[arin-tech-discuss] Annoyance on ARIN website w/Firefox
Drake Pallister
drake.pallister at duraserver.com
Wed Mar 7 17:10:20 EST 2012
Hello Brian,
If we're talking about the same thing, this issue is known to me, and
therefore probably everyone else in the country.
I don't profess to be an expert on all variations of all browses, But I can
show you where this issue is coming from. (If it's what I think you're
talking about)
I get that too--sometimes. (when on ARIN's home page) and performing a
lookup of an IP /ASN, or whatever. It's just an extra mouse-click added to
your day.
The ARIN Form's Submit Action is this: (a non-ssl)
<form action="http://whois.arin.net/ui/query.do" method="post"
name="whois_query" class="whoissearch" id="whois_query">
I'm confident it's a browser based issue, because depending upon what
browser I use on which computer. one I.E. doesn't do it and one does.
Firefox does depending on how the specific PC's Firefox is set..
I'd think that ARIN probably wants to have that form submit in a non-ssl
mode for whatever reason or other. Or maybe this was never asked before. I
tend to believe it's because http://whois.arin.net doesn't accept https://
currently.
If you're using Firefox browser, open a URL about:config and scroll down to
security.warn_submit_insecure which you can toggle true or false. You can
also do the same thing in Firefox's Tools/Options menu.
However this seems global, for all sites. There's no "Exceptions" Ah, a
suggestion to Firefox!
But anyhow, if you're using Firefox, open up about:config. There is much
interesting stuff in there. Also, look for not transmitting the referrer
page, which has nothing to do with this subject, but is a concern for many
security/privacy-minded Firefox users out there.
I am assuming you're using firefox, but IE works similar.
I hope ARIN doesn't bang me for posting a link, but this Mozilla forum
posting shows how to do it step by step from the tools/options menu.
http://forums.mozillazine.org/viewtopic.php?f=38&t=665552
If you're doing a lot of lookups then perhaps create a local html page using
ARIN's form action.
Or, via a Linux computer/server, from the command line, run jwhois foo-bar
and you'll get decent results. Naturally your Linux machine needs to have
jwhois installed. Most distro's do, but it's not hard to install it either.
I have also proven that this problem I believe you're having is due to the
"form action" causing a transition from SSL to non-ssl by recreating ARIN's
form on a single html page. For now, it works fine either directly from my
desktop or from a web server. Take a look at this diagnostic html page and
judge for yourself. http://www.duraserver.com/arinsearch.html. Use it to run
a search for an IP, ASN, POC, or whatever. They've all worked for me. View
the page source code, and copy it to your destop if you believe it doesn't
violate ARIN in any way. I doubt if it's a violation of any ARIN reg's
because all it really does is pre-enter the information to be looked up and
sends it to ARIN, from which you'll receive their whois/RWS lookup pages. It
would be sort of like a shortcut if you run it from your desktop. If ARIN
doesn't want it called directly from the Internet, then they would likely
make use of a http_referrer restriction so it could only be accessed from
the locations they decide.
In summary, to get rid of the browser form-submit security warnings from
ever happening, then ARIN would need to make the target of the <form action>
available via SSL. (Or all browsers would need to allow for specific
exemptions for this, on a per-site basis, so you don't have to shut off
security settings that you might want when doing online banking, etc.
I hope I have been of help and hope I'm talking about the same problem you
are experiencing.
Let me know your findings.
Regards,
Drake Pallister
----- Original Message -----
From: "Brian Rak" <brak at gameservers.com>
To: <arin-tech-discuss at arin.net>
Sent: Wednesday, March 07, 2012 1:20 PM
Subject: [arin-tech-discuss] Annoyance on ARIN website w/Firefox
> It seems the ARIN website forces https (which is good), but whois doesn't
> support https. So, when you try to use the 'Search WHOIS' box in the top
> right, you get a warning:
>
> 'Although this page is encrypted, the information you have entered is to
> be sent over an unencrypted connection and could easily be read by a third
> party.
>
> Are you sure you want to continue sending this information?'
>
> Is this a known issue? I guess the only fix would be to make whois
> available on https.
>
> - Brian Rak
> _______________________________________________
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>
More information about the arin-tech-discuss
mailing list