
[AFRINIC-rpd] whois.afrinic.net leaks passwords

Frank Habicht geier at geier.ne.tz
Wed Nov 21 09:28:37 UTC 2012


I support this.

Personally I hope it won't need a policy.
After all we also don't have a policy to tell AfriNIC to run the whois
service on port 43.
Some technical operations things are just BCP.

Frank


On 11/21/2012 10:53 AM, Guy Antony Halse wrote:
> Hi
> 
> I'm not sure whether this needs to be a formal policy suggestion, or whether
> this is just common sense.
> 
> As things currently stand, whois.afrinic.net leaks authentication
> information in mntner objects.  Given that MD5 is now considered
> compromised[1], this is a bad thing(tm).
> 
> Consider this example from whois.afrinic.net:
> 
>   guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
>   % This is the AfriNIC Whois server.
> 
>   % Note: this output has been filtered.
> 
>   % Information related to 'RHODES-MNT'
> 
>   mntner:         RHODES-MNT
>   descr:          Rhodes University
>   admin-c:        RUAC1-AFRINIC
>   tech-c:         RUTC1-AFRINIC
>   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
>   remarks:        Rhodes University Information Technology Division
>   remarks:        http://www.ru.ac.za/
>   mnt-by:         RHODES-MNT
>   source:         AFRINIC # Filtered
> 
> which leaks an MD5 password in the auth: attribute.
> 
> Then consider RIPE's output for the equivalent object:
> 
>   guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
>   % This is the RIPE Database query service.
>   % The objects are in RPSL format.
>   %
>   % The RIPE Database is subject to Terms and Conditions.
>   % See http://www.ripe.net/db/support/db-terms-conditions.pdf
> 
>   % Note: this output has been filtered.
>   %       To receive output for a database update, use the "-B" flag.
> 
>   % Information related to 'RHODES-MNT'
> 
>   mntner:         RHODES-MNT
>   descr:          Rhodes University
>   remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
>   admin-c:        RUZA1-RIPE
>   admin-c:        RUZA1-RIPE
>   auth:           MD5-PW # Filtered
>   mnt-by:         RHODES-MNT
>   referral-by:    RHODES-MNT
>   remarks:        Accepted the RIPE Database Terms and Conditions
>   source:         RIPE # Filtered
> 
>   % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
> 
> which filters the auth: attribute to remove the MD5 password string, while
> still maintaining sufficient information to let me know that the object is
> password protected and indeed has an MD5 password.
> 
> I would strongly suggest that AfriNIC should be following RIPE's example,
> and filtering the auth: attribute of the mntner object in WHOIS output.
> 
> Can someone from AfriNIC comment?  If this needs to be a formal policy
> proposal, I'm happy to put one together.
> 
> - Guy
> 
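
Added example, not part of either message in this thread and not AfriNIC's or RIPE's code: a sketch of the output filtering proposed above, plus an audit check that flags auth: lines still exposing a hash. The function names, the sample object and the rule that any scheme ending in -PW carries a password hash are assumptions of this example.

```python
import re

# Matches an RPSL "auth:" attribute whose scheme ends in -PW (e.g. MD5-PW)
# followed by a value. Treating every *-PW scheme as a password hash is an
# assumption of this example; the thread shows only MD5-PW.
AUTH_PW = re.compile(r"^(\s*auth:\s+)([A-Z0-9]+-PW)[ \t]+(\S.*)$", re.IGNORECASE)
SOURCE = re.compile(r"^(\s*source:\s+)(\S+)[ \t]*(#.*)?$", re.IGNORECASE)
MARK = "# Filtered"

def filter_object(text):
    """Return the object with password hashes replaced by the filter marker."""
    out, redacted = [], False
    for line in text.splitlines():
        m = AUTH_PW.match(line)
        if m and not m.group(3).startswith("#"):
            line = f"{m.group(1)}{m.group(2)} {MARK}"  # keep scheme, drop hash
            redacted = True
        out.append(line)
    if redacted:
        # Tag the source: line so clients can tell the object is incomplete.
        out = [SOURCE.sub(lambda s: f"{s.group(1)}{s.group(2)} {MARK}", l) for l in out]
    return "\n".join(out)

def leaked_auth_lines(text):
    """List auth: lines that still expose a hash (audit check on whois output)."""
    hits = []
    for line in text.splitlines():
        m = AUTH_PW.match(line)
        if m and not m.group(3).startswith("#"):
            hits.append(line.strip())
    return hits

# Constructed sample object (not real data); the hash value is a placeholder.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Example Organisation
auth:           MD5-PW $1$CONSTRUCT$placeholderHashValue000
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE-MNT
source:         AFRINIC"""

if __name__ == "__main__":
    print(filter_object(SAMPLE))
    print(leaked_auth_lines(SAMPLE))
```

The key-reference line (PGPKEY-) is left untouched because it names a public key rather than carrying a secret.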



