Re: [Acme] Stronger protection against HTTPS MITM
Richard Barnes <rlb@ipv.sx> Mon, 26 January 2015 10:33 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2A81A88A9 for <acme@ietfa.amsl.com>; Mon, 26 Jan 2015 02:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0QfCuQYWQuI for <acme@ietfa.amsl.com>; Mon, 26 Jan 2015 02:33:13 -0800 (PST)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD93C1A8897 for <acme@ietf.org>; Mon, 26 Jan 2015 02:33:12 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id l4so6844347lbv.3 for <acme@ietf.org>; Mon, 26 Jan 2015 02:33:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/F2p6cjQwMRsHGOjzHJdBQq/E5RncuYs5jU6puxChjU=; b=hWjNFCvOuv/Bd4nep2z+oUH8pp39+ZysFK5TdZl5vn2k+JrhRoHfG6AxfSsM44wpvF 4I7w12luZxZPfPSBQmEI0ad4OhIs/WXjHCKIia9pLyFuBj+Nn5hKz96DltgaJ7eE2wls fCDEzJYZKG+wi6b4FwRrk2JRGn99cLFi2FsigY72NW1c5GZJuM6a12t5e2louhUjIron uD6YFxeEQScYutZAquNhPhcXVCt9saNuOtZq5R675PDoS6p0txmQUxxpKiuwH5vvvgGs fav4bayo8WftkFBfMl6pc901UfgcBXIUmFbDc599jtjp1VW8iMMgkgBikYL6CRLsqTDc /wyg==
X-Gm-Message-State: ALoCoQlbVsV4nhLEDZoPwtkDBYZrRMBAMhNpVEqQ3USoddC/0YEr/FWlfuC33nyCAvalLQRLWzWR
MIME-Version: 1.0
X-Received: by 10.152.170.194 with SMTP id ao2mr20779115lac.12.1422268391227; Mon, 26 Jan 2015 02:33:11 -0800 (PST)
Received: by 10.25.201.86 with HTTP; Mon, 26 Jan 2015 02:33:11 -0800 (PST)
In-Reply-To: <54C4B086.5080005@o2.pl>
References: <54C4B086.5080005@o2.pl>
Date: Mon, 26 Jan 2015 05:33:11 -0500
Message-ID: <CAL02cgTgRGK6Nk958zvWmDCw9ZnyvGRdx9q4hzVWd_fjNLx5Xg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mateusz Jończyk <mat.jonczyk@o2.pl>
Content-Type: multipart/alternative; boundary="089e011615f23c16e6050d8baa9c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/AXMKEH-vdK-sGj-RX-Z4i79WhkI>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Stronger protection against HTTPS MITM
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jan 2015 10:33:14 -0000
Hey Mateusz, Thanks a lot for suggesting this. This sounds like a great idea to me. Please feel free to file an issue on the Github spec -- or send a pull request! The only exception that occurs to me is the recoveryToken / recoveryContact challenge types. The recoveryToken challenge is done in-band to ACME, so it's already signed with the account key pair. For recoveryChallenge, I guess you could bind in the key pair, but given that it's intended to be more human-facing, that seems counterproductive. --Richard On Sun, Jan 25, 2015 at 3:59 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote: > Hello, > Suppose that Bob (admin of www.example.com) wants to get a signed > certificate > for that domain and Eve (from NSA) is trying to get that certificate too. > Eve > can also somehow do HTTPS MITM en route from Bob's computer to the ACME > server > (I will ignore here the possibility of HTTPS MITM en route from the ACME > server > to Bob's server). To make it more realistic [1], let's also suppose that > Bob has > received a signed certificate for www.example.com in the past so that the > validation process involves PoP of previous key / recovery token. > > In that case and with current ACME spec [2], Eve can AFAIK get a separate > signed > certificate without any knowledge of Bob (unless he has access to reliable > public cert issuance records and inspects them). To do this, she could pass > through all validation challenges while substituting her own (independently > generated) public key. The ACME server will then happily validate Eve for > www.example.com and sign her key. > > Then, after Eve got her certificate, she could send some error message to > Bob, > such as "The server is overloaded. Please try again in 5 minutes". To make > it > more realistic, she may send a defer message with a long timeout to Bob > before > that. Bob (or even an automatic script) will then ask for the signature > again > and get it unobstructed. > > To block such an attack, all challenge responses should depend somehow on > the > public and/or private keys of Bob. For example, in the "simpleHttps" > method, the > value provisioned in the file should be signed with Bob's private key. > Alternatively, some time delay between two certificate issuances for > www.example.com could be enforced (e.g. 24 hours). If Bob would have to > wait > that long, he would have begun to wonder what was going on. > > Also, the Recovery Token that is sent from the ACME server should be > encrypted > with Bob's private key so that Eve could not use it later to get a > separate cert. > > > Greetings, > Mateusz > > > [1] Because otherwise almost any Eve that could do MITM can also redirect > all > trafic from ACME server to www.example.com and get a cert that way. > > [2] I meant last version of > https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Stronger protection against HTTPS MITM Mateusz Jończyk
- Re: [Acme] Stronger protection against HTTPS MITM Richard Barnes
- Re: [Acme] Stronger protection against HTTPS MITM Mateusz Jończyk
- Re: [Acme] Stronger protection against HTTPS MITM Phillip Hallam-Baker
- Re: [Acme] Stronger protection against HTTPS MITM Anders Rundgren
- Re: [Acme] Stronger protection against HTTPS MITM Mateusz Jończyk