Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
Peter Wu <peter@lekensteyn.nl> Fri, 08 January 2016 17:27 UTC
Return-Path: <peter@lekensteyn.nl>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B6821B2A81 for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 09:27:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.983
X-Spam-Level: *
X-Spam-Status: No, score=1.983 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjjDPxVdrmIo for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 09:27:32 -0800 (PST)
Received: from mail.lekensteyn.nl (mail.lekensteyn.nl [IPv6:2a02:2308::360:1:25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE2171B2A62 for <acme@ietf.org>; Fri, 8 Jan 2016 09:27:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lekensteyn.nl; s=s2048-2015-q1; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=zNctwuVC5Q41P2Ye+o2Nw2W6udxMsEBZ07H9vhmHidQ=; b=nT8fAQXF/5kCr6GfvADZq75NetfIJtrLes7tXWKZ7TQ8VpkRKmoa3O94Jq9dYuPGqF41yES4i1bvRv+KNNTWBt+M5YndeFOkbeOQmqmxWiRNzOwG2oqKu8VCSmvWlNDnniuIdVucTLC07FtUKxACY1zSqFzB48ydsllpFMk3KqoLzLzVixU3T+A6bYcCO+vk46uTSE8l6X9fsVgz3xtcSNPGR9GJspToJ+kguGrQZIn2x9NuiSvEpf4QQM5Yh0s3aWMMBIrzCyWRS1oTPCqhZtTu1XiQEdMABKPjYXIDwayn18WdGnPUe2ROC24Z+mvs0Q09/7u9mBYgCKiA8Blw2Q==;
Received: by lekensteyn.nl with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84) (envelope-from <peter@lekensteyn.nl>) id 1aHaoh-00060e-0f; Fri, 08 Jan 2016 18:27:26 +0100
Date: Fri, 08 Jan 2016 18:27:09 +0100
From: Peter Wu <peter@lekensteyn.nl>
To: Niklas Keller <me@kelunik.com>, Peter Eckersley <pde@eff.org>
Message-ID: <20160108172709.GA29864@al>
References: <CANUQDCjc2pyD19pC+8F4dhommuaOtf=JpJWOYAh6He3RNK8+Xg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANUQDCjc2pyD19pC+8F4dhommuaOtf=JpJWOYAh6He3RNK8+Xg@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/8KMmJV6n7iPmYtn3MiPa1cMksIg>
Cc: acme@ietf.org
Subject: Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2016 17:31:54 -0000
Hi Niklas, Peter and others, (First time poster here, grabbed this mail from the archives. Explanation of the "vulnerability" is first given, followed by a discussion.) On Fri, Nov 13, 2015 at 04:35:00PM +0100, Niklas Keller wrote: > This is a followup on "ACME vulnerabilities in SimpleHTTP and DVSNI due to > common webservers' default virtual host semantics", since I don't have that > mail in my archive (was not subscribed to the list back then), I can't > respond directly to that thread. (Stupid mailing lists.) With a sane mail client, you can set the In-Reply-To header to the Message-Id which can be found by clicking the "Show header" link in messages at https://mailarchive.ietf.org/arch/search/?email_list=acme For future reference, the thread starts at https://mailarchive.ietf.org/arch/msg/acme/B9vhPSMm9tcNoPrTE_LNhnt0d8U (it is worth reading the full thread as it is not that large). > Could someone explain the exact vulnerability? Since those challenge > payloads are bound to a specific domain, I don't see the problem. > Additionally, I don't see why it's a problem with HTTPS, why is it > mitigated by switching to HTTP? HTTP via port 80 has just the same > semantics for default hosts as HTTPS via 443 has. This vulnerability (as I understand) works as follows: 0. example.com and example.net are owned by two different entities, hosted on the same webserver (shared webhosting). 1. example.com happens to be the first site on the vhost with a valid certificate configured. 2. example.net is another customer on the server which has not yet configured HTTPS. Due to a configuration error, requests to a non-existing vhost now end up at the first (default) vhost, namely example.com. 3. Now example.com can obtain a certificate for example.net (which might not be authorized for that). This is "mitigated" by switching to HTTP because webhosting providers presumably make websites available over http while https is an additional feature. Shared webhosters who serve sites over just https *and* happen to have a misconfigured server such that plain http vhosts are handled incorrectly are probably not common. This vulnerability is purely a configuration issue. For example, nginx can be configured with a catch-all SSL vhost: server { listen *:443 ssl default_server; ssl_certificate dummy.crt; ssl_certificate dummy.key; return "No vhost configured"; } Apache HTTPd can also be configured to address the problem: https://httpd.apache.org/docs/2.4/vhosts/examples.html#default Peter (Eckersley), you reported this concern with the premise that it is a common configuration mistake that impacts many hosting providers. Do you have scans backing up that concern? Websites that are managed by a single entity (i.e. not shared hosting providers) with this configuration "mistake' are not a problem. The restriction in the specification has an unfortunate consequence: sites which are only accessible over port 443/HTTPS (because other ports are blocked / not forwarded in a NAT network) can no longer be validated. -- Kind regards, Peter Wu https://lekensteyn.nl
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- [Acme] ACME vulnerabilities in SimpleHTTP due to … Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Jakub Warmuz