Numerous fraudulent TLS/SSL certificates, each enabling the holder to claim ownership of any .mobi domain, could have been issued to threat actors via the .mobi TLD's outdated WHOIS server domain, SC Media reports.
Nearly 2.5 million WHOIS queries were sent to whois[.]dotmobiregistry[.]net, a server domain retired before December, in just the days after watchTowr researchers bought the expired domain, indicating lapses in tooling updates, according to the researchers' report. Moreover, the queries to the outdated WHOIS server came from governments, cybersecurity firms, universities, and TLS/SSL certificate authorities. While the research was initially intended to shed light on the security risks of abandoned domains, the findings have emphasized persistent gaps at TLS/SSL certificate authorities, watchTowr researchers noted.
"Our research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in our opinion," said researchers.
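The tooling lapse described above comes from clients that hardcode a TLD's WHOIS server and never refresh it. The following is an added example, not code from SC Media, watchTowr, or any registry: it parses the `whois:` referral line from an IANA-style TLD record (the sample reply and the `whois.example-registry.test` server name are constructed placeholders) and flags a configured server that no longer matches the authoritative referral. The `query_iana` helper performs a live lookup at whois.iana.org for real use; the offline demonstration uses the constructed reply.

```python
"""Check a configured WHOIS server for a TLD against IANA's referral.

Added example (not from the SC Media/watchTowr report). IANA publishes the
authoritative WHOIS server for each TLD in a "whois:" line of its TLD record;
comparing a tool's hardcoded server against that line catches stale referrals.
"""
import re
import socket
from typing import Optional

# Constructed sample in the shape of an IANA TLD record. The server name is a
# placeholder, not the current .mobi WHOIS server.
SAMPLE_IANA_REPLY = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       MOBI

organisation: Example Registry Operator
address:      placeholder

whois:        whois.example-registry.test

status:       ACTIVE

source:       IANA
"""

# Matches the referral line; MULTILINE so ^ anchors at each line start.
WHOIS_LINE = re.compile(r"^whois:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_iana_whois_server(reply: str) -> Optional[str]:
    """Return the WHOIS server IANA lists for the TLD (lowercased), or None."""
    m = WHOIS_LINE.search(reply)
    return m.group(1).lower().rstrip(".") if m else None


def query_iana(tld: str, timeout: float = 10.0) -> str:
    """Live lookup of a TLD record at whois.iana.org over plain WHOIS (TCP/43)."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as s:
        s.sendall(tld.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def check_configured_server(configured: str, iana_reply: str) -> dict:
    """Compare a tool's hardcoded WHOIS server with IANA's referral.

    status is "ok" when they match, "stale" when they differ, and
    "unverifiable" when the reply carries no whois: line at all.
    """
    authoritative = parse_iana_whois_server(iana_reply)
    configured_norm = configured.lower().rstrip(".")
    if authoritative is None:
        return {"authoritative": None, "configured": configured_norm,
                "status": "unverifiable"}
    status = "ok" if configured_norm == authoritative else "stale"
    return {"authoritative": authoritative, "configured": configured_norm,
            "status": status}


if __name__ == "__main__":
    # Offline demonstration: the retired server named in the report is checked
    # against the constructed IANA reply. Swap in query_iana("mobi") for a live check.
    print(check_configured_server("whois.dotmobiregistry.net", SAMPLE_IANA_REPLY))
```

A client that performs this comparison before each lookup (or at startup, with the result cached for a bounded time) treats a "stale" result as a configuration error rather than silently trusting whatever host the old name now resolves to.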