/mouse-click-able/pull-down-able mechanism to at least see WHOIS info of the related sites, i.e.:

a) the site the user typed in
b) the site of the certificate, if it is different from what the user typed
c) the site to which the page is being redirected
d) the CA for the error certificate

If the WHOIS provider is configurable through about:config, it will be great. This is also good for educating users about the WHOIS facility, which can be used for other things also.
There's an extension for getting whois-type information ("Domain Info"); I don't know that it's all that popular. I use it occasionally but more often find myself using the old command-line stand-bys. I can't see the average user wanting this information or even knowing what it is. I do wish the error page had a link to the cert details though, so people who do know how to use whois or are trying to debug the site can take a peek. But I think I saw that request covered in a different bug.
What, exactly, is the value of the Whois record to this dialog? Is it the requestor's intent to promote users second-guessing CAs, and to train users in Domain Validation? The process of attempting to validate a cert request via Whois is called "Domain Validation" (DV). It is the weakest of all methods for validating SSL certs. Using DV, people have successfully registered domains to Mickey Mouse. Extended Validation (EV) was created as a response to the inadequate identification done by/for DV. Mozilla played a role in exposing the inadequacy of DV, and in getting the EV effort started. IMO, it is NOT in Mozilla's interest to begin to train its users to apply DV techniques to otherwise invalid certs. If there is an extension for that, then users who wish to use DV to the exclusion of all else may do so with that extension. But IMO, Mozilla products should not promote DV.
(In reply to comment #2)
> What, exactly, is the value of the Whois record to this dialog?
> Is it the requestor's intent to promote users second-guessing CAs,

No, AFAIK no one uses WHOIS for validating SSL certs. It was not my intention to promote DV.

Many times WHOIS gives contact info, which can be used to contact the webadmin to tell them about the SSL issue. Currently the problem is a DEAD END page. Even the proposed way doesn't give a method for finding the web owner's contact info.

Example: say the SSL at https://etrade.com/ is invalid; there is no way for the user to get contact info for eTrade. As always, their non-SSL site http://etrade.com/ redirects to the https site.

But if one can check WHOIS, many times you get another method of communication like phone, fax, e-mail or snail-mail address, i.e., the following from
http://dns411.com/cgi-bin/whois.pl?pageid=swhois&whois=etrade.com
http://whois.domaintools.com/etrade.com

    E*Trade Group Inc
    Mark Stallcop
    4500 Bohannon Drive
    Menlo Park, CA 94025
    US
    mstallcop@etrade.com
    1--6503316000
    Fax: 1--6503316000

Now don't say the above info doesn't have any value to an average user. Many times the only intention in visiting a company's website will be to get the ph#/address.
Making those pages easier to understand is critical, and text-based changes are being discussed in 398718. I understand the desire to hook up whois information here, because it's seen as a repository of at least sometimes-useful contact information, and as Dan mentions, there are extensions (albeit maybe not broadly deployed) that do similar things already.

WHOIS, though, from what I understand, is a world of hurt. Even if you dump the raw reply so that you don't have to deal with the parsing headaches, most WHOIS services have explicit terms of use that reject automated queries and anyhow would be all the way dead if Firefox users started flocking to them in a major way. This is further exacerbated by the generally poor quality of the information in such databases, particularly outside the "big 3" TLDs. Moreover, the information in whois records is not strongly verified, so that in cases where deception is taking place (which is much of the reason the error pages, and the dialogs that preceded them, exist) WHOIS information will actually help carry off that deception.

I freely admit that this is anecdotal stuff, from developers who have tried such things in the past, but it roughly corresponds to my own experiences with the protocol as well. As a good example of some of the problems, here's what I get when I ask whois.net's web portal for facebook.com:

-- SNIP --
    WHOIS information for: facebook.com:
    [whois.tucows.com]
    IP Address: 128.121.95.55
    Maximum Daily connection limit reached. Lookup refused.
    Verio Inc. - Growing Your Business, One Click At A Time
-- END SNIP--

When I try to route around that IP blockage by just using command line whois (Mac OS X) I get:

-- SNIP --
    johnath$ whois facebook.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

    FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
    FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
    FACEBOOK.COM

    To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record.

    >>> Last update of whois database: Thu, 11 Oct 2007 08:56:02 EDT <<<

    NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

    TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
-- END SNIP --

After a couple more steps (= style query, also useless, then chaining that to their whois provider instead of my client default) I do get a Palo Alto address, which sounds promising. Let's try ebay.ie in Ireland:

-- SNIP --
    johnath$ whois ebay.ie
    % Rights restricted by copyright; http://www.domainregistry.ie/copyright.html
    % Do not remove this notice

    domain: ebay.ie
    descr: eBay International A.G
    descr: Body Corporate (Ltd,PLC,Company)
    descr: Registered Trade Mark Name
    admin-c: ABD140-IEDR
    tech-c: IAD1-IEDR
    renewal: 09-April-2008
    status: Active
    nserver: sjc-dns1.ebaydns.com
    nserver: sjc-dns2.ebaydns.com
    nserver: smf-dns1.ebaydns.com
    source: IEDR

    person: Susan Kawaguchi - Hostmaster
    nic-hdl: ABD140-IEDR
    source: IEDR

    person: Hea Jin Thomas
    nic-hdl: IAD1-IEDR
    source: IEDR
-- END SNIP --

No spam this time, but hardly useful information either, and a copyright notice that, like the other whois site terms of use, may or may not allow us to do anything with this information.

I wish WHOIS was useful data, it just feels like it isn't sufficiently useful to be a part of our shipped UI - and that it could indeed be actively detrimental in some cases. None of which, of course, is to say that the current error pages don't need help.
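The facebook.com lookup in the comment above, as an added example that is not part of the original bug thread: a check that classifies a registry reply before any of it is shown as "the" record, separating the exact match from listed names that merely begin with the queried domain. The function names, the two-label parent heuristic and the sample replies are assumptions made for illustration.

```javascript
// Added example; both replies below are constructed (the first is abridged
// from the record names quoted in comment 4).
const MULTI_REPLY = [
  'Whois Server Version 2.0',
  '',
  'FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM',
  'FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM',
  'FACEBOOK.COM',
  '',
  'To single out one record, look it up with "xxx".',
].join('\n');
const REFUSED_REPLY = 'Maximum Daily connection limit reached. Lookup refused.';

const HOSTNAME_LINE = /^[A-Z0-9-]+(?:\.[A-Z0-9-]+)+$/; // a bare upper-case DNS name
const REFUSAL = /limit reached|lookup refused/i;

// Collect every name the reply lists: bare name lines (multi-match listing)
// and "Domain Name:" fields (single-record display).
function listedNames(reply) {
  const names = [];
  for (const raw of reply.split(/\r?\n/)) {
    const line = raw.trim();
    const field = /^Domain Name:\s*(\S+)$/i.exec(line);
    if (field) names.push(field[1].toUpperCase());
    else if (HOSTNAME_LINE.test(line)) names.push(line);
  }
  return names;
}

// Last two labels; enough for the .com/.net registry shown (assumption).
const parentDomain = (name) => name.split('.').slice(-2).join('.');

function classifyReply(reply, queried) {
  const q = queried.trim().toUpperCase();
  if (REFUSAL.test(reply)) return { status: 'refused', exact: null, lookalikes: [] };
  const names = listedNames(reply);
  const exact = names.includes(q) ? q : null;
  // Names that only begin with the queried domain but sit under another one.
  const lookalikes = names
    .filter((n) => n !== q && n.startsWith(q + '.'))
    .map((n) => ({ name: n, parent: parentDomain(n) }));
  const status = names.length > 1 ? 'ambiguous' : exact ? 'single' : 'no-match';
  return { status, exact, lookalikes };
}

console.log(classifyReply(MULTI_REPLY, 'facebook.com'));
```

A caller that displays anything other than a `single` result would be presenting text chosen by whoever registered the look-alike names, which is the deception risk the comment describes.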
My original request is only a link/button to a WHOIS provider site, with the possibility of an about:config entry to configure the URL. So no parsing of whois result text or complex GUI is needed.

I see everybody suggesting an extension; one can just create a bookmarklet to avoid the extension overhead, like

    javascript:location = 'http://dns411.com/cgi-bin/whois.pl?pageid=swhois&whois=' + location.host

or configurable like

    javascript:(function(host){
      /* %s in providerURL is replaced by the current host */
      var providerURL = 'http://dns411.com/cgi-bin/whois.pl?pageid=swhois&whois=%s';
      var whoisURL = providerURL.split(/%S/i).join(host);
      location = whoisURL;
    })(location.host)

(In reply to comment #4)
> No spam this time, but hardly useful information either,
> and a copyright notice that, like the other whois site terms of use,
> may or may not allow us to do anything with this information.

Copyright will not be an issue as we are only redirecting the user to an existing online whois provider, which the user can switch to any of his choice.

(PS: Like Mozilla does with built-in Search Providers, if Mozilla wants to collect money from the default WHOIS provider also, that is fine too.)

> I wish WHOIS was useful data, it just feels like it isn't sufficiently useful
> to be a part of our shipped UI -

Again I am repeating, this enhancement request does not contain any request for a big GUI change. Only a button will be fine. Only
Blocks: 479922
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX