[arin-ppml] API Key Security Issue

John Sweeting jsweeting at arin.net
Thu Dec 1 16:36:05 EST 2022


Just wanted to add that given the circumstances ARIN felt it was necessary to warn those using MAIL_FROM validation from publicly published addresses. ARIN is open to receiving suggestions through the ARIN ACSP process if people have other approaches to suggest.

On 12/1/22, 2:37 PM, "ARIN-PPML on behalf of Jon Worley" <arin-ppml-bounces at arin.net on behalf of jonw at arin.net> wrote:

    Hi Frank,

    I'll start by defining "authorized users" as any web user who's linked to a point of contact handle that's specified as an administrative or technical contact on your Org ID.

    The only way to prevent processing of templates (1) and API calls (2) is to make sure no authorized user has an active API key (a shared secret generated and put into the template/call to identify the user). You can't directly do this. You can't view each authorized user and confirm they have no active API keys; you'd have to set a policy that asks that no authorized user has an active API key. There's also no switch to disable API keys. Were you to do this, the only way authorized users could do things would be via the web site (3). Again, though, you'd have to enforce this on your side. That being said, if you trust your authorized users to not create API keys, this would somewhat accomplish what you're asking to do.

    A note: you CAN prevent processing of email templates based solely on MAIL-FROM by asking your authorized users not to add an email address to an active API key. Again, enforced by you. Note also that there's no requirement to have personal contact information publicly visible. You may have all points of contact be role contacts; each user can then link to those role contacts. The web account contact information is not publicly visible.

    There is no way to prevent authorized users from making changes via the web site (3). You'd have to remove them as an authorized user to stop them from making changes via the web. 

    Now, a caveat: we do have contact types other than admin/tech that can restrict authorization. Abuse and NOC contacts are display-only; web users linked only to those contacts cannot do anything other than edit their own contact information. They’re just publicly displayed with your records. We also have routing contacts and DNS contacts which are restricted to actions related to routing (IRR, RPKI, etc) and DNS (rDNS, DNSSEC, etc) respectively. The same restrictions as noted above apply; this just limits the sphere of authorized actions to routing/DNS.

    Hope that answers your questions. We left a message with a callback number in case you want to set up a call to discuss further.

    Thanks & best regards,

    Jon Worley
    Senior Technology Architect
    American Registry for Internet Numbers (ARIN) 

    On 11/30/22, 11:35 AM, "ARIN-PPML on behalf of Frank Bulk" <arin-ppml-bounces at arin.net on behalf of frnkblk at iname.com> wrote:

        We received an email today about the risk of using an email address that is
        publicly visible in WHOIS for our registered MAIL FROM authentication email
        address.

        Is there a way to turn off/turn on the following options:
        1. email templates for changing records
        2. API
        3. ARIN web GUI

        Regards,

        Frank Bulk
        Premier Communications 

        _______________________________________________
        ARIN-PPML
        You are receiving this message because you are subscribed to
        the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
        Unsubscribe or manage your mailing list subscription at:
        https://lists.arin.net/mailman/listinfo/arin-ppml
        Please contact info at arin.net if you experience any issues.

