The EU could prepare to ban anonymous registration of domain data in a bid to bolster security and anti-hacking efforts, it emerged.
The new provision was added to the “NIS2” legislation which was adopted by the European Parliament. It aims to fill the loopholes that currently allow registrants to potentially give false contact information, or “whois”, to domain registrars, while expanding the personal information they must provide.
“In order to ensure the availability of accurate, verified and complete domain name registration data, TLD registries and entities providing domain name registration services should be required to collect name registration data.” domain, ”he explains.
“They should aim to ensure the integrity and availability of this data by implementing technical and organizational measures, such as a confirmation process for registrants. In particular, TLD registries and entities providing domain name registration services should establish policies and procedures for the collection and maintenance of accurate, verified and complete registration data, as well as for prevention and control. correction of inaccurate registration data.
In short, the proposals will force registrars to require a valid email address and phone number, in addition to the registrant’s name and physical address, which were previously required.
Privacy activists have warned the proposals could endanger activists by removing online anonymity, but security experts have welcomed the legislative move.
“This change in posture shows how important information about the incumbent can be for defenders. We’ve certainly found other ways to fingerprint actors based on Tactics, Techniques, and Procedures (TTPs), but removing large swathes of areas related to a single individual is much faster when they can actually be removed. related to this individual, and time is running out. increasingly essential, ”said Chad Anderson, Senior Security Researcher at DomainTools.
“For those who say this will be a hit for whistleblowers and activists: that’s hogwash because they should all be using Tor and built-in sites anyway to protect their anonymity.” If anything, it will force their hand to use better operational security. “
Further arguments against the proposals are that cybercriminals will gravitate to registrars outside the EU where there is more opacity in domain registrations.
However, Anderson claimed that was missing the point.
“Defensive work is never about removing threats, it’s about making it so expensive that the threat can’t work,” he said.
“This raises the bar and makes easy cybercrime like compromised business email (BEC) and credential phishing campaigns expensive. Additionally, it reduces the attack zone left to watch as it reduces the number of registrars that attackers can use.