Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
Peter Eckersley <pde@eff.org> Fri, 08 January 2016 19:56 UTC
Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6772D1B2B5E for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 11:56:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5a1IH-kO7BoG for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 11:56:41 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0A5D1B2B65 for <acme@ietf.org>; Fri, 8 Jan 2016 11:56:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=mlby5zYALWV6bgaydIAli1eRVGewVYL44Gc6n6Rboj4=; b=FSDcvUYpOIvJnFCX4BtNqXTJsV3PwEwQ3SgU0Nh+euqN8c2ii3u256Q3cm+LjLZc0WraMx6asfwr94WVBngMEyUaY9qayfIIzHTE4450ZDwUM0Ks1miGRKmoeh4EXvP5ZXTgHFs+i5OI5qFNASB7ePXbRllKMm8HkMJO+aLcWKg=;
Received: ; Fri, 08 Jan 2016 11:56:39 -0800
Date: Fri, 08 Jan 2016 11:56:39 -0800
From: Peter Eckersley <pde@eff.org>
To: Niklas Keller <me@kelunik.com>
Message-ID: <20160108195639.GP18430@eff.org>
References: <CANUQDCjc2pyD19pC+8F4dhommuaOtf=JpJWOYAh6He3RNK8+Xg@mail.gmail.com> <20160108172709.GA29864@al> <20160108182325.GM18430@eff.org> <CANUQDChqJeCJKY0o9DUTS9SrhwpnkUcf9VUqBGy4nt+N8YJVbA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANUQDChqJeCJKY0o9DUTS9SrhwpnkUcf9VUqBGy4nt+N8YJVbA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/35Sqnx1uhowmbg55HA_TmfcNaY8>
Cc: IETF ACME <acme@ietf.org>, Peter Wu <peter@lekensteyn.nl>
Subject: Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2016 19:56:45 -0000
On Fri, Jan 08, 2016 at 08:42:57PM +0100, Niklas Keller wrote: > > The current language describing it in the spec is terrible and needs to > > be rewritten, but it's quite simple: add an extra :443 vhost entry to > > your server config, serving a self-signed cert created to pass the > > challenge. > > > Unfortunately, this requires a server configuration reload. http-01 is > still a lot easier, it doesn't require any configuration change. I think > it's best to allow http-01 over HTTPS on port 443 if port 80 is not > reachable. This should eliminate the vulnerability, but allow verifying > HTTPS-only sites with http-01. That's pretty corner case-y behaviour for a very specialised use case (server *must* have port 80 firewalled, and cannot possibly perform a graceful server reload). Are there other voices in favour of special casing DV behaviour for that use case? -- Peter Eckersley pde@eff.org Chief Computer Scientist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- [Acme] ACME vulnerabilities in SimpleHTTP due to … Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Jakub Warmuz