[arin-tech-discuss] Annoyance on ARIN website w/Firefox
brak at gameservers.com
Wed Mar 7 17:20:51 EST 2012
I'm sure it's a known issue, but I thought I'd report it in case somehow
noone at ARIN had noticed it. I don't consider disabling firefox's
warning about this to be a great solution. The warning is definitely
legitimate, if I'm on my bank's site and they serve me a https page, but
the login goes through http for some reason, I definitely want to be
notified in that case.
There's definitely plenty of workarounds, but that wasn't really what I
was looking for. This really only bugs me when I forget to go to
whois.arin.net instead of arin.net.
On 3/7/2012 5:10 PM, Drake Pallister wrote:
> Hello Brian,
> If we're talking about the same thing, this issue is known to me, and
> therefore probably everyone else in the country.
> I don't profess to be an expert on all variations of all browses, But
> I can show you where this issue is coming from. (If it's what I think
> you're talking about)
> I get that too--sometimes. (when on ARIN's home page) and performing a
> lookup of an IP /ASN, or whatever. It's just an extra mouse-click
> added to your day.
> The ARIN Form's Submit Action is this: (a non-ssl)
> <form action="http://whois.arin.net/ui/query.do" method="post"
> name="whois_query" class="whoissearch" id="whois_query">
> I'm confident it's a browser based issue, because depending upon what
> browser I use on which computer. one I.E. doesn't do it and one does.
> Firefox does depending on how the specific PC's Firefox is set..
> I'd think that ARIN probably wants to have that form submit in a
> non-ssl mode for whatever reason or other. Or maybe this was never
> asked before. I tend to believe it's because http://whois.arin.net
> doesn't accept https:// currently.
> If you're using Firefox browser, open a URL about:config and scroll
> down to security.warn_submit_insecure which you can toggle true or
> false. You can also do the same thing in Firefox's Tools/Options menu.
> However this seems global, for all sites. There's no "Exceptions" Ah,
> a suggestion to Firefox!
> But anyhow, if you're using Firefox, open up about:config. There is
> much interesting stuff in there. Also, look for not transmitting the
> referrer page, which has nothing to do with this subject, but is a
> concern for many security/privacy-minded Firefox users out there.
> I am assuming you're using firefox, but IE works similar.
> I hope ARIN doesn't bang me for posting a link, but this Mozilla forum
> posting shows how to do it step by step from the tools/options menu.
> If you're doing a lot of lookups then perhaps create a local html page
> using ARIN's form action.
> Or, via a Linux computer/server, from the command line, run jwhois
> foo-bar and you'll get decent results. Naturally your Linux machine
> needs to have jwhois installed. Most distro's do, but it's not hard to
> install it either.
> I have also proven that this problem I believe you're having is due to
> the "form action" causing a transition from SSL to non-ssl by
> recreating ARIN's form on a single html page. For now, it works fine
> either directly from my desktop or from a web server. Take a look at
> this diagnostic html page and judge for yourself.
> http://www.duraserver.com/arinsearch.html. Use it to run a search for
> an IP, ASN, POC, or whatever. They've all worked for me. View the page
> source code, and copy it to your destop if you believe it doesn't
> violate ARIN in any way. I doubt if it's a violation of any ARIN reg's
> because all it really does is pre-enter the information to be looked
> up and sends it to ARIN, from which you'll receive their whois/RWS
> lookup pages. It would be sort of like a shortcut if you run it from
> your desktop. If ARIN doesn't want it called directly from the
> Internet, then they would likely make use of a http_referrer
> restriction so it could only be accessed from the locations they decide.
> In summary, to get rid of the browser form-submit security warnings
> from ever happening, then ARIN would need to make the target of the
> <form action> available via SSL. (Or all browsers would need to allow
> for specific exemptions for this, on a per-site basis, so you don't
> have to shut off security settings that you might want when doing
> online banking, etc.
> I hope I have been of help and hope I'm talking about the same problem
> you are experiencing.
> Let me know your findings.
> Drake Pallister
> ----- Original Message ----- From: "Brian Rak" <brak at gameservers.com>
> To: <arin-tech-discuss at arin.net>
> Sent: Wednesday, March 07, 2012 1:20 PM
> Subject: [arin-tech-discuss] Annoyance on ARIN website w/Firefox
>> It seems the ARIN website forces https (which is good), but whois
>> doesn't support https. So, when you try to use the 'Search WHOIS'
>> box in the top right, you get a warning:
>> 'Although this page is encrypted, the information you have entered is
>> to be sent over an unencrypted connection and could easily be read by
>> a third party.
>> Are you sure you want to continue sending this information?'
>> Is this a known issue? I guess the only fix would be to make whois
>> available on https.
>> - Brian Rak
>> arin-tech-discuss mailing list
>> arin-tech-discuss at arin.net
More information about the arin-tech-discuss