Repudiation Musing: optoutprescreen.com

I just found out about optoutprescreen.com which I found linked from creditkarma.com. I suppose that it allows you to submit your information to help cut down on the amount of junk mail that you receive in your mailbox similar to adding yourself to the Do Not Call Registry. The problem with this site is that…

By.

min read

optoutprescreen-certificate-validation

I just found out about optoutprescreen.com which I found linked from creditkarma.com. I suppose that it allows you to submit your information to help cut down on the amount of junk mail that you receive in your mailbox similar to adding yourself to the Do Not Call Registry.

The problem with this site is that it simply asks for your PII (including your SSN) and it provides little to know repudiation for verification. After a little digging I found an article on the FTC Site that at least provides some legitimacy to the site. But let’s review what the site should do to help the lay visitor:

Domain

I was unable to identify the true owner of this service other than the information found at the FTC article above and the about us page off optoutprescreen.com. If this is a FTC sponsored initiative then having a redirection from optoutprescreen.com to optout.ftc.gov will go a long way to raise trust with an established web presence.  If this is a collaboration between the US Consumer Credit Reporting Companies at the very least there should be bi-directional linkage from optoutprescreen.com to each agency with a return link identifying partnership in this program.

The best that I could find was some text references from Equifax.com stating the use of optoutprescreen.com as a tool to use to help control their use of your information to would be buyers (remember, a credit bureau makes money as an information broker that sells your information to others to make solicitation decisions).

Digital Certificate Validation

Use of a digital certificate of a higher validation than domain validated. Extended Validation is still a bit of a mess for me to recommend given the browser wars and waning support, but every business should opt for an Organization Validated (OV) certificate or similar which signs the information that the issuer validated into the certificate ensuring tamper resistance and repudiation.

Proxy Domain Registration

Use of proxy registration. Why would a legitimate business use proxy information on the domain registration? Proxy information is great to mask personal details but if you’re masking organization details you come off as a scam.

robby@Vierge ~
$ whois -H optoutprescreen.com
 Domain Name: OPTOUTPRESCREEN.COM
 Registry Domain ID: 126885936_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.godaddy.com
 Registrar URL: http://www.godaddy.com
 Updated Date: 2017-01-17T21:18:37Z
 Creation Date: 2004-08-10T14:52:15Z
 Registry Expiry Date: 2018-07-12T03:59:59Z
 Registrar: GoDaddy.com, LLC
 Registrar IANA ID: 146
 Registrar Abuse Contact Email: abuse@godaddy.com
 Registrar Abuse Contact Phone: 480-624-2505
 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Name Server: NS1.WEST.COM
 Name Server: NS3.WEST.COM
 DNSSEC: unsigned
 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-11-26T17:02:09Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

robby@Vierge ~
$ whois -H -h whois.godaddy.com optoutprescreen.com
Domain Name: OPTOUTPRESCREEN.COM
Registrar URL: http://www.godaddy.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Name Server: NS1.WEST.COM
Name Server: NS3.WEST.COM
DNSSEC: unsigned

For complete domain details go to:
http://who.godaddy.com/whoischeck.aspx?domain=OPTOUTPRESCREEN.COM

Domain Proxy services offer a form of identity protection to entities or persons that prefer to keep contact information private yet still must adhere to ICANN rules to maintain proper registrant information.  I would not go so far to say that every domain that has proxy information is up to nefarious activities, but I would go as far to say that any domain that intends to provide legitimate, trust based services should pony up and keep a PO Box, contact phone and email address on the domain registration for all to see so that a user could follow up with questions on a poorly exposed web site.

IP Address Space

Use of contractor IP space. The IP space that is hosting the domain name optoutprescreen.com is owned by a NGO: West Corporation. Who are these folks and why are they based out of Omaha, NE? Don’t steaks come from Omaha?

robby@Vierge ~
$ dig optoutprescreen.com +short
75.78.105.34
75.78.177.191

robby@Vierge ~
$ whois -c 75.78.105.34
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '75.0.0.0 - 75.255.255.255'

% No abuse contact registered for 75.0.0.0 - 75.255.255.255

inetnum: 75.0.0.0 - 75.255.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIRs at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: IANA IPV4 Recovered Address Space
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
created: 2014-11-07T14:14:45Z
last-modified: 2015-10-29T15:12:32Z
source: RIPE

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.90 (BLAARKOP)

Granted not everyone can own dedicated IP space especially in a world where converging infrastructure into leased programs (looking at you here Cloud Providers) offer compelling benefits.  This point becomes valuable only when everything else fails and look where we are.

The Rundown

About the best thing going for this site is that they demand a TLS connection from a trusted CA. But this site was put up as cheaply as possible and it shows which completely undermines the legitimacy of the program.

Maybe that’s the point after all. Invest in the bare minimum so that no one uses the program, but you’re still offering support for it to abide by requirements asserted by those who would never use it in the first place.

Let’s Recap what should have been done here as what we’re really after is some level of faith that this website is not a gaping phishing site attempting to collect PII information:

  • Domain Repudiation: This is simple and comes in a few flavors:
    • Purchase an Organization Validated (OV) Digital Certificate.  This level of certificate requires the Certificate Authority to verify organization information on a domain and stand by that verification by signing that information into the certificate putting their reputation on the line as only issuing what has been validated.
    • Ensure Domain Registrant Information is Public and accurate.  This is a requirement of an OV certificate and in this author’s humble opinion, a requirement for any site that wishes to maintain any level of reputation.
  • Content Repudiation: Simply put, providing reputation from the content displayed from the site:
    • Bi-Directional Linking: Originally one of the single tenants of Search Engine Optimization,  a simple act of connecting two properties on the web by linking each within the content of each.  Site A provides a link to Site B and Site B provides a link to Site A.  Trusting content is a bit more difficult as it requires some form of version control, cryptographic signing, and a method of public key sharing in a variable trust scenario, it does offer a data point that would not otherwise be possible.  To put it another way, accept content as is as long as it is not the only piece of data that builds trust.  If content is all you have, verify it with another source or recreate the discovery for your own verification.

Cheers,
Robby


Also published on Medium.