IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

"Matthew D. Hardeman" <mhardeman@ipifony.com> Fri, 12 January 2018 16:22 UTC

Return-Path: <mhardeman@ipifony.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BC7012E897 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 08:22:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgvS-U0h63NN for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 08:21:59 -0800 (PST)
Received: from mail.ipifony.com (mail.ipifony.com [199.71.210.39]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EFED12D943 for <acme@ietf.org>; Fri, 12 Jan 2018 08:21:59 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.ipifony.com (Postfix) with ESMTP id 114CAB40911; Fri, 12 Jan 2018 10:21:59 -0600 (CST)
X-Virus-Scanned: amavisd-new at ipifony.com
Received: from mail.ipifony.com ([127.0.0.1]) by localhost (mail.ipifony.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GX-qJjnQjWDj; Fri, 12 Jan 2018 10:21:57 -0600 (CST)
Received: from [10.47.52.51] (68-117-162-146.dhcp.unas.al.charter.com [68.117.162.146]) by mail.ipifony.com (Postfix) with ESMTPSA id BEA18B408C7; Fri, 12 Jan 2018 10:21:57 -0600 (CST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
In-Reply-To: <4E14EA18-C7C3-47B4-AEE5-3FFD3EE3524A@ipifony.com>
Date: Fri, 12 Jan 2018 10:21:57 -0600
Cc: Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>, Roland Bracewell Shoemaker <roland@letsencrypt.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <98F2C356-3ED5-47D2-8252-65A36E095D44@ipifony.com>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org> <0603b570-f790-88a7-5514-b324eff4f087@figel.email> <4E14EA18-C7C3-47B4-AEE5-3FFD3EE3524A@ipifony.com>
To: Patrick Figel <patrick@figel.email>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7Rvxk3-SpnyQm3oeUG3zQYBWmXs>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 16:22:03 -0000

So the original source of the TLS-SNI-01 in-the-field vulnerability that caused Let’s Encrypt to disable TLS-SNI-01 has just openly published details of the exploit he demonstrated:

https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

In this case, he used AWS CloudFront and Heroku to achieve the issue.

And it pertains to a TLS load balancer being programmatically bound to whatever newly unique to the platform name they want.  Just like the threat I had mentioned.

Now, imagine if there was a web host configured like AWS CloudFront and/or Heroku.  Then imagine that they’re sleazier, less well funded, and looking for quick resolution to a new customer complaint…

Customer complaint: My code used to be able to do X,Y,Z and achieve TLS-SNI-01 validation.  Now, because your TLS balancer doesn’t send this “acme” ALPN signal, I can’t anymore.  Fix it!

The cheap quick fix to this — the one that makes the customer’s complaint go away while spending the least time and money possible — is to just patch in a fake echo of the “acme” ALPN signal.

Note: this is fully resolved if the TLS SNI name in the protocol is changed to specify that it must be the actual domain label being validated.  But if you don’t require that, you’ll create an opportunity for the web host to most expeditiously return to the prior status quo by making a minimal fake “acme” ALPN tag.

> On Jan 12, 2018, at 10:04 AM, Matthew D. Hardeman <mhardeman@ipifony.com> wrote:
> 
> Breaking that on purpose is actually why I most believe that the SNI should be required to reflect the exact SNI of the domain label being validated.
> 
> The threat model I was concerned about evaporates if the SNI is the actual domain label and the decisioning of which TLS certificate to present to the validator versus the normal far-end browser or other endpoint is then dependent on the combination of the ALPN marker AND the SNI.
> 
> (i.e. use most recent real certificate/key for connection with real endpoints indicating SNI of the real domain label, but use the validation certificate/key when the real SNI + “acme” ALPN  tag is received.)
> 
> Imagine that the HAProxy you describe is run not by the website administrator, but by the shared hosting provider.  Imagine that their infrastructure was vulnerable to the TLS-SNI-01 and -02 problems because their outside facing HAProxy matched SNI of any number of customer configured unique labels with customer provided certificates…
> 
> If you keep letting that model be manipulated by customers of the hosting provider, and keep the SNI as the .acme.invalid pattern, the path of least resistance to return the web hosts’s prior level of function is simply to create a fake “acme” ALPN signal and proceed with old behavior.  That’s a danger.
> 
> The concerns I raised would more or less be fully resolved by standardizing on having the SNI label be required to be the domain label being validated and then the TLS termination endpoint on the server side has to look to the “acme” ALPN tag to know to switch to presenting the validation challenge-response cerfificate/keypair.
> 
>> On Jan 12, 2018, at 9:29 AM, Patrick Figel <patrick@figel.email> wrote:
>> 
>> On 12.01.18 04:06, Roland Bracewell Shoemaker wrote:
>>> I'm actually going to roll back my thoughts on the SNI value. Thinking
>>> about this more I think it does actually make sense to revert to using
>>> the actual host name here.
>>> 
>>> In the initial design of the TLS-SNI challenge the XXX.acme.invalid
>>> value was used as a way to allow servers to dynamically serve both
>>> regular and validation traffic. Since we would be using ALPN here we no
>>> longer need a special SNI value in order to differentiate validation
>>> traffic from regular traffic so this token value is no longer needed.
>> 
>> One minor advantage of keeping the current acme.invalid scheme is that
>> it allows people to use SNI-based routing. Web servers like HAProxy
>> allow you to proxy requests (on the TCP layer) based on the SNI value,
>> so you could match "*.acme.invalid" and forward it to a validation
>> server that supports the new challenge and the ALPN ACME protocol, even
>> if the web server itself doesn't. If we use the "real" identifier for
>> SNI, we'd limit that option to web servers that natively support the
>> ALPN value for ACME and can route based on it.
>> 
>> Not sure how common this kind of setup is, if it's just a small subset
>> of HAProxy deployments it'd probably not have much of an impact.
>> 
>> Patrick
>> 
>> [1]:
>> https://www.cloudoptimizedsmb.com/articles/20160409-00/using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic
>> 
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email