[gnso-rds-pdp-wg] Another perspective on gated whois

Andrew Sullivan ajs at anvilwalrusden.com
Mon Mar 27 19:16:32 UTC 2017


Thanks for this contribution -- it's useful.  A couple nits:

On Mon, Mar 27, 2017 at 02:07:26PM -0500, John Bambenek via gnso-rds-pdp-wg wrote:
> Even if I had a wiretap on the right whois server, whois is over UDP so it can be spoofed. So I can have little confidence in what I get. 


Whois is not UDP-based, it's TCP-based.  See RFC 3912.  None of that
helps, though, because in the current era getting hold of random TCP
connections all over the Internet is a trivial matter anyway, so
there'd be little consequence in knowing what IP address in the world
asked for the data.

> Now I can run an intelligence op, and for the price of one national
> security letter, not only do I know if the adversary looked at my
> stuff, I know exactly WHO did the looking and what IP they came
> from.

It's slightly better, because you can in fact tell not only what IP
they came from but also whether that IP appears to be widely
correlated with the credentials used to make the request.

Of course, it all _also_ means that LEOs and so on who do these
lookups end up leaving some trail of their activity.  To me, that's a
good thing, but YMMV.

Best regards.

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
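To make the TCP point concrete, here is an added example (not part of the thread or of any registry's software) that runs the RFC 3912 exchange over a loopback socket: the client sends the query terminated by CRLF, the server answers and closes the connection, and the server records the peer address that the completed TCP handshake established. The record data and the port selection are constructed for the demo; real WHOIS servers listen on TCP port 43.

```python
import socket
import threading

# Constructed sample records for the toy server; not real registration data.
RECORDS = {
    "example.com": "Domain Name: example.com\r\nRegistrar: Example Registrar (constructed)\r\n",
}


def serve_one_query(listener, log):
    """Server side of one RFC 3912 exchange: accept a TCP connection, read a
    CRLF-terminated query, answer it, record the peer address, then close."""
    conn, peer = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        query = buf.rstrip(b"\r\n").decode("ascii", "replace")
        # peer comes from the completed TCP three-way handshake, so the source
        # address is not blindly spoofable the way a single UDP datagram is;
        # this is the trail a lookup leaves on the server side.
        log.append((peer[0], query))
        reply = RECORDS.get(query.lower(), 'No match for "%s".\r\n' % query)
        conn.sendall(reply.encode("ascii"))
    # closing the connection marks the end of the response (RFC 3912 section 2)


def whois_query(host, port, name):
    """Client side: connect, send the name plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def demo(name="example.com"):
    """Run server and client on loopback; return (response text, server log)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    log = []
    t = threading.Thread(target=serve_one_query, args=(listener, log))
    t.start()
    response = whois_query("127.0.0.1", port, name)
    t.join()
    listener.close()
    return response, log


if __name__ == "__main__":
    resp, log = demo()
    print(resp)
    print("server saw:", log)
```

Running `demo()` prints the constructed record and a log entry of the form `('127.0.0.1', 'example.com')`; the entry exists because the connection, not a datagram, carried the query.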
