[ARIN-consult] Consultation on ACSP 2018.3

William Herrin bill at herrin.us
Mon Apr 2 13:07:12 EDT 2018


On Mon, Apr 2, 2018 at 9:07 AM, John Curran <jcurran at arin.net> wrote:
> On 2 Apr 2018, at 9:00 AM, frnkblk at iname.com wrote:
>
> There’s been some great discussion on this topic.  I’d like to suggest the
> following approach:
>
> 1. No auto-redirection at this time
> 2. But stop redirecting https://whois.arin.net to http://whois.arin.net/ui/,
> rather redirect them to https://whois.arin.net/ui. If they choose to go to
> the secure site, being redirected to the insecure site does not seem like a
> good idea.
> 3. Make sure that all links from ARIN’s other sites to whois.arin.net are
> referring to the HTTPS one (that may already be the case, but I don’t know)
> 4. Enable HSTS for whois.arin.net – if a web browser hits it intentionally then
> just keep doing it automatically.
> 5. Provide some subtle feedback (perhaps an extra line/bar at the top of the
> page) to those web browsing the HTTP version of whois.arin.net to alert them
> that they are searching in the clear and provide a link to the secure
> version.
> 6. Develop a long-term goal to migrate programmatic access to HTTPS
>
>
>
> All -
>
>    Any specific objections or concerns with ARIN proceeding as proposed
> above?

Hi John,

I agree with points 1, 2, 3 and 5.

I disagree with points 4 and 6 per my analysis here:
http://lists.arin.net/pipermail/arin-consult/2018-March/000969.html

TL;DR: core security principle - don't spend more (directly and
indirectly) protecting something than the value of what you're
protecting. HSTS and migration to HTTPS for whois information violates
this core principle, resulting in worse, not better security.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
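Added example, not part of the thread and not ARIN's code: a small Python audit of the two server behaviours at issue in points 2 and 4 above. It flags an HTTPS request that is redirected to an http:// URL (the downgrade point 2 objects to) and checks that HTTPS responses carry a usable Strict-Transport-Security header with a max-age of at least a year. The "current" and "proposed" responses are constructed test data modelled on the description in the thread, not captures from whois.arin.net; the minimum max-age is an assumed policy value.

```python
"""
Added example (not from the ARIN thread): audit one HTTP response for the
two behaviours discussed above.

  * point 2: a request to https://host must never be redirected to an
    http:// URL (a TLS "downgrade" redirect)
  * point 4: responses served over HTTPS carry a usable
    Strict-Transport-Security (HSTS) header

The sample responses at the bottom are constructed, not real captures.
"""
from urllib.parse import urljoin, urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns {} when the value is unusable (no numeric max-age).
    Directive names are case-insensitive (RFC 6797).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return {}
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return {}
    return result


def audit_response(request_url, status, headers, min_max_age=31536000):
    """Return a list of findings (strings) for one response; [] means clean.

    headers: dict of header name -> value (names compared case-insensitively).
    min_max_age: assumed policy minimum for HSTS max-age (one year here).
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    over_tls = urlsplit(request_url).scheme == "https"

    # Point 2: an HTTPS request must not be bounced to plain HTTP.
    if 300 <= status < 400 and "location" in hdrs:
        # urljoin resolves relative Location values against the request URL
        target = urljoin(request_url, hdrs["location"])
        if over_tls and urlsplit(target).scheme == "http":
            findings.append("downgrade-redirect: %s -> %s" % (request_url, target))

    # Point 4: HSTS only counts when delivered over TLS; browsers ignore it on http://.
    if over_tls:
        hsts = parse_hsts(hdrs.get("strict-transport-security", ""))
        if not hsts:
            findings.append("hsts-missing")
        elif hsts["max_age"] < min_max_age:
            findings.append("hsts-max-age-too-short: %d" % hsts["max_age"])
    return findings


# Constructed sample responses modelled on the thread (not real captures).
CURRENT_BEHAVIOUR = ("https://whois.arin.net/", 302,
                     {"Location": "http://whois.arin.net/ui/"})
PROPOSED_BEHAVIOUR = ("https://whois.arin.net/", 302,
                      {"Location": "https://whois.arin.net/ui",
                       "Strict-Transport-Security":
                           "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, sample in (("current", CURRENT_BEHAVIOUR),
                          ("proposed", PROPOSED_BEHAVIOUR)):
        print(label, audit_response(*sample) or ["ok"])
```

Run against the constructed "current" response it reports both the downgrade redirect and the absent HSTS header; the "proposed" response passes clean. To use it on a live server, feed it the status and headers from any HTTP client without following redirects, since the downgrade is only visible in the first hop.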


