
[AFRINIC-rpd] whois.afrinic.net leaks passwords

Sunday Folayan sfolayan at gmail.com
Thu Nov 22 06:18:54 UTC 2012


Hi Adiel,

Filter the display of the MD5 password immediately per BCP. Whether to 
use other passwords can be discussed in Khartoum, but let the filter be 
done ASAP.

In complex statement notation: With Whois do b, then a and/or c in any 
order.

Thanks.

Sunday.

On 22/11/2012 06:50, Adiel Akplogan wrote:
> Hello Guy-Antony,
>
> Thanks for pointing this out.
>
> We are aware of the issue and actually looking into options that
> can be implemented to properly address it. A presentation will
> be delivered on it during AFRINIC-17 in Khartoum.
>
> Our thinking is around a) Encouraging people to use PGP or X.509
> instead of MD-5 b) Doing what you are suggesting and filter
> out the MD-5 encrypted password while displaying mntner queries
> output, and/or c) gradually phase out MD-5 completely to only allow
> PGP and X.509. In my sense a combination of (b) and (c) could be
> the appropriate way to handle this for the long term.
>
> While we consider this as an operational issue to some extent, I'm
> interested to know what the community's take is on phasing out MD-5
> completely.
>
> In any case people currently have the choice to use PGP or X.509
> instead of MD-5 as authentication method for their mntner objects.
>   
> Thanks.
>
> - a.
>
>
> On 2012-11-21, at 11:53 AM, Guy Antony Halse <G.halse at ru.ac.za> wrote:
>
>> Hi
>>
>> I'm not sure whether this needs to be a formal policy suggestion, or whether
>> this is just common sense.
>>
>> As things currently stand, whois.afrinic.net leaks authentication
>> information in mntner objects.  Given that MD5 is now considered
>> compromised[1], this is a bad thing(tm).
>>
>> Consider this example from whois.afrinic.net:
>>
>>   guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
>>   % This is the AfriNIC Whois server.
>>
>>   % Note: this output has been filtered.
>>
>>   % Information related to 'RHODES-MNT'
>>
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   admin-c:        RUAC1-AFRINIC
>>   tech-c:         RUTC1-AFRINIC
>>   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
>>   remarks:        Rhodes University Information Technology Division
>>   remarks:        http://www.ru.ac.za/
>>   mnt-by:         RHODES-MNT
>>   source:         AFRINIC # Filtered
>>
>> which leaks an MD5 password in the auth: attribute.
>>
>> Then consider RIPE's output for the equivalent object:
>>
>>   guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
>>   % This is the RIPE Database query service.
>>   % The objects are in RPSL format.
>>   %
>>   % The RIPE Database is subject to Terms and Conditions.
>>   % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>>
>>   % Note: this output has been filtered.
>>   %       To receive output for a database update, use the "-B" flag.
>>
>>   % Information related to 'RHODES-MNT'
>>
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
>>   admin-c:        RUZA1-RIPE
>>   admin-c:        RUZA1-RIPE
>>   auth:           MD5-PW # Filtered
>>   mnt-by:         RHODES-MNT
>>   referral-by:    RHODES-MNT
>>   remarks:        Accepted the RIPE Database Terms and Conditions
>>   source:         RIPE # Filtered
>>
>>   % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
>>
>> which filters the auth: attribute to remove the MD5 password string, while
>> still maintaining sufficient information to let me know that the object is
>> password protected and indeed has an MD5 password.
>>
>> I would strongly suggest that AfriNIC should be following RIPE's example,
>> and filtering the auth: attribute of the mntner object in WHOIS output.
>>
>> Can someone from AfriNIC comment.  If this needs to be a formal policy
>> proposal, I'm happy to put one together.
>>
>> - Guy
>> -- 
>> Manager: Systems, IT Division, Rhodes University, Grahamstown, South Africa
>> Email: G.Halse at ru.ac.za   Web: http://mombe.org/   IRC: rm-rf at irc.atrum.org
>> *** ANSI Standard Disclaimer ***                                    J.A.P.H
>>
>> [1] http://www.kb.cert.org/vuls/id/836068
>> _______________________________________________
>> rpd mailing list
>> rpd at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo.cgi/rpd


-- 
--------------------------------------------------------
Sunday Adekunle Folayan
     blog: http://www.sundayfolayan.name.ng
    email: sfolayan at skannet.com.ng, sfolayan at gmail.com
    phone: +234-802-291-2202
    skype: sfolayan
     fcbk: www.facebook.com/sfolayan
    tweet: sfolayan
linkedin: sfolayan
---------------------------------------------------------
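
The output filtering discussed in this thread (option b, matching the `auth:           MD5-PW # Filtered` line in RIPE's output), as an added example that is not part of the original messages and is not AfriNIC's or RIPE's code. The function name, the sample object and its hash values are constructed, and treating every `*-PW` scheme as a password hash is an assumption that generalises the MD5-PW case.

```python
import re

# Schemes whose value is a password hash. PGPKEY-/X509- values are key
# references and stay visible. Matching any "*-PW" scheme is an assumption
# that generalises the MD5-PW case from the thread.
_AUTH_LINE = re.compile(r"^(auth:\s*)(\S+-PW)\b.*$", re.IGNORECASE)

# Constructed sample object; the hash strings are placeholders, not real hashes.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Constructed example maintainer
auth:           MD5-PW $1$EXAMPLE0$NotARealHash0000000000
auth:           md5-pw $1$EXAMPLE1$
+               NotARealHashContinuation
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE # Filtered"""


def filter_mntner(rpsl_text: str) -> str:
    """Return whois output with password hashes removed from auth: lines."""
    out = []
    redacting = False  # True while inside an auth: attribute that was redacted
    for line in rpsl_text.splitlines():
        m = _AUTH_LINE.match(line)
        if m:
            # Keep the scheme name so the reader still sees that the object
            # is password protected, but drop the hash itself.
            out.append(f"{m.group(1)}{m.group(2).upper()} # Filtered")
            redacting = True
            continue
        # RPSL continuation lines start with space, tab or '+'. Drop them
        # when they continue a value that was just redacted, so a wrapped
        # hash cannot leak through.
        if redacting and line[:1] in (" ", "\t", "+"):
            continue
        redacting = False
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(filter_mntner(SAMPLE))
```
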
