[Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics

Peter Eckersley <pde@eff.org> Tue, 22 September 2015 21:53 UTC

Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF511A8AE9 for <acme@ietfa.amsl.com>; Tue, 22 Sep 2015 14:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.312
X-Spam-Level:
X-Spam-Status: No, score=-4.312 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mD7Wvlw7RR8j for <acme@ietfa.amsl.com>; Tue, 22 Sep 2015 14:52:58 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2CF61A8AEF for <acme@ietf.org>; Tue, 22 Sep 2015 14:52:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=HwBn2r7ahzTGuftw48OnP3BXvrCuC9fETagTEkUSA10=; b=EILJYm3+UADdb4d0TMQlBYLttvDIexnRSWN9hffVgBxxR1Vl2okQCHTkOQxddpNhsOVeqX3KOmKNA8xOoAwqlZKfzfX+FFkrn1GniJNeonftXQVoY5H9L7XiW7zg6UE4nw0k84hD7eyyuj7QK5pHo/zOxFOiO4KrqGJeyze8Oy8=;
Received: ; Tue, 22 Sep 2015 14:52:58 -0700
Date: Tue, 22 Sep 2015 14:52:58 -0700
From: Peter Eckersley <pde@eff.org>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20150922215258.GJ17243@eff.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/B9vhPSMm9tcNoPrTE_LNhnt0d8U>
Subject: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 21:53:00 -0000

Apache (and I gather nginx too) have the subtle and non-intuitive
behaviour that if a default TLS/HTTPS virtual host is not configured
explicitly, one will be selected based on the ordering of vhosts in the
webserver configuration (in practice, this often amounts to alphabetical
ordering of files in a configuration directory).

https://serverfault.com/questions/458106/apache2-default-vhost-in-alphabetical-order-or-override-with-default-vhost
https://serverfault.com/a/180956

This creates a vulnerability for SimpleHTTP and DVSNI in any
multiple-tenant virtual hosting environment that failed to explicitly
select a default vhost [1].  The vulnerability allows one tenant
(typically one with the alphabetically lowest domain name -- a situation
that may be easy for an attacker to arrange) to obtain certificates for
other tenants.  The exact conditions for the vulerability vary:

 - SimpleHTTP is vulnerable if no default vhost is set explicitly, the
   server accepts the "tls": true parameter as currently specified, and
   the domains served over TLS/HTTPS are a strict subset of those served over
   HTTP.

 - DVSNI is vulnerable if no default vhost is set explicitly, and the
   hosting environment provides a way for tenants to upload arbitrary
   certificates to be served on their vhost.

James Kasten and Alex Halderman have done great work proposing a fix for
DVSNI:

https://github.com/letsencrypt/acme-spec/compare/sig-reuse...pde:dvsni-default-vhost-fix

That fix also has some significant performance benefits on systems with
many virtual hosts, and the resulting challenge type should perhaps be
called DVSNI2.

The simplest fix for SimpleHTTP is to remove the "tls" option from
the client's SimpleHTTP response, and require that the challenge be
completed on port 80.  

https://github.com/pde/acme-spec/commit/2bf0488b9d6386b0d8ee34edfe8ba5829de0d9fa

Alternatively, the protocol could allow the server to specify which
ports it will perform SimpleHTTP and SimpleHTTPS requests on; HTTPS on
port 443 SHOULD be avoided unless the CA can confirm that the server has
an explicitly configured default vhost.

The above diffs are currently against Let's Encrypt's version of the
ACME spec, we'll be happy to rebase them against the IETF version upon
request.

[1] though I haven't confirmed it, it's possible that sites that
attempted to set a default vhost are vulernable if they followed advice
like this when doing so: https://serverfault.com/a/458181 ; an attacker
need only sign up with a lexicographically lower name on that hosting
platform to obtain control of the default.

-- 
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993