[ARIN-consult] Fwd: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect Whois Queries to Secure URL

Mel Stotyn Mel.Stotyn at sjrb.ca
Fri Mar 16 15:04:23 EDT 2018


RE MITM attack on http://

If that can be intercepted, then it presumably can also be redirected to a good spoof of https://arin.net complete with a certificate that matches the spoofed site. If one is concerned about the security then the https:// should be chosen explicitly while still under the control of the requestor. Redirect doesn't seem to buy much in this case.

Opposed.

Mel Stotyn

-----Original Message-----
From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of Rob Seastrom
Sent: Friday, March 16, 2018 12:23 PM
To: Owen Delong <owen at delong.com>
Cc: <arin-consult at arin.net> <arin-consult at arin.net>
Subject: Re: [ARIN-consult] Fwd: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect Whois Queries to Secure URL


This service is available over https:// and http:// and includes services that are made available to non-browser libraries (REST) that hopefully handle redirects properly and probably don't have any kind of preserved state that would honor HSTS.

Like Owen, I don't see a security/privacy issue surrounding the data returned by lookups in a public database, though there may be some sensitivity to the lookup having been made at all.  Depending on the client and the network there may be concerns (valid or not) about MITM attacks.

The current setup allows the client to make the sole determination as to whether http, https, or https with certificate pinning is appropriate for their application; I believe forcing the issue with a redirect is a step away from goodness.

For context, I am culturally generally in favor of encryption except where there is a good reason not to.  I was the originator of https://www.arin.net/participate/acsp/suggestions/2015-2.html and noted at the time the ticket was closed that it was not implemented on whois.arin.net and upon reflection didn't have a problem with it because of the likelihood of unintended consequences.

Opposed to the redirection, and without the redirection HSTS discussions are out of scope.

-r

PS:  The overhead of TLS is negligible on modern hardware.


> On Mar 16, 2018, at 1:36 PM, Owen DeLong <owen at delong.com> wrote:
> 
> I’m actually opposed to this.
> 
> First, whois lookups are a query against a public database. All 
> information in the database is currently public, so there is no 
> possibility that the content of a whois lookup is sensitive other 
> than, perhaps, the person sending the query wishes their query to be 
> unknown. In that case, the person sending the query is fully empowered to choose https if desired.
> 
> There is no reason to add SSL overhead to all queries just because.
> 
> Owen
> 
> 
>> Begin forwarded message:
>> 
>> From: ARIN <info at arin.net>
>> Subject: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect 
>> Whois Queries to Secure URL
>> Date: March 16, 2018 at 10:02:16 PDT
>> To: arin-suggestions at arin.net
>> 
>> On 14 March 2018, we received a new ACSP 2018.3: Automatically 
>> Redirect Whois Queries to Secure URL.
>> 
>> https://www.arin.net/participate/acsp/suggestions/2018-3.html
>> 
>> Description: It appears possible to go to the insecure version of 
>> ARIN's whois by going to http://whois.arin.net. Would ARIN be willing 
>> to auto-redirect users to the secure version, https://whois.arin.net, 
>> and additionally, consider using HSTS for this site, too?
>> 
>> Value to Community: Secures all WHOIS lookups, which could sometimes 
>> be potentially sensitive. It's also consistent with what ARIN has 
>> done with most of its other public-facing websites.
>> 
>> Timeframe: Not specified
>> 
>> **
>> 
>> We are currently evaluating this suggestion, and will provide a 
>> response to the community as soon as it is available.
>> 
>> 
>> Regards,
>> 
>> 
>> Communications and Member Services
>> American Registry for Internet Numbers (ARIN)
>> 
>> _______________________________________________
>> arin-suggestions mailing list
>> arin-suggestions at arin.net
>> http://lists.arin.net/mailman/listinfo/arin-suggestions
> 
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN 
> Consult Mailing List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-consult Please contact the 
> ARIN Member Services Help Desk at info at arin.net if you experience any issues.

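The HSTS state Rob describes (kept by browsers, absent from most REST libraries), as an added Python example that is not from this thread or from ARIN: a minimal per-client policy cache that parses Strict-Transport-Security and rewrites later http:// URLs to https:// locally, before anything is sent. A client without such a cache starts every request over plain HTTP, which is the window Mel's MITM point refers to; the host whois.arin.net and the /rest/ip path come from the thread, the max-age values and sample URLs are constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# max-age directive of a Strict-Transport-Security header (RFC 6797); it is mandatory.
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(header):
    """Return (max_age_seconds, include_subdomains), or None if the header is unusable."""
    m = _MAX_AGE.search(header)
    if not m:
        return None  # no max-age: RFC 6797 says ignore the header entirely
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class HstsStore:
    """The per-client policy cache a browser keeps and a stateless REST client lacks."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.hosts = {}         # host -> (expiry_epoch, include_subdomains)

    def remember(self, url, sts_header):
        """Record a policy; only honoured when the header arrived over HTTPS (RFC 6797 8.1)."""
        parts = urlsplit(url)
        parsed = parse_sts(sts_header)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, subs = parsed
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)   # max-age=0 withdraws the policy
        else:
            self.hosts[parts.hostname] = (self.now() + max_age, subs)
        return True

    def is_known(self, host):
        t = self.now()
        return any(expiry > t and (host == known or (subs and host.endswith("." + known)))
                   for known, (expiry, subs) in self.hosts.items())

    def upgrade(self, url):
        """Rewrite http:// to https:// on the client side, before any packet leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """First request has no policy and stays http; after one HTTPS response it is upgraded locally."""
    store = HstsStore()
    first = store.upgrade("http://whois.arin.net/rest/ip/192.0.2.1")      # constructed sample
    store.remember("https://whois.arin.net/", "max-age=31536000; includeSubDomains")
    second = store.upgrade("http://whois.arin.net/rest/ip/192.0.2.1")
    return first, second
```

A server-side 301 without this cache protects none of the repeated plain-HTTP first hops; the cache is what makes the upgrade happen before the network is involved.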