[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ARO Security

Subject: ARO Security
From: nicholas.schmidt at controlgroup.com (Nicholas Schmidt)
Date: Mon, 18 May 2015 12:30:04 -0400

I cant find a way to reach out to whoever manages ARO directly so I figure
it would be best to publish this to the list.

We are a group of network operators who are failing at enforcing extremely
basic security in our own applications.

1.) Retrieving an ARO password sends a plain text email of your current
password. Im sure this is minor as its just ARO and none of us would ever
re-use a password in more critical systems.

2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
trying to use the wildcard for amsl.com

$ openssl s_client -showcerts -connect secretariat.nanog.org:443

CONNECTED(00000003)

depth=0 /OU=Domain Control Validated/CN=*.amsl.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 /OU=Domain Control Validated/CN=*.amsl.com

verify error:num=27:certificate not trusted

verify return:1

depth=0 /OU=Domain Control Validated/CN=*.amsl.com

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

 0 s:/OU=Domain Control Validated/CN=*.amsl.com

   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=
http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate
Authority - G2

Follow-Ups:
- ARO Security
  - From: eric.oosting at gmail.com (Eric Oosting)

Prev by Date: Visualware/Speedtest self-hosting alternatives
Next by Date: Usage of Teredo and IPv6 for P2P on Windows 10 and Xbox One
Previous by thread: survey on performance measurement platforms and related standards
Next by thread: ARO Security
Index(es):
- Date
- Thread