[ARIN-consult] Fwd: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect Whois Queries to Secure URL

David Farmer farmer at umn.edu
Fri Mar 16 23:14:27 EDT 2018


I would like to see HSTS applied to "whois.arin.net"; that way, if you
successfully get to the secure version of the site from an HSTS-supporting
user agent, from then on you will be forced to use the secure version and won't
accidentally (or because of an MITM attack) go to the insecure version in
the future. However, if your user agent doesn't support HTTPS, you should still
be able to get to the insecure site. Therefore, the insecure site should
not automatically redirect to the secure version of the site, as insecure
access to whois.arin.net should (maybe even must) be allowed.

Maybe a compromise would be to have well-known browser user agents
presented with a warning banner that says you are accessing the site
insecurely and secure access is available via a link provided. Then if the
user decides to go to the secure site, they will get an HSTS policy if
their browser supports it. Other user agents (presumably programs accessing
the API) should not get the additional warning banner unless an encryption
status warning flag can be added to the API.

I'll also note all links embedded in response pages seem to point to secure
pages, even with an insecure query. Maybe the links provided to an insecure
query should point to insecure pages.
Also, it seems that "https://whois.arin.net/" redirects you to
"http://whois.arin.net/ui", the insecure site; that redirect should probably
send you to "https://whois.arin.net/ui" instead, the secure site.

To summarize:
1. Insecure access to whois.arin.net should (maybe even must) be maintained.
2. Secure access to whois.arin.net should be augmented with HSTS policy to
prevent MITM attacks for user agents that support HSTS.
3. Secure queries should provide secure responses; vice versa, insecure
queries should provide insecure responses.
4. Possibly a warning banner could be provided when accessing the insecure
site with well-known browsers, allowing users to decide to use the secure
site and possibly get HSTS protections in the future, but by their choice,
not automatically.

Thanks

On Fri, Mar 16, 2018 at 12:36 PM, Owen DeLong <owen at delong.com> wrote:

> I’m actually opposed to this.
>
> First, whois lookups are a query against a public database. All
> information in the
> database is currently public, so there is no possibility that the content
> of a whois
> lookup is sensitive other than, perhaps, the person sending the query
> wishes their
> query to be unknown. In that case, the person sending the query is fully
> empowered
> to choose https if desired.
>
> There is no reason to add SSL overhead to all queries just because.
>
> Owen
>
>
> Begin forwarded message:
>
> From: ARIN <info at arin.net>
> Subject: [ARIN-Suggestions] NEW ACSP 2018.3: Automatically Redirect
> Whois Queries to Secure URL
> Date: March 16, 2018 at 10:02:16 PDT
> To: arin-suggestions at arin.net
>
> On 14 March 2018, we received a new ACSP 2018.3: Automatically Redirect
> Whois Queries to Secure URL.
>
> https://www.arin.net/participate/acsp/suggestions/2018-3.html
>
> Description: It appears possible to go to the insecure version of ARIN's
> whois by going to http://whois.arin.net. Would ARIN be willing
> auto-redirect users to the secure version, https://whois.arin.net, and
> additionally, consider using HSTS for this site, too?
>
> Value to Community: Secures all WHOIS lookups, which could sometimes be
> potentially sensitive. It's also consistent with what ARIN has done with
> most of its other public-facing websites.
>
> Timeframe: Not specified
>
> We are currently evaluating this suggestion, and will provide a response
> to the community as soon as it is available.
>
>
> Regards,
>
>
> Communications and Member Services
> American Registry for Internet Numbers (ARIN)
>



-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
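
Added example (not part of the original message, and not ARIN's code): a small Python audit that checks captured HTTP responses against the behaviour proposed in the message above, namely no forced upgrade from http, no https-to-http redirect, and an HSTS header on https responses. The function names, finding labels and sample response headers are constructed for illustration; only the URLs come from the message.

```python
import re
from urllib.parse import urljoin, urlsplit

def _header(headers, name):
    # Header names are case-insensitive.
    return next((v for k, v in headers.items() if k.lower() == name), None)

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    value = _header(headers, "strict-transport-security")
    for directive in (value or "").split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.I)
        if m:
            return int(m.group(1))
    return None

def audit(responses):
    """responses: list of (request_url, status, headers). Returns (url, finding) pairs."""
    findings = []
    for url, status, headers in responses:
        location = _header(headers, "location")
        redirect = urljoin(url, location) if 300 <= status < 400 and location else None
        target_scheme = urlsplit(redirect).scheme if redirect else None
        if urlsplit(url).scheme == "http":
            if target_scheme == "https":
                findings.append((url, "forced-upgrade"))          # summary point 1
            if hsts_max_age(headers) is not None:
                # RFC 6797: user agents ignore HSTS received over plain HTTP.
                findings.append((url, "hsts-over-http-ignored"))
        else:
            if target_scheme == "http":
                findings.append((url, "downgrade-redirect"))      # summary point 3
            if not hsts_max_age(headers):
                # Missing header, or max-age=0 (which clears a stored policy).
                findings.append((url, "hsts-missing"))            # summary point 2
    return findings

# Constructed sample: mirrors the https -> http redirect reported in the message.
SAMPLE = [
    ("http://whois.arin.net/", 200, {"Content-Type": "text/html"}),
    ("https://whois.arin.net/", 302, {"Location": "http://whois.arin.net/ui"}),
    ("https://whois.arin.net/ui", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{finding:24} {url}")
```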