[ARIN-consult] Consultation on ACSP 2018.3

Ronald F. Guilmette rfg at tristatelogic.com
Wed Mar 28 18:06:51 EDT 2018


In message <d815a3e6-d493-5f13-532b-9f387df0f8a4 at arin.net>, 
John Curran wrote:

>Question:  Should ARIN automatically redirect user Whois queries made
>via "http" to "https"?
>
>Question:  If ARIN redirects http to https requests, should ARIN then
>use HSTS for web-based Whois queries?

It is difficult to evaluate these proposals in the absence of a bit more
context.

Specifically, before responding, I'd like to put my own simple question,
prefixed by what I hope is a rather obvious observation:

EVEN IF my ARIN WHOIS queries were to be protected (from the proverbial
"prying eyes") IN TRANSIT, it is my assumption that somewhere deep
within the bowels of ARIN, a log record is generated, and logged, for
each such query that I perform.  Anyone with the ability to view such
log records has no need to spy on my WHOIS queries while they are in
transit, as they can just as easily view the corresponding log records.
(In fact it would arguably be easier to just look at the log records.
WHOIS queries in transit are ephemeral, while log records are entirely
less so.)

With respect to said log records, I would like to know three things:

    *)  How many people are authorized, specifically, by ARIN, to
        view or access said records?

    *)  What is ARIN's data retention policy with respect to such
        records?

    *)  May either nefarious Russian hackers or the NSA access such
        records, the latter presumably doing so under the auspices of
        a court order or a Presidential finding or directive, secret
        or otherwise?

Speaking as a longtime, constant, and daily user of ARIN WHOIS services, 
I can say that I operate on the basis of assuming the worst at all times,
i.e. that the relevant ARIN log records (a) can be accessed by anyone,
certainly within ARIN staff, and perhaps also by outside contractors
and others, and that (b) ARIN retains copies of all such records forever,
and that (c) unspecified other parties, including but not limited to
law enforcement, the NSA, the CIA, and the occasional foreign hacker
may perhaps be wittingly or unwittingly given access to said records,
by ARIN, either in connection with legal process or otherwise.

That having been said, none of these possibilities keep me up at night.
My hope is that ARIN will not go about, willy nilly, giving data about
my WHOIS queries to the various malefactors who I am gathering data on,
but if they do, there ain't much I can do about it in any event.

The bottom line is that I can easily think of at least a half dozen other
(and far more useful and meaningful) things that I would like to see
ARIN staff spending their limited mental cycles and bandwidth on, rather
than working to secure, in transit, that which will probably never be
entirely secure when it finally arrives at its destination anyway.


Regards,
rfg


