IETF Logo Mail Archive

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Niklas Keller <me@kelunik.com> Fri, 13 November 2015 07:28 UTC

Return-Path: <me@kelunik.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E471B4194 for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 23:28:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.027
X-Spam-Level:
X-Spam-Status: No, score=-1.027 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sswZUZTvTfOj for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 23:28:56 -0800 (PST)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72E2F1B4190 for <acme@ietf.org>; Thu, 12 Nov 2015 23:28:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1447399733; l=4776; s=domk; d=kelunik.com; h=Content-Type:Cc:To:From:Subject:Date:References:In-Reply-To: MIME-Version; bh=nUGYaA4sdCVic0ZO9jlIfuFjAOMh5+BflIpaZHn+UEs=; b=FdWaBT3vxgUAAT6U1q8rIQqbmiZRPccn/aRPEivE8wOzz9uA/LgyrMTIMvQLTkfX+kE wxe8jrUqbvDamu/kWeoDOsmG3l5/mzoEB7+HXH2HnKOuQ03c46o/LtC1QvBcfXx3lx2Om APkY/UZjJhWa6ykG3xVz5/gH1Eve/5xbfJE=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtOnM6
X-RZG-CLASS-ID: mo00
Received: from mail-wm0-f50.google.com ([74.125.82.50]) by smtp.strato.de (RZmta 37.14 AUTH) with ESMTPSA id d05262rAD7SrlSY (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for <acme@ietf.org>; Fri, 13 Nov 2015 08:28:53 +0100 (CET)
Received: by wmvv187 with SMTP id v187so67800787wmv.1 for <acme@ietf.org>; Thu, 12 Nov 2015 23:28:53 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.28.72.136 with SMTP id v130mr1883803wma.60.1447399733073; Thu, 12 Nov 2015 23:28:53 -0800 (PST)
Received: by 10.194.2.171 with HTTP; Thu, 12 Nov 2015 23:28:53 -0800 (PST)
In-Reply-To: <20151113011259.GC18430@eff.org>
References: <20151113004436.GB18430@eff.org> <CABkgnnU5EzaPA4o7OgnTBpSQCZxjD+QsSV=4_L2rOBeFAoauKA@mail.gmail.com> <20151113011259.GC18430@eff.org>
Date: Fri, 13 Nov 2015 08:28:53 +0100
X-Gmail-Original-Message-ID: <CANUQDCg6xK3esWSWbM3j8p+ywDBrVa+_4bofHtymsYf0SPeFbw@mail.gmail.com>
Message-ID: <CANUQDCg6xK3esWSWbM3j8p+ywDBrVa+_4bofHtymsYf0SPeFbw@mail.gmail.com>
From: Niklas Keller <me@kelunik.com>
To: Peter Eckersley <pde@eff.org>
Content-Type: multipart/alternative; boundary="001a114b32b6f023ac052467024a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/4esxXhCb-VgV2EwXYieX3mhvdko>
Cc: "acme@ietf.org" <acme@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 07:28:59 -0000

Once we add an extension, there will be default mime types in server
implementations for it for any webroot file. Where's the gain then? A
dropped file will just use the configured type. If you want to keep the
protection, we'll have to check the content type but don't allow an
extension, which would be bad for some servers to configure as others
pointed out, mainly IIS.

Regards, Niklas

2015-11-13 2:12 GMT+01:00 Peter Eckersley <pde@eff.org>:

> I should have added another option, 3b, drop the Content-Type
> restriction but allow file extensions.
>
> Sounds like that would be a win on IIS.
>
> On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote:
> > On 12 November 2015 at 16:44, Peter Eckersley <pde@eff.org> wrote:
> > > But is 3 the best answer?
> >
> > Of those presented, I think so.  I know that this isn't a great answer
> > (it's bad already, so bad must be OK), but being able to drop things
> > into .well-known opens a raft of other interesting attacks.
> >
> > More seriously, I think that the other options all have deployment
> > complications that far outweigh the marginal benefit that extra
> > checking might provide.
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> >
>
> --
> Peter Eckersley                            pde@eff.org
> Chief Computer Scientist          Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email