Dear Chris,

My email was intended to propose having a safer authentication method. I was hoping that RIPE will either:

- force users to change their passwords. After 4 years and the RIPE recommendation, 27,000 hashes are still being used out of a total of 36,000 without update. Only 25% of the hashes have been updated.
- deprecate MD5 in favour of stronger authentication methods.

Having 75% of valid hashes in the wild is a concern, I think. Any security researcher who downloaded all the hashes could misuse this information.

Regards,

--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/

On 5/6/15, Christiaan Ottow <chris@6core.net> wrote:
Hi Pierre,
On 04/05/15 22:12, Pierre Kim wrote:
> Dear Database Working Group Members,
>
> By reading https://labs.ripe.net/Members/kranjbar/password-management-in-ripe-database , I see: "The MD5 hash is public, when running a single query (not for bulk queries)." I assume this was a known problem, but RIPE didn't alert that all the hashes had been retrieved, although there was some urgency to change the passwords or to use a safer authentication method.
>
> When I discussed it with RIPE NCC Security, I gave a 90-day disclosure policy about this "public" information, starting from 16 Apr 2015.
What public information exactly do you mean?
> The 90-day period can be adjusted by adding more days at the end if RIPE shows good progress on the migration. I wanted to do responsible disclosure when I saw the RIPE Responsible Disclosure Policy, which is a Really Good Thing, I think.
What migration? RIPE has changed the database scheme to hide passwords, recommended all MNTners to change their password, and offers stronger means of authentication. What more do they need to do right now?
> In keeping with RIPE transparency, and as recommended by RIPE NCC Security, I am now contacting this working group to work together, because deprecation of MD5 is an important change in the RIPE database and it must be debated in a democratic manner.
>
> My analysis is simple: MD5 authentication has been broken for years and it's time to change to a more secure method. I think people need to be encouraged to move to SSO authentication. Using MD5 now is unsafe and dangerous, especially with unchanged 4-year-old passwords.
>
> Please share your thoughts about this situation. I will be happy to debate with you.
At this point, I'm very curious as to:

1) What information do you plan to disclose in 90 days?
2) What do you expect of RIPE in that period?
-- chris