Re: [Acme] Content-Type and file extensions for HTTP01 challenges
Richard Barnes <rlb@ipv.sx> Fri, 13 November 2015 00:55 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD811B3B6B for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 16:55:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDmB9UDfIusq for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 16:55:27 -0800 (PST)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 474AD1B3B6A for <acme@ietf.org>; Thu, 12 Nov 2015 16:55:27 -0800 (PST)
Received: by ykdv3 with SMTP id v3so123122016ykd.0 for <acme@ietf.org>; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv_sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YE6Ag9LcOPpL5A30GJDBqaa1VbRGkS1MyaA8n7u3KMg=; b=J5yTnhDlUVdcoXyUCMI/AMHZCg5h0vL/fBsunkOznTUuqQVoZ4dIz+mEF4EtTgbM55 wivlNbuTvM3YbLSFtQb/BpxaUG7tYpdEDOINMRNQXZYadv4W6bwNXMeC9v4pNSyFuuMK aa2cu19IjO9M5P2KpTI6gv00zz/xmqzR8iib9eaxP4BbJwqpy1GN1+ghoNP+Z0/C38/9 BZEj5oHlis4iefUfmeV9+2j7QUtweTN1INqqpD5Rt5MxM/IuwDGLF9Vg4WPp4ZJO61vl 36bcamzrtw72REURzuyNj8lke3u9+MP1AYTymlWhKIi45aDmiTSqab4CN69z8L2Z35Sy ZH4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=YE6Ag9LcOPpL5A30GJDBqaa1VbRGkS1MyaA8n7u3KMg=; b=JbgTyoRGVSt/zPiIQRJJsqyi6OL0VunJOUr+Q/9oQxhH+30QOdqyntiuM/KGdmBy2O IvT72egfuPnoRdGGnskJyAcCs533Om7O8Cod8w8zqqzuCgvwb9WIV1SPwtHXWDFTnzxg oKDDn7xY2U4H8WfunNCec0KifGFjC25wInjR4kMlBoSiPPVUikSOSPTnCY6PVnOXShgz ykGn7LlOTdD+uqW4SW7QqI7ed9eSqcEBzksVcvjdwfGVjP4gLE7cNEC72SI/iHB/nkmh o3HNR25XAZhDa182/Xz26ESlJVsLPz2Ea7yT4TIyVRG5w04cSVZ8/k8RWHDF/WVpeso9 rmJg==
X-Gm-Message-State: ALoCoQn5eMLJGna9B4dv4J6pWzYGdSCVPB4aF4duvhybRhTl1rvf5IQVMymSNJWUxT0V7mFfIuRG
MIME-Version: 1.0
X-Received: by 10.13.194.193 with SMTP id e184mr11763136ywd.203.1447376126549; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
Received: by 10.31.58.14 with HTTP; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
In-Reply-To: <20151113004436.GB18430@eff.org>
References: <20151113004436.GB18430@eff.org>
Date: Thu, 12 Nov 2015 19:55:26 -0500
Message-ID: <CAL02cgS=7T61D7MedjKT-ePftAj==F8kdbMd=b0ODeNV5z=gUg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Peter Eckersley <pde@eff.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/E8O7OtlvWtnVln2E7NPP2dSY0jQ>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 00:55:28 -0000
Sorry if I pulled the trigger on that one a bit early. Happy to revise, as always. I think there was pretty feeling in the room at the IETF meeting that Content-Type checking was not doing much. Are we aware of any actual scenarios where untrusted entities can write to .well-known directories? Because my base inclination is to encourage web admins to protect against file dropping attacks by, well, not allowing users to drop files in arbitrary locations. --Richard On Thu, Nov 12, 2015 at 7:44 PM, Peter Eckersley <pde@eff.org> wrote: > https://github.com/ietf-wg-acme/acme/pull/40 was just merged, but we > didn't actually get consensus that dropping Content-Type restrictions > altogether was a good idea. > > The options are: > > 0.keep the old spec (Content-Type application/jose+json, no file > extensions allowed) > > 1 keep the application/jose+json Content-Type requirement, add or allow > a .jose file extension in the challenge > > 2 switch to text/plain but add or allow a .txt file extension > > 3 drop all Content-Type requirements (PR #40) > > 4 leave the matter totally up to the CA (it can tell the client if > there's a Content-Type requirement, and if so what it is) > > I believe the purpose of the Content-Type requirement was to mitigate > against file-dropping attacks in web applications. Everyone agrees that > option 0 is a bad spot on the security/usability tradeoff. But is 3 the > best answer? Can we keep some anti-file-dropping protection without > making manual authentication a pain? Or are the two inherently the same > thing? > > > -- > Peter Eckersley pde@eff.org > Chief Computer Scientist Tel +1 415 436 9333 x131 > Electronic Frontier Foundation Fax +1 415 436 9993 > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
- [Acme] Content-Type and file extensions for HTTP0… Peter Eckersley
- Re: [Acme] Content-Type and file extensions for H… Richard Barnes
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Richard Barnes
- Re: [Acme] Content-Type and file extensions for H… Martin Thomson
- Re: [Acme] Content-Type and file extensions for H… Peter Eckersley
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Richard Barnes
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Russ Housley
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Salz, Rich
- Re: [Acme] Content-Type and file extensions for H… Warren Kumari
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Peter Eckersley
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Ted Hardie
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Martin Thomson
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Salz, Rich
- Re: [Acme] Content-Type and file extensions for H… Niklas Keller
- Re: [Acme] Content-Type and file extensions for H… Salz, Rich
- Re: [Acme] Content-Type and file extensions for H… Bryan Livingston