Re: [Acme] Issue: Allow ports other than 443

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 26 November 2015 11:01 UTC

To: Eliot Lear <lear@cisco.com>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com> <20151124033325.GH18430@eff.org> <56545B4C.3020406@cisco.com> <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com> <5656C49E.6070701@cisco.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5656E66B.3000803@cs.tcd.ie>
Date: Thu, 26 Nov 2015 11:00:59 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <5656C49E.6070701@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="GvVtmpFBknxmQKRqlBPvnPkdhRttH7s3g"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-lsY8-TGeehK8of-a5WVwPOa_XA>
Cc: Martin Thomson <martin.thomson@gmail.com>, Peter Eckersley <pde@eff.org>, Russ Housley <housley@vigilsec.com>, IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Issue: Allow ports other than 443


On 26/11/15 08:36, Eliot Lear wrote:
> Yes.  The real issue here is that the cert contains the hostname and not
> the port. 

So one could define a new always-critical certificate extension
saying that the cert is only for use with some set of ports. (Or
maybe someone's already defined it, I forget;-)

That might enable automation in some situations that'd otherwise
be tricky.

If folks figured that'd be deployed by browsers, it'd be worth
doing. It might be worth doing even if only some other kinds
of application benefited, but the web (so just-443) would I
guess be the most-used value.

(Don't worry about whether that's in scope for acme, if it's
a dumb idea it won't be done anywhere and if it's not we'll
find a venue.)

S.

> And so running the test on other than 443 would provide
> for what amounts to a privilege escalation attack.
> 
> On 11/26/15 4:18 AM, Phillip Hallam-Baker wrote:
>> I am getting really nervous about allowing any port other than 443.
>>
>> I just did a scan of a very recent clean install of Windows and there
>> are a *TON* of Web servers running for apps that didn't mention they
>> had one.
>>
>> The thing is that if I am running a process on any sort of shared
>> host, I can pretty easily spawn a server and start applying for certs
>> for other domains. Not only can I get .well-known, I can have any host
>> name I like.
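Added example, not code from the thread, the ACME drafts or any CA: a validator-side port policy that encodes Phillip's and Eliot's concern. On a shared host any tenant can bind a high port without privilege, so a challenge answered on such a port says little about who controls the name; the policy therefore only fetches responses on 80 and 443 and, going one step beyond the thread, applies the same check to every hop of a redirect chain so that following a redirect does not reopen the hole. The function names, the port table and the sample URLs are all constructed here.

```python
"""Validator-side port policy for ACME HTTP validation.

Added example, not code from the ACME drafts or any CA in this thread.
Function names, the policy table and the sample URLs are constructed here.
"""
from urllib.parse import urlsplit

# Ports on which the validator will fetch a challenge response.  On typical
# hosts binding these requires elevated privilege, so a response served
# there is a stronger signal of host control than one on a high port that
# any local process may open.
ALLOWED_VALIDATION_PORTS = frozenset({80, 443})
MAX_PRIVILEGED_PORT = 1023


def challenge_target(challenge_url):
    """Return the (host, port) a validator would connect to, filling in the
    scheme default when the URL carries no explicit port."""
    parts = urlsplit(challenge_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    port = parts.port  # None when absent; ValueError when out of range
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def validation_decision(challenge_url):
    """Decide whether the validator may fetch this URL.  Returns
    (allowed, reason) so the reason can be logged or reported to the client."""
    host, port = challenge_target(challenge_url)
    if port in ALLOWED_VALIDATION_PORTS:
        return True, f"port {port} is an approved validation port"
    if port > MAX_PRIVILEGED_PORT:
        return False, (f"port {port} is unprivileged: any local process on "
                       f"{host} could serve the challenge response")
    return False, f"port {port} is not an approved validation port"


def redirect_chain_allowed(urls):
    """Apply the policy to every hop of a redirect chain.  A validator that
    checks only the first URL and then follows a redirect to a high port
    would reopen the same hole, so each hop is judged on its own."""
    for url in urls:
        allowed, reason = validation_decision(url)
        if not allowed:
            return False, f"{url}: {reason}"
    return True, "all hops on approved validation ports"


if __name__ == "__main__":
    # Constructed sample targets, not real challenge URLs.
    for url in ("http://example.test/.well-known/acme-challenge/tok",
                "https://example.test/.well-known/acme-challenge/tok",
                "http://example.test:8080/.well-known/acme-challenge/tok"):
        print(url, "->", validation_decision(url))
    print(redirect_chain_allowed([
        "http://example.test/.well-known/acme-challenge/tok",
        "https://example.test:8443/.well-known/acme-challenge/tok"]))
```

The decision returns a reason alongside the verdict because a CA will want the rejection visible in its validation log and in the error returned to the ACME client; a silent refusal just looks like a network failure to the operator.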
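Added example for Stephen's port-scoped extension idea, not code from the thread or from any standard: no such extension is defined here, so the OID is a placeholder, the DER helpers are hand-written for the one shape needed (a SEQUENCE OF INTEGER listing the permitted ports), and the certificate is a plain dict of (oid, critical, value) extensions rather than a parsed X.509 object. It shows why the extension has to be always-critical: a verifier that recognises the OID checks the connection port against the list, and a verifier that does not recognise it must reject the certificate rather than silently ignore the scope.

```python
"""Port-scoped certificate extension sketch.

Added example; the OID is a placeholder, the DER code handles only
SEQUENCE OF non-negative INTEGER, and certificates are plain dicts.
"""

PORT_SET_OID = "1.3.6.1.4.1.99999.1"   # placeholder OID, constructed here


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_int(v):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_port_set(ports):
    """SEQUENCE OF INTEGER, sorted and de-duplicated so encoding is canonical."""
    body = b"".join(_der_int(p) for p in sorted(set(ports)))
    return b"\x30" + _der_len(len(body)) + body


def decode_port_set(der):
    """Parse the extension value back into a list of ports, rejecting junk."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    ports = []
    while pos < end:
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ilen, pos = _read_len(der, pos + 1)
        ports.append(int.from_bytes(der[pos:pos + ilen], "big"))
        pos += ilen
    return ports


def cert_usable_on_port(cert, port):
    """cert is a dict with an "extensions" list of (oid, critical, value).

    Returns (ok, reason).  Unknown critical extensions cause rejection, which
    is exactly what makes the port scope enforceable on old verifiers."""
    for oid, critical, value in cert["extensions"]:
        if oid == PORT_SET_OID:
            if port not in decode_port_set(value):
                return False, f"port {port} not in certificate's port set"
        elif critical:
            return False, f"unrecognised critical extension {oid}"
    return True, "certificate usable on this port"


if __name__ == "__main__":
    # Constructed sample certificate scoped to 443 only.
    scoped = {"extensions": [(PORT_SET_OID, True, encode_port_set([443]))]}
    print(cert_usable_on_port(scoped, 443))
    print(cert_usable_on_port(scoped, 8080))
```

A certificate without the extension is accepted on any port, which preserves today's behaviour; the scope only bites once an issuer adds the extension, and because it is critical a legacy client cannot be tricked into accepting a 443-only certificate on some other port by simply not understanding it.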