We spent $20 to achieve RCE and accidentally became the admins of .mobi

Overall reaction to the research

  • Many found the write-up highly entertaining, “journey-like,” and scary in its implications.
  • People are struck by how a $20 expired domain and a legacy WHOIS server name can yield massive attack surface, including potential RCE inside CA tooling.
  • Some readers initially misread the intro as if the researchers were injecting vulnerabilities; after reading carefully, they clarified it was about exploiting existing bugs.

WHOIS, PKI, and TLS trust chain fragility

  • WHOIS is criticized as plaintext, unsigned, and still inexplicably used by CAs for domain verification via email/phone/fax to WHOIS contacts.
  • Several note that these issues are not “TLS bugs” but weaknesses in the roots of trust: WHOIS, DNS, BGP, and email.
  • Certificate Authorities still have “blessed” methods that depend on WHOIS; some see this as negligent given modern threats.
  • Certificate Transparency and multi-perspective validation are mentioned as partial mitigations, but doubts remain about effectiveness against sophisticated BGP hijacks.

DNS, DNSSEC, BGP, and unfinished infrastructure

  • DNS is seen as a systemic weak link: susceptible to BGP hijacking, lacking universal DNSSEC, and essential to DV certificates.
  • DNSSEC is debated: some view it as failed or marginal due to low adoption; others say it helps but isn’t required by the CA Baseline Requirements.
  • IPv6, DNSSEC, QUIC, RPKI, etc. are cited as “half-finished” global migrations stalled by politics, legacy gear, and weak incentives.
  • There’s disagreement on whether the current DNS+PKI system is “very trustworthy” or only “adequately trustworthy” for consumer use.

PHP, eval, and software quality

  • The phpWhois eval-based parsing is widely mocked as egregious; commenters note safer language features and patterns existed even in PHP.
  • Broader debate: some say modern PHP is fine and stigma is outdated; others cite long-standing design flaws and libraries with security landmines.
  • Parallel concerns are raised about other ecosystems (C/C++, JavaScript) and the general tendency to shove untrusted strings into interpreters or shells.
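The parsing mistake the commenters are mocking is easier to see side by side than in the abstract. The block below is an added example written for this summary; it is not phpWhois's code and does not come from the write-up. It reproduces the eval-on-untrusted-input pattern in Python rather than PHP (the same class of mistake the last bullet describes), next to a parser that keeps the WHOIS response as opaque text. The sample response, the function names and the field grammar are all constructed for the illustration.

```python
"""Parsing WHOIS responses as data, not code.

Added illustration (not phpWhois's code and not from the original write-up):
parse_whois_unsafe repeats the eval-on-untrusted-input mistake, in Python
rather than PHP; parse_whois_safe shows the alternative.
"""
import re
from typing import Dict, List

# Constructed sample response; not real registry output. The last field
# holds text that is also a valid Python expression, so the two parsers
# visibly disagree on it.
SAMPLE_RESPONSE = """\
% Registry comment lines start with a percent sign
Domain Name: example.mobi
Registrar: Example Registrar, Inc.
Updated Date: 2024-01-02T03:04:05Z
Name Server: ns1.example.net
Name Server: ns2.example.net
Registrant Organization: 2 * 21
"""

# One "Key: value" line. Keys are letters, digits, spaces, '/', '_' and '-';
# the value is everything after the first colon.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /_-]*):\s*(.*)$")
MAX_LINE = 1024  # longer lines are dropped rather than parsed


def parse_whois_unsafe(text: str) -> Dict[str, List[object]]:
    """The mistake: "convert" each value by handing it to the interpreter.

    Whoever answers the WHOIS query (including whoever now owns a server
    name the client still points at) decides what runs in this process.
    """
    fields: Dict[str, List[object]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        try:
            parsed = eval(value)  # the bug under discussion
        except Exception:
            parsed = value  # falling back to the string hides the hazard
        fields.setdefault(key, []).append(parsed)
    return fields


def parse_whois_safe(text: str) -> Dict[str, List[str]]:
    """Treat the response as opaque text: fixed grammar, bounded lines,
    values kept as strings. Nothing from the wire reaches an interpreter.
    Repeated keys (Name Server) accumulate into a list in wire order.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if len(line) > MAX_LINE:
            continue  # oversized line: skip it, never "interpret" it
        if line.startswith(("%", "#")):
            continue  # registry comment and notice lines
        m = FIELD_RE.match(line)
        if not m:
            continue  # free text, legal notices, blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        fields.setdefault(key, []).append(value)
    return fields


if __name__ == "__main__":
    # On the constructed sample: unsafe yields [42], safe yields ['2 * 21'].
    print("unsafe:", parse_whois_unsafe(SAMPLE_RESPONSE)["Registrant Organization"])
    print("safe:  ", parse_whois_safe(SAMPLE_RESPONSE)["Registrant Organization"])
```

The point of the safe version is not the regex but the property that the output type is always `str`: a WHOIS client has no legitimate reason to let the registry choose a type, let alone execute anything, so the parser's grammar is the whole trust boundary. The same applies to the shells and template engines the last bullet mentions; the fix is a parser with a fixed grammar, not better escaping before the interpreter call.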

Domain lifecycle and expiration risk

  • Letting important domains expire is widely labeled negligent, especially when used in protocols or tooling.
  • Several argue that once a domain is used in production, you are effectively committed to paying for it “forever,” due to hardcoded references and user expectations.
  • Others point out real-world cases where expired domains were taken over and repurposed (ads, porn, SEO spam), harming reputation and security.

Security philosophy and realism

  • Some claim “there is no such thing as computer security” on the Internet; all connected data should be treated as at least semi-public.
  • Others strongly disagree, arguing that security has improved over decades and that well-run organizations can maintain robust defenses.
  • There is shared concern that threat models are often too optimistic, and that the effort required to break systems is trending down while attack automation rises.