ARO Security

Eric Oosting eric.oosting at gmail.com
Mon May 18 19:59:49 UTC 2015


On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
nicholas.schmidt at controlgroup.com> wrote:

> I can't find a way to reach out to whoever manages ARO directly so I figure
> it would be best to publish this to the list.
>

Nicholas,

It's normally a good idea to email any questions you have to
nanog-support at nanog.org. They should always get you an answer or point you
in the correct direction.

> We are a group of network operators who are failing at enforcing extremely
> basic security in our own applications.
>
> 1.) Retrieving an ARO password sends a plain text email of your current
> password. I'm sure this is minor as it's just ARO and none of us would ever
> re-use a password in more critical systems.
>

This is a known problem and I assure you NANOG is working with their vendor
to address it.


>
> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
> trying to use the wildcard for amsl.com


I'm curious what is going on, but I wonder if it doesn't have something to
do with the openssl command you've entered below.

When using Firefox, Chrome, or Safari from my laptop and Internet Explorer
from within a VM, I'm being offered the *.nanog.org wildcard cert, not an
amsl.com cert. I checked a popular online SSL certificate checker and
similarly received the proper certificate.

Are you receiving a certificate error of some type in your browser? If so,
let's take the conversation off of nanog to spare the list.

-e


>
> $ openssl s_client -showcerts -connect secretariat.nanog.org:443
>
> CONNECTED(00000003)
>
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
>
> verify error:num=20:unable to get local issuer certificate
>
> verify return:1
>
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
>
> verify error:num=27:certificate not trusted
>
> verify return:1
>
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
>
> verify error:num=21:unable to verify the first certificate
>
> verify return:1
>
> ---
>
> Certificate chain
>
>  0 s:/OU=Domain Control Validated/CN=*.amsl.com
>
>    i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=
> http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate
> Authority - G2
>


