Feature request: Validate domain whois information

carlosreq
carlosreq
Community Member

During an import/cleanup session, I found that a few of the websites now belong to someone else - either they were sold, or the domains were abandoned and snatched by fraudsters.

Generally speaking, it would be quite useful if 1pass notified us before login into any site whose whois information has changed since the last time. It's a yellow/red flag (at least for me).


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's an interesting idea, but not something that could feasibly be done. We are not a registrar, and what you're asking for essentially, in order for it to be in any way accurate, would be similar to the EV certificate process, where we'd be verifying ownership of websites. We'd need a whole team to do just that, and it would be an ongoing, ever-escalating process with no end in sight that we'd be committing ourselves to, and it would not be possible for it to be completely reliable. There are a LOT of websites out there changing ownership every day -- or simply changing the business name without any ownership stake changing hands, getting a new certificate with a slightly different name (LLC, Inc.) etc. You could do it the cheap/dumb (i.e. automated static name checks) way, but that generated even more problems, false positives/negatives, misidentification, etc. For example, if you've been using 1Password for a while, you used to go to agilebits.com for that. But that now redirects to 1password.com. We didn't sell the company, or even really change the company name; 1Password is just the name that people know, so we're using that everywhere as our main web presence now, marketing, etc.

    Ultimately you could have the same problems you're describing even if 1Password did what you're asking, but you'd also have a false sense of security thinking that 1Password could reliably determine for you which websites to trust and which you should not. I think it might be more useful/feasible if web browsers did that though since they're the ones actually interacting with the website (1Password does not; it just send the URL to the OS, which in turn sends it to the browser). Something to consider. :)

  • carlosreq
    carlosreq
    Community Member

    @brenty I don't think I explained myself correctly then.
    You could just keep a hash of the certificate along the website, and if it has changed report it to the user. That's all. Has been there a change in the certificate since the last time the user accessed the website?

  • ag_ana
    ag_ana
    1Password Alumni

    @carlosreq:

    Certificates are updated for many reasons, even absolutely normal ones such as when a certificate expires and it's renewed. In this case, there would be nothing informative to report to users. But I think I see what you are suggesting :+1:

  • carlosreq
    carlosreq
    Community Member

    Thanks @ag_ana . Yes, there's legit reasons for certs being replaced of course. Otherwise all the browsers would report changes automatically :-)

    I'd like 1password, after all a key ingredient in my security toolbox, to do some work here. Or maybe a different unrelated extension would be better?

This discussion has been closed.