[AFRINIC-rpd] whois.afrinic.net leaks passwords

Viv Padayatchy viv.padayatchy at cybernaptics.mu
Thu Nov 22 14:00:58 UTC 2012


I agree with Sunday.

Let's fix the anomaly first. For the rest, we have more time to
discuss...and debate!

Thanks to Guy for pointing this out btw.

Rgds

Viv


-----Original Message-----
From: rpd-bounces at afrinic.net [mailto:rpd-bounces at afrinic.net] On Behalf Of Sunday Folayan
Sent: 22 November 2012 10:19
To: rpd at afrinic.net
Subject: Re: [AFRINIC-rpd] whois.afrinic.net leaks passwords

Hi Adiel,

Filter the display of the MD5 password immediately per BCP. Whether to use
other passwords can be discussed in Khartoum, but let the filter be done
ASAP.

In complex statement notation: With Whois do b, then a and/or c in any
order.

Thanks.

Sunday.

On 22/11/2012 06:50, Adiel Akplogan wrote:
> Hello Guy-Antony,
>
> Thanks for pointing this out.
>
> We are aware of the issue and actually looking into options that can 
> be implemented to properly address it. A presentation will be delivered 
> on it during AFRINIC-17 in Khartoum.
>
> Our thinking is around a) Encouraging people to use PGP or X.509 
> instead of MD-5 b) Doing what you are suggesting and filter out the 
> MD-5 encrypted password while displaying mntner queries output, and/or 
> c) gradually phase out MD-5 completely to only allow PGP and X.509. In 
> my sense a combination of (b) and (c) could be the appropriate way to 
> handle this for the long term.
>
> While we consider this as an operational issue to some extent, I'm 
> interested to know what is the community take on phasing out MD-5 
> completely.
>
> In any case people currently have the choice to use PGP or X.509 
> instead of MD-5 as authentication method for their mntner objects.
>   
> Thanks.
>
> - a.
>
>
> On 2012-11-21, at 11:53 AM, Guy Antony Halse <G.halse at ru.ac.za> wrote:
>
>> Hi
>>
>> I'm not sure whether this needs to be a formal policy suggestion, or 
>> whether this is just common sense.
>>
>> As things currently stand, whois.afrinic.net leaks authentication 
>> information in mntner objects.  Given that MD5 is now considered 
>> compromised[1], this is a bad thing(tm).
>>
>> Consider this example from whois.afrinic.net:
>>
>>   guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
>>   % This is the AfriNIC Whois server.
>>
>>   % Note: this output has been filtered.
>>
>>   % Information related to 'RHODES-MNT'
>>
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   admin-c:        RUAC1-AFRINIC
>>   tech-c:         RUTC1-AFRINIC
>>   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
>>   remarks:        Rhodes University Information Technology Division
>>   remarks:        http://www.ru.ac.za/
>>   mnt-by:         RHODES-MNT
>>   source:         AFRINIC # Filtered
>>
>> which leaks an MD5 password in the auth: attribute.
>>
>> Then consider RIPE's output for the equivalent object:
>>
>>   guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
>>   % This is the RIPE Database query service.
>>   % The objects are in RPSL format.
>>   %
>>   % The RIPE Database is subject to Terms and Conditions.
>>   % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>>
>>   % Note: this output has been filtered.
>>   %       To receive output for a database update, use the "-B" flag.
>>
>>   % Information related to 'RHODES-MNT'
>>
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
>>   admin-c:        RUZA1-RIPE
>>   admin-c:        RUZA1-RIPE
>>   auth:           MD5-PW # Filtered
>>   mnt-by:         RHODES-MNT
>>   referral-by:    RHODES-MNT
>>   remarks:        Accepted the RIPE Database Terms and Conditions
>>   source:         RIPE # Filtered
>>
>>   % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)
>>
>> which filters the auth: attribute to remove the MD5 password string, 
>> while still maintaining sufficient information to let me know that 
>> the object is password protected and indeed has an MD5 password.
>>
>> I would strongly suggest that AfriNIC should be following RIPE's 
>> example, and filtering the auth: attribute of the mntner object in WHOIS
>> output.
>>
>> Can someone from AfriNIC comment.  If this needs to be a formal 
>> policy proposal, I'm happy to put one together.
>>
>> - Guy
>> --
>> Manager: Systems, IT Division, Rhodes University, Grahamstown, South Africa
>> Email: G.Halse at ru.ac.za   Web: http://mombe.org/   IRC: rm-rf at irc.atrum.org
>> *** ANSI Standard Disclaimer ***   J.A.P.H
>>
>> [1] http://www.kb.cert.org/vuls/id/836068
>> _______________________________________________
>> rpd mailing list
>> rpd at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo.cgi/rpd


--
--------------------------------------------------------
Sunday Adekunle Folayan
     blog: http://www.sundayfolayan.name.ng
    email: sfolayan at skannet.com.ng, sfolayan at gmail.com
    phone: +234-802-291-2202
    skype: sfolayan
     fcbk: www.facebook.com/sfolayan
    tweet: sfolayan
linkedin: sfolayan
---------------------------------------------------------
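
The output filter discussed in this thread (option b, matching the RIPE behaviour quoted above), as an added example that is not part of the original messages and is not AfriNIC's or RIPE's code. The function names, the `EXAMPLE-MNT` object and its hash are constructed for illustration; the filter also drops RPSL continuation lines so a wrapped hash cannot slip through.

```python
import re

# auth: schemes whose value is a password hash and must not be displayed.
# PGPKEY-<id> and X509-<n> only reference public key material, so they pass.
HASHED_SCHEMES = ("MD5-PW",)
ATTR = re.compile(r"^([A-Za-z0-9-]+):(\s*)(.*)$")


def filter_auth(rpsl_text):
    """Return the object text with password hashes in auth: replaced."""
    out, dropping = [], False
    for line in rpsl_text.splitlines():
        # RPSL continuation lines start with space, tab or '+'.
        if line[:1] in (" ", "\t", "+"):
            if not dropping:
                out.append(line)
            continue
        dropping = False
        m = ATTR.match(line)
        if m and m.group(1).lower() == "auth":
            parts = m.group(3).split(None, 1)
            scheme = parts[0].upper() if parts else ""
            if scheme in HASHED_SCHEMES:
                out.append(f"auth:{m.group(2)}{scheme} # Filtered")
                dropping = True  # swallow any continuation of the hash
                continue
        out.append(line)
    return "\n".join(out)


def leaked_hashes(rpsl_text):
    """Audit helper: hash values still visible in auth: attributes."""
    pat = re.compile(r"^auth:[ \t]*MD5-PW[ \t]+([^#\s]\S*)", re.I | re.M)
    return [m.group(1) for m in pat.finditer(rpsl_text)]


# Constructed sample object; the hash is a made-up placeholder.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Example Org
auth:           MD5-PW $1$CONSTRUC$TEDplaceholderHASH0000
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE"""

if __name__ == "__main__":
    print(filter_auth(SAMPLE))
```

Running `leaked_hashes` over the filtered text gives a quick regression check that no query path returns the hash.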
