[179963] in North American Network Operators' Group
ARO Security
daemon@ATHENA.MIT.EDU (Nicholas Schmidt)
Mon May 18 12:30:07 2015
X-Original-To: nanog@nanog.org
Date: Mon, 18 May 2015 12:30:04 -0400
From: Nicholas Schmidt <nicholas.schmidt@controlgroup.com>
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I can't find a way to reach out to whoever manages ARO directly, so I figure
it would be best to publish this to the list.
We are a group of network operators who are failing at enforcing extremely
basic security in our own applications.
1.) Retrieving an ARO password sends a plain text email of your current
password. I'm sure this is minor as it's just ARO and none of us would ever
re-use a password in more critical systems.
2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
trying to use the wildcard for amsl.com.
$ openssl s_client -showcerts -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.amsl.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=
http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate
Authority - G2
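A small checker for the second finding, added as an example and not part of the original post or of any NANOG tooling: it parses the text that `openssl s_client` prints (the sample below is a constructed abridgement of the output quoted above), applies RFC 6125 style wildcard matching to the leaf subject CN, and reports the hostname mismatch and chain verify errors so the check can run from a monitoring job.

```python
import re

# Constructed sample: an abridged copy of the s_client output quoted in the post.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
"""


def wildcard_matches(pattern, hostname):
    """RFC 6125 style matching: one '*' allowed, only as the whole leftmost label,
    covering exactly one label (so *.amsl.com matches www.amsl.com but neither
    amsl.com nor a.b.amsl.com), and never a bare '*.tld'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def parse_s_client(output):
    """Return (leaf subject CN or None, sorted list of verify error numbers)."""
    cn = None
    m = re.search(r"^\s*0 s:.*?/CN=([^/\n]+)", output, re.M)
    if m:
        cn = m.group(1).strip()
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", output)})
    return cn, errors


def audit(output, expected_host):
    """List the problems a browser would object to for expected_host."""
    cn, errors = parse_s_client(output)
    findings = []
    if cn is None:
        findings.append("no leaf certificate subject found")
    elif not wildcard_matches(cn, expected_host):
        findings.append(f"hostname mismatch: CN {cn!r} does not cover {expected_host!r}")
    findings.extend(f"chain verify error {n}" for n in errors)
    return findings
```

Feeding the real output of `openssl s_client -connect secretariat.nanog.org:443` into `audit(..., "secretariat.nanog.org")` gives the same two classes of finding the post describes; an empty list is the passing result.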