ACSP Suggestion 2015.15: Improvements to SSL Security for whois.arin.net
Author: Frank Bulk
Submitted On: 15 September 2015
Congratulations to the ARIN team for enabling SSL on whois.arin.net! An analysis of the SSL connection (https://dev.ssllabs.com/ssltest/analyze.html?d=whois.arin.net) shows that the server supports weak Diffie-Hellman (DH) key exchange parameters.
Is that something that could be tweaked to improve security? Could regular checks of ARIN’s SSL connection be made, even if it was “only” via a free service such as Qualys?
Value to Community: Protects communications made by users of ARIN’s sites and instills confidence in ARIN’s security posture.
Timeframe: Not specified
Status: Open
Updated: 29 September 2015
26 September 2015
Thank you for your suggestion, numbered 2015.15 upon confirmed receipt. Upon investigation, we discovered changing the Diffie-Hellman (DH) key parameter is a configuration change that is not currently supported by the vendor-supplied solution we use to front our directory service applications. We are investigating our options for this improvement with our vendor. We will make the change once the vendor delivers a solution that is tested and proven to work.
As part of our third-party security audits, we require analysis and reporting of our SSL-based services.
Thank you for bringing this matter to our attention. This suggestion will remain open until a solution is in place.
Notes: Work pending Vendor updates
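
The regular check asked for in the suggestion can be scripted around the "Server Temp Key:" line that `openssl s_client` prints after a handshake. This is an added example, not part of the ACSP record or of ARIN's tooling; the function name, the 2048-bit threshold and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak ephemeral Diffie-Hellman parameters from the
# output of `openssl s_client`. Runs offline on constructed samples.

MIN_DH_BITS=2048   # assumed policy threshold, not taken from the page

# classify_temp_key (hypothetical helper) reads s_client output on stdin
# and prints exactly one verdict line:
#   WEAK_DH <bits>   finite-field DH group below MIN_DH_BITS
#   OK_DH <bits>     finite-field DH group at or above MIN_DH_BITS
#   NOT_DH <desc>    ephemeral key is not finite-field DH (e.g. ECDH)
#   NO_TEMP_KEY      no ephemeral key reported (e.g. RSA key exchange,
#                    or the handshake failed)
classify_temp_key() {
    # Keep only the text after the first "Server Temp Key:" label.
    line=$(sed -n 's/^Server Temp Key: *//p' | head -n 1)
    case "$line" in
        "")
            echo "NO_TEMP_KEY" ;;
        DH,*)
            bits=$(printf '%s\n' "$line" |
                   sed -n 's/^DH, *\([0-9][0-9]*\) bits.*/\1/p')
            if [ -z "$bits" ]; then
                echo "UNPARSED $line"
            elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
                echo "WEAK_DH $bits"
            else
                echo "OK_DH $bits"
            fi ;;
        *)
            echo "NOT_DH $line" ;;
    esac
}

# Constructed samples of s_client output (not captured from any server).
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

printf '%s\n' "$SAMPLE_WEAK" | classify_temp_key
printf '%s\n' "$SAMPLE_ECDH" | classify_temp_key

# Live use from a scheduled job, forcing a DHE suite so the server's DH
# group is the one reported ($HOST is a placeholder for your own service):
#   openssl s_client -connect "$HOST:443" -tls1_2 -cipher DHE \
#       </dev/null 2>/dev/null | classify_temp_key
```

A monitoring job would alert on `WEAK_DH` and treat `NO_TEMP_KEY` on a DHE-only probe as "server does not negotiate DHE" rather than as a pass.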