I just found out about optoutprescreen.com, which I found linked from creditkarma.com. I suppose it allows you to submit your information to help cut down on the amount of junk mail you receive in your mailbox, similar to adding yourself to the Do Not Call Registry.
The problem with this site is that it simply asks for your PII (including your SSN) and provides little to no repudiation for verification. After a little digging I found an article on the FTC site that at least lends some legitimacy to the site. But let’s review what the site should do to help the lay visitor:
I was unable to identify the true owner of this service beyond the information in the FTC article above and the about-us page on optoutprescreen.com. If this is an FTC-sponsored initiative, then a redirection from optoutprescreen.com to optout.ftc.gov would go a long way toward raising trust through an established web presence. If this is a collaboration between the US consumer credit reporting companies, at the very least there should be bi-directional linkage from optoutprescreen.com to each agency, with a return link from each agency identifying its partnership in this program.
The best I could find was some text on Equifax.com referencing optoutprescreen.com as a tool to help control how they market your information to would-be buyers (remember, a credit bureau makes money as an information broker that sells your information to others so they can make solicitation decisions).
Digital Certificate Validation
Use a digital certificate with a higher level of validation than domain validated. Extended Validation is still too much of a mess for me to recommend, given the browser wars and waning support, but every business should opt for an Organization Validated (OV) certificate or similar, which signs the information the issuer validated into the certificate, ensuring tamper resistance and repudiation.
Proxy Domain Registration
Use of proxy registration. Why would a legitimate business use proxy information on its domain registration? Proxy information is great for masking personal details, but if you’re masking organization details you come across as a scam.
```
robby@Vierge ~ $ whois -H optoutprescreen.com
   Domain Name: OPTOUTPRESCREEN.COM
   Registry Domain ID: 126885936_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.godaddy.com
   Registrar URL: http://www.godaddy.com
   Updated Date: 2017-01-17T21:18:37Z
   Creation Date: 2004-08-10T14:52:15Z
   Registry Expiry Date: 2018-07-12T03:59:59Z
   Registrar: GoDaddy.com, LLC
   Registrar IANA ID: 146
   Registrar Abuse Contact Email: firstname.lastname@example.org
   Registrar Abuse Contact Phone: 480-624-2505
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.WEST.COM
   Name Server: NS3.WEST.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-11-26T17:02:09Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

robby@Vierge ~ $ whois -H -h whois.godaddy.com optoutprescreen.com
Domain Name: OPTOUTPRESCREEN.COM
Registrar URL: http://www.godaddy.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Name Server: NS1.WEST.COM
Name Server: NS3.WEST.COM
DNSSEC: unsigned
For complete domain details go to: http://who.godaddy.com/whoischeck.aspx?domain=OPTOUTPRESCREEN.COM
```
Domain proxy services offer a form of identity protection to entities or persons that prefer to keep contact information private while still adhering to ICANN rules requiring proper registrant information. I would not go so far as to say that every domain with proxy information is up to nefarious activities, but I would go so far as to say that any domain intending to provide legitimate, trust-based services should pony up and keep a PO Box, contact phone and email address on the domain registration for all to see, so that a user could follow up with questions about a poorly exposed web site.
IP Address Space
Use of contractor IP space. The IP space hosting the domain name optoutprescreen.com is owned by an NGO: West Corporation. Who are these folks, and why are they based out of Omaha, NE? Don’t steaks come from Omaha?
```
robby@Vierge ~ $ dig optoutprescreen.com +short
188.8.131.52
184.108.40.206
robby@Vierge ~ $ whois -c 220.127.116.11
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '18.104.22.168 - 22.214.171.124'

% No abuse contact registered for 126.96.36.199 - 188.8.131.52

inetnum:        184.108.40.206 - 220.127.116.11
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks:        You can access databases of other RIRs at:
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
remarks:        http://www.apnic.net/ whois.apnic.net
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        IANA IPV4 Recovered Address Space
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
created:        2014-11-07T14:14:45Z
last-modified:  2015-10-29T15:12:32Z
source:         RIPE

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2001-09-22T09:31:27Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.90 (BLAARKOP)
```
Granted, not everyone can own dedicated IP space, especially in a world where converging infrastructure onto leased platforms (looking at you, cloud providers) offers compelling benefits. This point only carries weight when everything else fails, and look where we are.
About the best thing going for this site is that it demands a TLS connection with a certificate from a trusted CA. But this site was put up as cheaply as possible, and it shows, which completely undermines the legitimacy of the program.
Maybe that’s the point after all: invest the bare minimum so that no one uses the program, but still offer it to abide by requirements asserted by those who would never use it in the first place.
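The three checks above (certificate validation level, privacy-proxy registrant, and who owns the hosting netblock) are mechanical enough to script. The following Python is an added example and not code from the post: it classifies a certificate from the subject fields `ssl.getpeercert()` returns, scans registrar whois text for the proxy markers seen in the GoDaddy output, and pulls the owning organisation out of RIR whois text to compare against the organisations a site claims to represent. The sample certificate dicts, whois text and the optional `policies` key are constructed for the example; `live_cert` is the only network call.

```python
"""Trust-signal checks for a site that asks for PII. Added example; the
sample inputs below are constructed, not captures from optoutprescreen.com."""
import re
import socket
import ssl

# CA/Browser Forum certificate-policy OIDs (published, stable values).
POLICY_OIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}


def subject_dict(cert):
    """Flatten the nested tuples ssl.getpeercert() uses for 'subject'."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert):
    """Classify a certificate as DV / OV / IV / EV.

    getpeercert() does not expose the certificatePolicies extension, so the
    OID table is only consulted when a caller supplies a 'policies' list
    (a constructed key, not part of the ssl module's dict). Otherwise a
    populated organizationName is the practical sign that the CA validated
    an organisation; its absence means domain-validated only."""
    for oid in cert.get("policies", ()):
        if oid in POLICY_OIDS:
            return POLICY_OIDS[oid]
    return "OV" if subject_dict(cert).get("organizationName") else "DV"


# Registrant strings commonly used by privacy/proxy registration services.
PROXY_MARKERS = (
    "domains by proxy", "registration private", "redacted for privacy",
    "whoisguard", "privacy protect", "contact privacy", "perfect privacy",
)


def registrant_is_proxy(whois_text):
    """True when the Registrant Name/Organization lines name a privacy proxy."""
    fields = re.findall(r"^Registrant (?:Name|Organization):\s*(.+)$",
                        whois_text, re.M | re.I)
    return any(m in f.lower() for f in fields for m in PROXY_MARKERS)


def netblock_org(ip_whois_text):
    """Owning organisation from ARIN-style (OrgName:) or RIPE-style
    (org-name:/descr:) whois output; None if no such field is present."""
    for key in ("OrgName", "org-name", "descr"):
        m = re.search(rf"^{key}:\s*(.+)$", ip_whois_text, re.M | re.I)
        if m:
            return m.group(1).strip()
    return None


def trust_report(cert, registrar_whois, ip_whois, claimed_operators):
    """Combine the three signals into findings a reviewer can act on."""
    findings = []
    level = validation_level(cert)
    if level == "DV":
        findings.append("certificate is domain-validated only; the CA verified no organisation")
    if registrant_is_proxy(registrar_whois):
        findings.append("domain registrant is hidden behind a privacy proxy")
    org = netblock_org(ip_whois)
    if org and not any(c.lower() in org.lower() for c in claimed_operators):
        findings.append(f"hosting netblock is owned by {org!r}, not by any claimed operator")
    return {"validation": level, "netblock_org": org, "findings": findings}


def live_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate in getpeercert() form (network only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# ---- constructed sample inputs (shape of getpeercert() / whois output) ----
SAMPLE_DV_CERT = {"subject": ((("commonName", "www.example.test"),),)}
SAMPLE_OV_CERT = {"subject": ((("countryName", "US"),),
                              (("organizationName", "Example Credit Bureau Inc"),),
                              (("commonName", "www.example.test"),))}
SAMPLE_REGISTRAR_WHOIS = """Domain Name: EXAMPLE.TEST
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
"""
SAMPLE_IP_WHOIS = """NetRange: 192.0.2.0 - 192.0.2.255
OrgName: Example Hosting Contractor LLC
City: Omaha
"""

if __name__ == "__main__":
    print(trust_report(SAMPLE_DV_CERT, SAMPLE_REGISTRAR_WHOIS, SAMPLE_IP_WHOIS,
                       ["Equifax", "Experian", "TransUnion"]))
```

Two caveats for anyone running this against a real host: `getpeercert()` only returns a populated dict after a successful chain validation, so a self-signed or untrusted certificate raises rather than reporting "DV", and registrar and RIR whois layouts vary enough that the regexes are a starting point to be tuned per source, not a universal parser.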
Let’s recap what should have been done here, as what we’re really after is some level of faith that this website is not a gaping phishing site attempting to collect PII:
- Domain Repudiation: This is simple and comes in a few flavors:
  - Purchase an Organization Validated (OV) Digital Certificate. This level of certificate requires the Certificate Authority to verify organization information for a domain and to stand by that verification by signing the information into the certificate, putting its reputation on the line as only issuing what has been validated.
  - Ensure domain registrant information is public and accurate. This is a requirement of an OV certificate and, in this author’s humble opinion, a requirement for any site that wishes to maintain any level of reputation.
- Content Repudiation: Simply put, deriving reputation from the content the site displays:
  - Bi-Directional Linking: Originally one of the basic tenets of Search Engine Optimization, this is the simple act of connecting two web properties by linking each within the content of the other: Site A links to Site B and Site B links back to Site A. Trusting content is harder, since it requires some form of version control, cryptographic signing, and a method of public key sharing in a variable-trust scenario, but it does offer a data point that would not otherwise be available. To put it another way, accept content as is, as long as it is not the only piece of data that builds trust. If content is all you have, verify it with another source or recreate the discovery for your own verification.
Also published on Medium.