[AFRINIC-rpd] whois.afrinic.net leaks passwords
Adiel Akplogan
adiel at afrinic.net
Thu Nov 22 05:50:57 UTC 2012
Hello Guy-Antony,
Thanks for pointing this out.
We are aware of the issue and actually looking into options that
can be implemented to properly address it. A presentation will
be delivered on it during AFRINIC-17 in Khartoum.
Our thinking is around a) Encouraging people to use PGP or X.509
instead of MD-5 b) Doing what you are suggesting and filtering
out the MD-5 encrypted password while displaying mntner queries
output, and/or c) gradually phase out MD-5 completely to only allow
PGP and X.509. In my sense a combination of (b) and (c) could be
the appropriate way to handle this for the long term.
While we consider this as an operational issue to some extent, I'm
interested to know what is the community's take on phasing out MD-5
completely.
In any case people currently have the choice to use PGP or X.509
instead of MD-5 as authentication method for their mntner objects.
Thanks.
- a.
On 2012-11-21, at 11:53 AM, Guy Antony Halse <G.halse at ru.ac.za> wrote:
> Hi
>
> I'm not sure whether this needs to be a formal policy suggestion, or whether
> this is just common sense.
>
> As things currently stand, whois.afrinic.net leaks authentication
> information in mntner objects. Given that MD5 is now considered
> compromised[1], this is a bad thing(tm).
>
> Consider this example from whois.afrinic.net:
>
> guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
> % This is the AfriNIC Whois server.
>
> % Note: this output has been filtered.
>
> % Information related to 'RHODES-MNT'
>
> mntner: RHODES-MNT
> descr: Rhodes University
> admin-c: RUAC1-AFRINIC
> tech-c: RUTC1-AFRINIC
> auth: MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
> remarks: Rhodes University Information Technology Division
> remarks: http://www.ru.ac.za/
> mnt-by: RHODES-MNT
> source: AFRINIC # Filtered
>
> which leaks an MD5 password in the auth: attribute.
>
> Then consider RIPE's output for the equivalent object:
>
> guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to 'RHODES-MNT'
>
> mntner: RHODES-MNT
> descr: Rhodes University
> remarks: see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
> admin-c: RUZA1-RIPE
> admin-c: RUZA1-RIPE
> auth: MD5-PW # Filtered
> mnt-by: RHODES-MNT
> referral-by: RHODES-MNT
> remarks: Accepted the RIPE Database Terms and Conditions
> source: RIPE # Filtered
>
> % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
>
> which filters the auth: attribute to remove the MD5 password string, while
> still maintaining sufficient information to let me know that the object is
> password protected and indeed has an MD5 password.
>
> I would strongly suggest that AfriNIC should be following RIPE's example,
> and filtering the auth: attribute of the mntner object in WHOIS output.
>
> Can someone from AfriNIC comment? If this needs to be a formal policy
> proposal, I'm happy to put one together.
>
> - Guy
> --
> Manager: Systems, IT Division, Rhodes University, Grahamstown, South Africa
> Email: G.Halse at ru.ac.za Web: http://mombe.org/ IRC: rm-rf at irc.atrum.org
> *** ANSI Standard Disclaimer *** J.A.P.H
>
> [1] http://www.kb.cert.org/vuls/id/836068
> _______________________________________________
> rpd mailing list
> rpd at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/rpd
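
Added example (not part of the original thread, and not AfriNIC's or RIPE's code): a sketch of the output filter proposed above, which strips the hash from auth: attributes in whois output while keeping the scheme name visible, in the style of the RIPE output quoted in the message. The function names, the matching of any scheme ending in -PW, and the sample object with its placeholder hash are assumptions made for illustration.

```python
import re

# An auth: value whose scheme ends in -PW carries a password hash (MD5-PW is
# the scheme on this page; matching any *-PW scheme is an assumption).
AUTH_PW = re.compile(r"^(auth:\s*)([A-Za-z0-9]+-PW)\b.*$", re.IGNORECASE)
SOURCE = re.compile(r"^(source:\s*\S+)(.*)$", re.IGNORECASE)
MARK = "# Filtered"

def filter_object(lines):
    """Redact password hashes in one RPSL object given as a list of lines."""
    out, redacted, skipping = [], 0, False
    for line in lines:
        # RPSL continuation lines start with space, tab or '+'; drop any
        # that belong to an auth: value that was just redacted.
        if skipping and line[:1] in (" ", "\t", "+"):
            continue
        skipping = False
        m = AUTH_PW.match(line)
        if m:
            out.append(f"{m.group(1)}{m.group(2).upper()} {MARK}")
            redacted += 1
            skipping = True
        else:
            out.append(line)
    if redacted:
        # Flag the object as filtered on its source: line, exactly once.
        out = [SOURCE.sub(lambda s: f"{s.group(1)} {MARK}", l) for l in out]
    return out, redacted

def filter_whois(text):
    """Filter every blank-line-separated object; return (text, auth lines filtered)."""
    total, blocks = 0, []
    for block in text.split("\n\n"):
        lines, n = filter_object(block.split("\n"))
        total += n
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks), total

# Constructed sample object; the hash is a placeholder, not a real credential.
SAMPLE = """% Information related to 'EXAMPLE-MNT'

mntner:         EXAMPLE-MNT
descr:          Example Org
auth:           MD5-PW $1$CONSTRUCT$placeholderhashvalue000
auth:           PGPKEY-00000000
mnt-by:         EXAMPLE-MNT
source:         AFRINIC
"""
```

The PGPKEY line passes through unchanged because a key reference is not a secret; only the password hash is withheld.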