[ARIN-consult] Consultation on ACSP 2018.3

Rob Seastrom rs at seastrom.com
Thu Mar 29 10:23:43 EDT 2018



> On Mar 29, 2018, at 5:44 AM, Job Snijders <job at ntt.net> wrote:
> 
> On Wed, Mar 28, 2018 at 04:33:22PM -0500, David Farmer wrote:
>> On Wed, Mar 28, 2018 at 4:16 PM, ARIN <info at arin.net> wrote:
>>> ...
>>> Question:  Should ARIN automatically redirect user Whois queries made
>>> via "http" to "https"?
>> 
>> No, ARIN should not automatically redirect Whois queries made via
>> "http" to "https". Insecure Whois queries made via "http" need to be
>> allowed.  
> 
> Do you have any supporting arguments for your statement?

Hi Job,

I suppose I wouldn't have any problems with automatic redirects for anything that had a user-agent that looked like a modern browser.

I did a cursory look and couldn't find the slide deck, but my recollection from a presentation by Mark Kosters is that there are a significant number of things hitting the REST interface that are not browsers; they may even outnumber the human visitors - and it's the same host, whois.arin.net.

Neither you nor I have any idea how well those clients will handle redirects and https.  One would earnestly hope that by and large folks are using standard libraries that will magically do the right thing, yet repeated experiences with password hash dumps wherein a homemade (and cryptographically poor) KDF has been employed show that the DIY spirit is alive and well, and I would not expect it to be any different here.

So there's a balance of harms argument to be had: is forcibly encrypting traffic that has historically been of marginal privacy concern worth breaking client software in the field?  Bear in mind that if someone chooses to use https:// then things will be encrypted just fine; there is nothing forcing the client to be unencrypted when they'd rather be encrypted, and deploying HSTS will make modern browser users sticky to https://.

I submit that David has articulated the right balance to strike and that redirects are a poor idea.  If we advertise for some number of years that we're sunsetting non-https access to whois (if events haven't been overtaken by RDAP at that point), then I'll probably feel differently about this.

Note that I'm generally in favor of encryption.  In January 2015 I submitted an ACSP proposal asking for HSTS where practicable and in October 2015 I mentioned at the members' meeting that HSTS on the REST-Whois seemed to have been overlooked (see https://www.rwhois.net/vault/participate/meetings/reports/ARIN_36/mem_transcript.html ).  I'm just not a fan of intentionally breaking things, even if they're crappy software, without a lot of forethought and deliberate intent.

cheers,

-r
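
The trade-off discussed in the message above, as an added example that is not part of the original post or ARIN's configuration: redirect only clients whose User-Agent looks like a modern browser, keep plain http working for everything else, and send HSTS only on https responses. The browser pattern, the `max-age` value, the function names and the sample request path are assumptions.

```python
import re

# Constructed heuristic: engine tokens mainstream browsers send in User-Agent.
# User-Agent is client-supplied, so this is a compatibility hint and not a
# security control; a client that wants encryption simply uses https://.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*(Gecko/|AppleWebKit/|Trident/)")

HSTS_VALUE = "max-age=31536000"  # assumed one-year policy


def looks_like_browser(user_agent):
    """True when the header matches the browser pattern; empty or missing is False."""
    return bool(user_agent and BROWSER_UA.search(user_agent))


def decide(scheme, host, path, user_agent):
    """Return (status, headers) a front end would apply to one request.

    Status 200 means "serve the request as-is on the scheme it arrived on".
    """
    if scheme == "https":
        # RFC 6797: HSTS is sent, and honoured by browsers, only over TLS.
        return 200, {"Strict-Transport-Security": HSTS_VALUE}
    if looks_like_browser(user_agent):
        return 301, {"Location": f"https://{host}{path}"}
    # Non-browser or unknown client: do not gamble on its redirect handling.
    return 200, {}


# Constructed sample User-Agent strings, one per kind of client.
SAMPLES = {
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0",
    "curl": "curl/7.58.0",
    "requests": "python-requests/2.18.4",
    "missing": "",
}


def demo():
    """Status code each sample client gets for a plain-http REST query."""
    path = "/rest/ip/192.0.2.1"  # sample path, documentation address
    return {name: decide("http", "whois.arin.net", path, ua)[0]
            for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} -> {status}")
```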
