Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Richard Barnes <rlb@ipv.sx> Fri, 13 November 2015 13:56 UTC

Date: Fri, 13 Nov 2015 08:56:43 -0500
Message-ID: <CAL02cgS5Fz7Z9i7xheMU+ANF0ow4a=Uw-SDdtYYrvMt3hsjSVA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Niklas Keller <me@kelunik.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-Q0dprA1GYh9yb8dW7CP_gg6XTc>
Cc: Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Like I said before, the question here is not dropped file protection.
That's something that admins need to prevent explicitly.  (If you're
allowing untrusted clients to write to .well-known, they can already
hijack your domain in several ways [1].)  The question here is whether
we need to allow file extensions to avoid issues in deployment with
some servers.

I would still like to avoid adding a file extension, but supposing we
did, what would it look like?  We can't just have the client
unilaterally add an extension without telling the server, since the
server needs to know what URI to query to get the validation response.
ISTM that the right answer here would be to generalize and have the
client specify the file name within .well-known/acme-challenge/ and
send it to the server in its response.

I'm not crazy about that solution, but I could probably live with it
if we decide that it's too hard for admins to hack around having a
standard name.  The only additional threat scenario that occurs to me
is if there's some name within .well-known/acme-challenge/ that an
untrusted client could co-opt into serving his challenge response
(e.g., a symlink to untrusted).

--Richard

[1] http://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml#well-known-uris-1

On Fri, Nov 13, 2015 at 2:28 AM, Niklas Keller <me@kelunik.com> wrote:
> Once we add an extension, there will be default mime types in server
> implementations for it for any webroot file. Where's the gain then? A
> dropped file will just use the configured type. If you want to keep the
> protection, we'll have to check the content type but don't allow an
> extension, which would be bad for some servers to configure as others
> pointed out, mainly IIS.
>
> Regards, Niklas
>
> 2015-11-13 2:12 GMT+01:00 Peter Eckersley <pde@eff.org>:
>>
>> I should have added another option, 3b, drop the Content-Type
>> restriction but allow file extensions.
>>
>> Sounds like that would be a win on IIS.
>>
>> On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote:
>> > On 12 November 2015 at 16:44, Peter Eckersley <pde@eff.org> wrote:
>> > > But is 3 the best answer?
>> >
>> > Of those presented, I think so.  I know that this isn't a great answer
>> > (it's bad already, so bad must be OK), but being able to drop things
>> > into .well-known opens a raft of other interesting attacks.
>> >
>> > More seriously, I think that the other options all have deployment
>> > complications that far outweigh the marginal benefit that extra
>> > checking might provide.
>> >
>> > _______________________________________________
>> > Acme mailing list
>> > Acme@ietf.org
>> > https://www.ietf.org/mailman/listinfo/acme
>> >
>>
>> --
>> Peter Eckersley                            pde@eff.org
>> Chief Computer Scientist          Tel  +1 415 436 9333 x131
>> Electronic Frontier Foundation    Fax  +1 415 436 9993
>>
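A CA-side sketch of the checks this thread debates, added here as an illustration and not code from the thread, the ACME draft, or any CA implementation: the Content-Type restriction, Peter's option 3b (no Content-Type check, file extension allowed), and the sanity check a client-chosen file name within .well-known/acme-challenge/ would need so that it cannot name anything outside that directory. The exact wording of the draft's Content-Type rule is an assumption here (header absent or text/plain), as are the policy names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption (not from the thread): the draft's restriction is read as
# "Content-Type absent or text/plain"; option 3b drops that check and lets
# the client pick a single-segment name with one optional extension.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$")


@dataclass(frozen=True)
class Policy:
    check_content_type: bool  # the restriction the thread considers dropping
    allow_extension: bool     # Peter's option 3b


STRICT = Policy(check_content_type=True, allow_extension=False)
OPTION_3B = Policy(check_content_type=False, allow_extension=True)


def challenge_path(filename: str, policy: Policy) -> Optional[str]:
    """Path the CA will fetch, or None when the client-chosen name could
    escape .well-known/acme-challenge/ (slashes, '..') or breaks policy."""
    pattern = NAME_RE if policy.allow_extension else TOKEN_RE
    if not pattern.fullmatch(filename):
        return None
    return "/.well-known/acme-challenge/" + filename


def validate_http01(status: int, headers: Dict[str, str], body: bytes,
                    key_authz: str, policy: Policy) -> Tuple[bool, str]:
    """Decide whether a fetched challenge response passes under `policy`."""
    if status != 200:
        return False, f"unexpected status {status}"
    if policy.check_content_type:
        lowered = {k.lower(): v for k, v in headers.items()}
        ctype = lowered.get("content-type")
        # Strip parameters such as "; charset=utf-8" before comparing.
        if ctype is not None and ctype.split(";")[0].strip().lower() != "text/plain":
            return False, f"content-type {ctype!r} not allowed"
    # Trailing whitespace is tolerated so a file ending in a newline still matches.
    if body.rstrip(b" \t\r\n") != key_authz.encode():
        return False, "body does not match key authorization"
    return True, "ok"
```

With the strict policy a dropped file that the web server labels text/html is rejected even when its body is right; under option 3b the same response passes, which is exactly the trade-off the thread weighs.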