[arin-tech-discuss] Annoyance on ARIN website w/Firefox

Drake Pallister drake.pallister at duraserver.com
Wed Mar 7 17:10:06 EST 2012 

Hello Brian,

If we're talking about the same thing, this issue is known to me, and 
therefore probably everyone else in the country.

I don't profess to be an expert on all variations of all browses, But I can 
show you where this issue is coming from. (If it's what I think you're 
talking about)

I get that too--sometimes. (when on ARIN's home page) and performing a 
lookup of an IP /ASN, or whatever. It's just an extra mouse-click added to 
your day.

The ARIN Form's Submit Action is this: (a non-ssl)
<form action="http://whois.arin.net/ui/query.do" method="post" 
name="whois_query" class="whoissearch" id="whois_query">

I'm confident it's a browser based issue, because depending upon what 
browser I use on which computer. one I.E. doesn't do it and one does. 
Firefox does depending on how the specific PC's Firefox is set..

I'd think that ARIN probably wants to have that form submit in a non-ssl 
mode for whatever reason or other. Or maybe this was never asked before. I 
tend to believe it's because http://whois.arin.net doesn't accept https:// 
currently.

If you're using Firefox browser, open a URL about:config and scroll down to 
security.warn_submit_insecure which you can toggle true or false. You can 
also do the same thing in Firefox's Tools/Options menu.
However this seems global, for all sites. There's no "Exceptions"  Ah, a 
suggestion to Firefox!

But anyhow, if you're using Firefox, open up about:config. There is much 
interesting stuff in there. Also, look for not transmitting the referrer 
page, which has nothing to do with this subject, but is a concern for many 
security/privacy-minded Firefox users out there.

I am assuming you're using firefox, but IE works similar.

I hope ARIN doesn't bang me for posting a link, but this Mozilla forum 
posting shows how to do it step by step from the tools/options menu. 
http://forums.mozillazine.org/viewtopic.php?f=38&t=665552

If you're doing a lot of lookups then perhaps create a local html page using 
ARIN's form action.

Or, via a Linux computer/server, from the command line,  run jwhois foo-bar 
and you'll get decent results. Naturally your Linux machine needs to have 
jwhois installed. Most distro's do, but it's not hard to install it either.

I have also proven that this problem I believe you're having is due to the 
"form action" causing a transition from SSL to non-ssl by recreating ARIN's 
form on a single html page. For now, it works fine either directly from my 
desktop or from a web server. Take a look at this diagnostic html page and 
judge for yourself. http://www.duraserver.com/arinsearch.html. Use it to run 
a search for an IP, ASN, POC, or whatever. They've all worked for me. View 
the page source code, and copy it to your destop if you believe it doesn't 
violate ARIN in any way. I doubt if it's a violation of any ARIN reg's 
because all it really does is pre-enter the information to be looked up and 
sends it to ARIN, from which you'll receive their whois/RWS lookup pages. It 
would be sort of like a shortcut if you run it from your desktop. If ARIN 
doesn't want it called directly from the Internet, then they would likely 
make use of a http_referrer restriction so it could only be accessed from 
the locations they decide.

In summary, to get rid of the browser form-submit security warnings from 
ever happening, then ARIN would need to make the target of the <form action> 
available via SSL. (Or all browsers would need to allow for specific 
exemptions for this, on a per-site basis, so you don't have to shut off 
security settings that you might want when doing online banking, etc.

I hope I have been of help and hope I'm talking about the same problem you 
are experiencing.

Let me know your findings.

Regards,
Drake Pallister


----- Original Message ----- 
From: "Brian Rak" <brak at gameservers.com>
To: <arin-tech-discuss at arin.net>
Sent: Wednesday, March 07, 2012 1:20 PM
Subject: [arin-tech-discuss] Annoyance on ARIN website w/Firefox


> It seems the ARIN website forces https (which is good), but whois doesn't 
> support https.  So, when you try to use the 'Search WHOIS' box in the top 
> right, you get a warning:
>
> 'Although this page is encrypted, the information you have entered is to 
> be sent over an unencrypted connection and could easily be read by a third 
> party.
>
> Are you sure you want to continue sending this information?'
>
> Is this a known issue?  I guess the only fix would be to make whois 
> available on https.
>
> - Brian Rak
> _______________________________________________
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>

More information about the arin-tech-discuss mailing list