nanog mailing list archives
ARO Security
From: Nicholas Schmidt <nicholas.schmidt () controlgroup com>
Date: Mon, 18 May 2015 12:30:04 -0400
I can't find a way to reach out to whoever manages ARO directly so I figure it would be best to publish this to the list. We are a group of network operators who are failing at enforcing extremely basic security in our own applications.

1.) Retrieving an ARO password sends a plain text email of your current password. I'm sure this is minor as it's just ARO and none of us would ever re-use a password in more critical systems.

2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be trying to use the wildcard for amsl.com

$ openssl s_client -showcerts -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
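An added example, not part of the original post: a small Python check that reads `openssl s_client` output like the excerpt quoted in the message and reports both the name mismatch and the chain errors. The function names are hypothetical, and the check assumes only the subject CN is available, since that is all the quoted output shows; a full check would read the certificate's subjectAltName entries.

```python
import re

# Excerpt of the `openssl s_client` output quoted in the message above.
S_CLIENT_OUTPUT = """\
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""

def parse_s_client(text):
    """Return (leaf CN, sorted list of (error number, message)) from s_client output."""
    cn = None
    errors = set()
    for line in text.splitlines():
        m = re.match(r"depth=0 .*?/CN=([^/\s]+)", line)
        if m:
            cn = m.group(1)
        m = re.match(r"verify error:num=(\d+):(.+)", line)
        if m:
            errors.add((int(m.group(1)), m.group(2).strip()))
    return cn, sorted(errors)

def name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole left-most label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def audit(host, text):
    """Summarise name and chain problems for `host` as a list of findings."""
    cn, errors = parse_s_client(text)
    findings = []
    if cn is None or not name_matches(cn, host):
        findings.append(f"name mismatch: certificate is for {cn}, not {host}")
    findings += [f"chain error {n}: {msg}" for n, msg in errors]
    return findings
```

Calling `audit("secretariat.nanog.org", S_CLIENT_OUTPUT)` returns the name mismatch plus the three distinct chain errors; `s_client` itself reports only the chain errors unless hostname verification is requested.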