Re: [Acme] Issue: Allow ports other than 443
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 26 November 2015 11:01 UTC
To: Eliot Lear <lear@cisco.com>, Phillip Hallam-Baker <phill@hallambaker.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-lsY8-TGeehK8of-a5WVwPOa_XA>
Cc: Martin Thomson <martin.thomson@gmail.com>, Peter Eckersley <pde@eff.org>, Russ Housley <housley@vigilsec.com>, IETF ACME <acme@ietf.org>
On 26/11/15 08:36, Eliot Lear wrote:
> Yes. The real issue here is that the cert contains the hostname and not
> the port.

So one could define a new always-critical certificate extension saying
that the cert is only for use with some set of ports. (Or maybe
someone's already defined it, I forget;-) That might enable automation
in some situations that'd otherwise be tricky. If folks figured that'd
be deployed by browsers, it'd be worth doing. It might be worth doing
even if only some other kinds of application benefited, but the web (so
just-443) would I guess be the most-used value.

(Don't worry about whether that's in scope for acme, if it's a dumb idea
it won't be done anywhere and if it's not we'll find a venue.)

S.

> And so running the test on other than 443 would provide
> for what amounts to a privilege escalation attack.
>
> On 11/26/15 4:18 AM, Phillip Hallam-Baker wrote:
>> I am getting really nervous about allowing any port other than 443.
>>
>> I just did a scan of a very recent clean install of Windows and there
>> are a *TON* of Web servers running for apps that didn't mention they
>> had one.
>>
>> The thing is that if I am running a process on any sort of shared
>> host, I can pretty easily spawn a server and start applying for certs
>> for other domains. Not only can I get .well-known, I can have any host
>> name I like.
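The always-critical port-constraint extension floated above, modelled as an added example in pure Python; this is not code from the thread or from any ACME or TLS implementation. The OID, the SEQUENCE OF INTEGER encoding and the relying-party check are all assumptions made for illustration.

```python
# Added example: a hypothetical "allowed ports" certificate extension.
# OID is a placeholder in a private arc, not a registered identifier.
PORT_CONSTRAINT_OID = "1.3.6.1.4.1.99999.1"


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER, keeping the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def encode_port_constraint(ports) -> bytes:
    """SEQUENCE OF INTEGER listing the ports the cert may be served on."""
    inner = b"".join(der_int(p) for p in sorted(set(ports)))
    return b"\x30" + der_len(len(inner)) + inner


def read_tlv(buf: bytes, i: int):
    """Return (tag, value, next_offset) for the TLV starting at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[i:i + n], i + n


def decode_port_constraint(der: bytes) -> set:
    """Strict decoder: one SEQUENCE of in-range INTEGER ports, no trailing data."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    ports, i = set(), 0
    while i < len(body):
        t, v, i = read_tlv(body, i)
        p = int.from_bytes(v, "big")
        if t != 0x02 or not 0 < p <= 65535:
            raise ValueError("bad port entry")
        ports.add(p)
    return ports


def port_allowed(extensions: dict, port: int, understood: set) -> bool:
    """Relying-party decision. extensions maps OID -> (critical, der_value).
    An unrecognised critical extension forces rejection (RFC 5280 rule),
    which is why marking it always-critical matters: a client that does not
    implement the check cannot silently accept the cert on another port."""
    for oid, (critical, value) in extensions.items():
        if oid not in understood:
            if critical:
                return False
            continue
        if oid == PORT_CONSTRAINT_OID and port not in decode_port_constraint(value):
            return False
    return True
```

A cert with no such extension is accepted on any port, preserving today's behaviour for legacy issuance.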