Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[AFRINIC-rpd] whois.afrinic.net leaks passwords

Mark Elkins mje at posix.co.za
Wed Nov 21 09:43:01 UTC 2012 

I'd support that - BCP.

On Wed, 2012-11-21 at 12:28 +0300, Frank Habicht wrote:
> I support this.
> 
> Personally I hope it won't need a policy.
> After all we also don't have a policy to tell AfriNIC to run the whois
> service on port 43.
> Some technical operations things are just BCP.
> 
> Frank
> 
> 
> On 11/21/2012 10:53 AM, Guy Antony Halse wrote:
> > Hi
> > 
> > I'm not sure whether this needs to be a formal policy suggestion, or whether
> > this is just common sense.
> > 
> > As things currently stand, whois.afrinic.net leaks authentication
> > information in mntner objects.  Given that MD5 is now considered
> > compromised[1], this is a bad thing(tm).
> > 
> > Consider this example from whois.afrinic.net:
> > 
> >   guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
> >   % This is the AfriNIC Whois server.
> > 
> >   % Note: this output has been filtered.
> > 
> >   % Information related to 'RHODES-MNT'
> > 
> >   mntner:         RHODES-MNT
> >   descr:          Rhodes University
> >   admin-c:        RUAC1-AFRINIC
> >   tech-c:         RUTC1-AFRINIC
> >   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
> >   remarks:        Rhodes University Information Technology Division
> >   remarks:        http://www.ru.ac.za/
> >   mnt-by:         RHODES-MNT
> >   source:         AFRINIC # Filtered
> > 
> > which leaks an MD5 password in the auth: attribute.
> > 
> > Then consider RIPE's output for the equivelent object:
> > 
> >   guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
> >   % This is the RIPE Database query service.
> >   % The objects are in RPSL format.
> >   %
> >   % The RIPE Database is subject to Terms and Conditions.
> >   % See http://www.ripe.net/db/support/db-terms-conditions.pdf
> > 
> >   % Note: this output has been filtered.
> >   %       To receive output for a database update, use the "-B" flag.
> > 
> >   % Information related to 'RHODES-MNT'
> > 
> >   mntner:         RHODES-MNT
> >   descr:          Rhodes University
> >   remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
> >   admin-c:        RUZA1-RIPE
> >   admin-c:        RUZA1-RIPE
> >   auth:           MD5-PW # Filtered
> >   mnt-by:         RHODES-MNT
> >   referral-by:    RHODES-MNT
> >   remarks:        Accepted the RIPE Database Terms and Conditions
> >   source:         RIPE # Filtered
> > 
> >   % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
> > 
> > which filters the auth: attribute to remove the MD5 password string, while
> > still maintaining sufficient information to let me know that the object is
> > password protected and indeed has an MD5 password.
> > 
> > I would strongly suggest that AfriNIC should be following RIPE's example,
> > and filtering the auth: attribute of the mntner object in WHOIS output.
> > 
> > Can someone from AfriNIC comment.  If this needs to be a formal policy
> > proposal, I'm happy to put one together.
> > 
> > - Guy
> > 
> 
> _______________________________________________
> rpd mailing list
> rpd at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/rpd

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6147 bytes
Desc: not available
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20121121/e79e3d0b/attachment.bin>

More information about the RPD mailing list