ACSP Suggestion 2015.15: Improvements to SSL Security for whois.arin.net

Suggestion

Author: Frank Bulk   
Submitted On: 15 September 2015

Description:

Congratulations to the ARIN team for enabling SSL on whois.arin.net! An analysis of the SSL connection (https://dev.ssllabs.com/ssltest/analyze.html?d=whois.arin.net) shows that the servers supports weak Diffie-Hellman (DH) key exchange parameters.

Is that something that could be tweaked to improve security? Could regular checks of ARIN’’s SSL connection be made, even if it was “only” via free service such as Qualys?

Value to Community: Protects communications made by users of ARIN’s sites and instills confidence in ARIN’s security posture.

Timeframe: Not specified

Status: Closed   Updated: 23 February 2021

Tracking Information

ARIN Comment

26 September 2015

Thank you for your suggestion, numbered 2015.15 upon confirmed receipt. Upon investigation, we discovered changing the Diffie-Hellman (DH) key parameter is a configuration change that is not currently supported by the vendor-supplied solution we use to front our directory service applications. We are investigating our options for this improvement with our vendor. We will make the change once the vendor delivers a solution that is tested and proven to work.

As part of our third-party security audits, we require analysis and reporting of our SSL-based services.

Thank you for bringing this matter to our attention. This suggestion will remain open until a solution is in place.

23 February 2021

Thank you for your suggestion, numbered 2015.15 on confirmed receipt, asking that ARIN remove support for weak Diffie-Hellman (DH) key exchange parameters. We have completed this work with our most recent system update.

Because this work has been completed, we are closing your suggestion. Thank you for your participation in the ARIN Consultation and Suggestion Process.