[arin-tech-discuss] Annoyance on ARIN website w/Firefox

Brian Rak brak at gameservers.com
Wed Mar 7 17:20:51 EST 2012

I'm sure it's a known issue, but I thought I'd report it in case somehow 
noone at ARIN had noticed it.  I don't consider disabling firefox's 
warning about this to be a great solution.  The warning is definitely 
legitimate, if I'm on my bank's site and they serve me a https page, but 
the login goes through http for some reason, I definitely want to be 
notified in that case.

There's definitely plenty of workarounds, but that wasn't really what I 
was looking for.  This really only bugs me when I forget to go to 
whois.arin.net instead of arin.net.

On 3/7/2012 5:10 PM, Drake Pallister wrote:
> Hello Brian,
> If we're talking about the same thing, this issue is known to me, and 
> therefore probably everyone else in the country.
> I don't profess to be an expert on all variations of all browses, But 
> I can show you where this issue is coming from. (If it's what I think 
> you're talking about)
> I get that too--sometimes. (when on ARIN's home page) and performing a 
> lookup of an IP /ASN, or whatever. It's just an extra mouse-click 
> added to your day.
> The ARIN Form's Submit Action is this: (a non-ssl)
> <form action="http://whois.arin.net/ui/query.do" method="post" 
> name="whois_query" class="whoissearch" id="whois_query">
> I'm confident it's a browser based issue, because depending upon what 
> browser I use on which computer. one I.E. doesn't do it and one does. 
> Firefox does depending on how the specific PC's Firefox is set..
> I'd think that ARIN probably wants to have that form submit in a 
> non-ssl mode for whatever reason or other. Or maybe this was never 
> asked before. I tend to believe it's because http://whois.arin.net 
> doesn't accept https:// currently.
> If you're using Firefox browser, open a URL about:config and scroll 
> down to security.warn_submit_insecure which you can toggle true or 
> false. You can also do the same thing in Firefox's Tools/Options menu.
> However this seems global, for all sites. There's no "Exceptions"  Ah, 
> a suggestion to Firefox!
> But anyhow, if you're using Firefox, open up about:config. There is 
> much interesting stuff in there. Also, look for not transmitting the 
> referrer page, which has nothing to do with this subject, but is a 
> concern for many security/privacy-minded Firefox users out there.
> I am assuming you're using firefox, but IE works similar.
> I hope ARIN doesn't bang me for posting a link, but this Mozilla forum 
> posting shows how to do it step by step from the tools/options menu. 
> http://forums.mozillazine.org/viewtopic.php?f=38&t=665552
> If you're doing a lot of lookups then perhaps create a local html page 
> using ARIN's form action.
> Or, via a Linux computer/server, from the command line,  run jwhois 
> foo-bar and you'll get decent results. Naturally your Linux machine 
> needs to have jwhois installed. Most distro's do, but it's not hard to 
> install it either.
> I have also proven that this problem I believe you're having is due to 
> the "form action" causing a transition from SSL to non-ssl by 
> recreating ARIN's form on a single html page. For now, it works fine 
> either directly from my desktop or from a web server. Take a look at 
> this diagnostic html page and judge for yourself. 
> http://www.duraserver.com/arinsearch.html. Use it to run a search for 
> an IP, ASN, POC, or whatever. They've all worked for me. View the page 
> source code, and copy it to your destop if you believe it doesn't 
> violate ARIN in any way. I doubt if it's a violation of any ARIN reg's 
> because all it really does is pre-enter the information to be looked 
> up and sends it to ARIN, from which you'll receive their whois/RWS 
> lookup pages. It would be sort of like a shortcut if you run it from 
> your desktop. If ARIN doesn't want it called directly from the 
> Internet, then they would likely make use of a http_referrer 
> restriction so it could only be accessed from the locations they decide.
> In summary, to get rid of the browser form-submit security warnings 
> from ever happening, then ARIN would need to make the target of the 
> <form action> available via SSL. (Or all browsers would need to allow 
> for specific exemptions for this, on a per-site basis, so you don't 
> have to shut off security settings that you might want when doing 
> online banking, etc.
> I hope I have been of help and hope I'm talking about the same problem 
> you are experiencing.
> Let me know your findings.
> Regards,
> Drake Pallister
> ----- Original Message ----- From: "Brian Rak" <brak at gameservers.com>
> To: <arin-tech-discuss at arin.net>
> Sent: Wednesday, March 07, 2012 1:20 PM
> Subject: [arin-tech-discuss] Annoyance on ARIN website w/Firefox
>> It seems the ARIN website forces https (which is good), but whois 
>> doesn't support https.  So, when you try to use the 'Search WHOIS' 
>> box in the top right, you get a warning:
>> 'Although this page is encrypted, the information you have entered is 
>> to be sent over an unencrypted connection and could easily be read by 
>> a third party.
>> Are you sure you want to continue sending this information?'
>> Is this a known issue?  I guess the only fix would be to make whois 
>> available on https.
>> - Brian Rak
>> _______________________________________________
>> arin-tech-discuss mailing list
>> arin-tech-discuss at arin.net
>> http://lists.arin.net/mailman/listinfo/arin-tech-discuss

More information about the arin-tech-discuss mailing list