[ARIN-consult] Fwd: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect Whois Queries to Secure URL
Rob Seastrom
rs at seastrom.com
Fri Mar 16 14:23:16 EDT 2018
This service is available over https:// and http:// and includes services that are made available to non-browser libraries (REST) that hopefully handle redirects properly and probably don't have any kind of preserved state that would honor HSTS.
Like Owen, I don't see a security/privacy issue surrounding the data returned by lookups in a public database, though there may be some sensitivity to the lookup having been made at all. Depending on the client and the network there may be concerns (valid or not) about MITM attacks.
The current setup allows the client to make the sole determination as to whether http, https, or https with certificate pinning is appropriate for their application; I believe forcing the issue with a redirect is a step away from goodness.
For context, I am culturally generally in favor of encryption except where there is a good reason not to. I was the originator of https://www.arin.net/participate/acsp/suggestions/2015-2.html and noted at the time the ticket was closed that it was not implemented on whois.arin.net and upon reflection didn't have a problem with it because of the likelihood of unintended consequences.
Opposed to the redirection, and without the redirection HSTS discussions are out of scope.
-r
PS: The overhead of TLS is negligible on modern hardware.
> On Mar 16, 2018, at 1:36 PM, Owen DeLong <owen at delong.com> wrote:
>
> I’m actually opposed to this.
>
> First, whois lookups are a query against a public database. All information in the
> database is currently public, so there is no possibility that the content of a whois
> lookup is sensitive other than, perhaps, the person sending the query wishes their
> query to be unknown. In that case, the person sending the query is fully empowered
> to choose https if desired.
>
> There is no reason to add SSL overhead to all queries just because.
>
> Owen
>
>
>> Begin forwarded message:
>>
>> From: ARIN <info at arin.net>
>> Subject: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect Whois Queries to Secure URL
>> Date: March 16, 2018 at 10:02:16 PDT
>> To: arin-suggestions at arin.net
>>
>> On 14 March 2018, we received a new ACSP 2018.3: Automatically Redirect
>> Whois Queries to Secure URL.
>>
>> https://www.arin.net/participate/acsp/suggestions/2018-3.html
>>
>> Description: It appears possible to go to the insecure version of ARIN's
>> whois by going to http://whois.arin.net. Would ARIN be willing to
>> auto-redirect users to the secure version, https://whois.arin.net, and
>> additionally, consider using HSTS for this site, too?
>>
>> Value to Community: Secures all WHOIS lookups, which could sometimes be
>> potentially sensitive. It's also consistent with what ARIN has done with
>> most of its other public-facing websites.
>>
>> Timeframe: Not specified
>>
>> **
>>
>> We are currently evaluating this suggestion, and will provide a response
>> to the community as soon as it is available.
>>
>>
>> Regards,
>>
>>
>> Communications and Member Services
>> American Registry for Internet Numbers (ARIN)