[AFRINIC-rpd] whois.afrinic.net leaks passwords

jrhountomey at gmail.com jrhountomey at gmail.com
Wed Nov 21 10:04:10 UTC 2012


I support the idea of bcp

On Nov 21, 2012, at 3:52 AM, Douglas Onyango <ondouglas at gmail.com> wrote:

> I agree with Frank here: a policy shouldn't be required as this is an implementation detail.
> 
> AfriNic should take this issue up and resolve it in line with whatever incident and/or change mgt process they have in place.
> 
> Regards,
> On Nov 21, 2012 12:34 PM, "Frank Habicht" <geier at geier.ne.tz> wrote:
> >
> > I support this.
> >
> > Personally I hope it won't need a policy.
> > After all we also don't have a policy to tell AfriNIC to run the whois
> > service on port 43.
> > Some technical operations things are just BCP.
> >
> > Frank
> >
> >
> > On 11/21/2012 10:53 AM, Guy Antony Halse wrote:
> > > Hi
> > >
> > > I'm not sure whether this needs to be a formal policy suggestion, or whether
> > > this is just common sense.
> > >
> > > As things currently stand, whois.afrinic.net leaks authentication
> > > information in mntner objects.  Given that MD5 is now considered
> > > compromised[1], this is a bad thing(tm).
> > >
> > > Consider this example from whois.afrinic.net:
> > >
> > >   guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
> > >   % This is the AfriNIC Whois server.
> > >
> > >   % Note: this output has been filtered.
> > >
> > >   % Information related to 'RHODES-MNT'
> > >
> > >   mntner:         RHODES-MNT
> > >   descr:          Rhodes University
> > >   admin-c:        RUAC1-AFRINIC
> > >   tech-c:         RUTC1-AFRINIC
> > >   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
> > >   remarks:        Rhodes University Information Technology Division
> > >   remarks:        http://www.ru.ac.za/
> > >   mnt-by:         RHODES-MNT
> > >   source:         AFRINIC # Filtered
> > >
> > > which leaks an MD5 password in the auth: attribute.
> > >
> > > Then consider RIPE's output for the equivalent object:
> > >
> > >   guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
> > >   % This is the RIPE Database query service.
> > >   % The objects are in RPSL format.
> > >   %
> > >   % The RIPE Database is subject to Terms and Conditions.
> > >   % See http://www.ripe.net/db/support/db-terms-conditions.pdf
> > >
> > >   % Note: this output has been filtered.
> > >   %       To receive output for a database update, use the "-B" flag.
> > >
> > >   % Information related to 'RHODES-MNT'
> > >
> > >   mntner:         RHODES-MNT
> > >   descr:          Rhodes University
> > >   remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
> > >   admin-c:        RUZA1-RIPE
> > >   admin-c:        RUZA1-RIPE
> > >   auth:           MD5-PW # Filtered
> > >   mnt-by:         RHODES-MNT
> > >   referral-by:    RHODES-MNT
> > >   remarks:        Accepted the RIPE Database Terms and Conditions
> > >   source:         RIPE # Filtered
> > >
> > >   % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
> > >
> > > which filters the auth: attribute to remove the MD5 password string, while
> > > still maintaining sufficient information to let me know that the object is
> > > password protected and indeed has an MD5 password.
> > >
> > > I would strongly suggest that AfriNIC should be following RIPE's example,
> > > and filtering the auth: attribute of the mntner object in WHOIS output.
> > >
> > > Can someone from AfriNIC comment?  If this needs to be a formal policy
> > > proposal, I'm happy to put one together.
> > >
> > > - Guy
> > >
> >
> _______________________________________________
> rpd mailing list
> rpd at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/rpd
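
The output filtering requested in the thread, as an added example (not code from the thread, AfriNIC or RIPE): it replaces the hash in password-type auth: attributes with "# Filtered", the form RIPE's output above shows, and keeps the scheme name. The sample object, its hash values and the function names are constructed; treating any scheme ending in "-PW" as password-based, leaving PGPKEY- references untouched, and dropping RPSL continuation lines after a redacted attribute are assumptions.

```python
import re

# Password-based schemes (e.g. MD5-PW) carry a crackable hash in the value.
# The scheme name is kept so readers still see the object is password protected.
AUTH_RE = re.compile(r"^(auth:\s*)(\S+-PW)\b.*$", re.IGNORECASE)

def filter_auth(rpsl: str) -> str:
    """Return the RPSL text with hashes removed from password auth: attributes."""
    out = []
    dropping = False  # True while skipping continuation lines of a redacted auth:
    for line in rpsl.splitlines():
        # RPSL continuation lines start with a space, a tab or '+'.
        if dropping and line[:1] in (" ", "\t", "+"):
            continue  # the hash may have been wrapped onto this line
        dropping = False
        m = AUTH_RE.match(line)
        if m:
            out.append(f"{m.group(1)}{m.group(2)} # Filtered")
            dropping = True
        else:
            out.append(line)
    return "\n".join(out)

def find_leaks(rpsl: str) -> list[str]:
    """Password auth: lines that are not in filtered form (regression check)."""
    return [line for line in rpsl.splitlines()
            if (m := AUTH_RE.match(line))
            and line != f"{m.group(1)}{m.group(2)} # Filtered"]

# Constructed sample object; the hash strings are filler, not real hashes.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Constructed example object
auth:           MD5-PW $1$CONSTRUC$notARealHashJustFiller0
auth:           PGPKEY-0BADC0DE
auth:           MD5-PW
+               $1$CONSTRUC$anotherFillerValue00000
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE"""

if __name__ == "__main__":
    print(filter_auth(SAMPLE))
    print("unfiltered auth lines before:", len(find_leaks(SAMPLE)))
    print("unfiltered auth lines after: ", len(find_leaks(filter_auth(SAMPLE))))
```

Running find_leaks over responses captured from a public query interface gives a simple check that the filter is actually applied on output.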