IETF Logo Mail Archive

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Richard Barnes <rlb@ipv.sx> Fri, 13 November 2015 00:55 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD811B3B6B for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 16:55:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDmB9UDfIusq for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 16:55:27 -0800 (PST)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 474AD1B3B6A for <acme@ietf.org>; Thu, 12 Nov 2015 16:55:27 -0800 (PST)
Received: by ykdv3 with SMTP id v3so123122016ykd.0 for <acme@ietf.org>; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv_sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YE6Ag9LcOPpL5A30GJDBqaa1VbRGkS1MyaA8n7u3KMg=; b=J5yTnhDlUVdcoXyUCMI/AMHZCg5h0vL/fBsunkOznTUuqQVoZ4dIz+mEF4EtTgbM55 wivlNbuTvM3YbLSFtQb/BpxaUG7tYpdEDOINMRNQXZYadv4W6bwNXMeC9v4pNSyFuuMK aa2cu19IjO9M5P2KpTI6gv00zz/xmqzR8iib9eaxP4BbJwqpy1GN1+ghoNP+Z0/C38/9 BZEj5oHlis4iefUfmeV9+2j7QUtweTN1INqqpD5Rt5MxM/IuwDGLF9Vg4WPp4ZJO61vl 36bcamzrtw72REURzuyNj8lke3u9+MP1AYTymlWhKIi45aDmiTSqab4CN69z8L2Z35Sy ZH4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=YE6Ag9LcOPpL5A30GJDBqaa1VbRGkS1MyaA8n7u3KMg=; b=JbgTyoRGVSt/zPiIQRJJsqyi6OL0VunJOUr+Q/9oQxhH+30QOdqyntiuM/KGdmBy2O IvT72egfuPnoRdGGnskJyAcCs533Om7O8Cod8w8zqqzuCgvwb9WIV1SPwtHXWDFTnzxg oKDDn7xY2U4H8WfunNCec0KifGFjC25wInjR4kMlBoSiPPVUikSOSPTnCY6PVnOXShgz ykGn7LlOTdD+uqW4SW7QqI7ed9eSqcEBzksVcvjdwfGVjP4gLE7cNEC72SI/iHB/nkmh o3HNR25XAZhDa182/Xz26ESlJVsLPz2Ea7yT4TIyVRG5w04cSVZ8/k8RWHDF/WVpeso9 rmJg==
X-Gm-Message-State: ALoCoQn5eMLJGna9B4dv4J6pWzYGdSCVPB4aF4duvhybRhTl1rvf5IQVMymSNJWUxT0V7mFfIuRG
MIME-Version: 1.0
X-Received: by 10.13.194.193 with SMTP id e184mr11763136ywd.203.1447376126549; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
Received: by 10.31.58.14 with HTTP; Thu, 12 Nov 2015 16:55:26 -0800 (PST)
In-Reply-To: <20151113004436.GB18430@eff.org>
References: <20151113004436.GB18430@eff.org>
Date: Thu, 12 Nov 2015 19:55:26 -0500
Message-ID: <CAL02cgS=7T61D7MedjKT-ePftAj==F8kdbMd=b0ODeNV5z=gUg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Peter Eckersley <pde@eff.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/E8O7OtlvWtnVln2E7NPP2dSY0jQ>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 00:55:28 -0000

Sorry if I pulled the trigger on that one a bit early.  Happy to
revise, as always.

I think there was pretty feeling in the room at the IETF meeting that
Content-Type checking was not doing much.  Are we aware of any actual
scenarios where untrusted entities can write to .well-known
directories?  Because my base inclination is to encourage web admins
to protect against file dropping attacks by, well, not allowing users
to drop files in arbitrary locations.

--Richard

On Thu, Nov 12, 2015 at 7:44 PM, Peter Eckersley <pde@eff.org> wrote:
> https://github.com/ietf-wg-acme/acme/pull/40 was just merged, but we
> didn't actually get consensus that dropping Content-Type restrictions
> altogether was a good idea.
>
> The options are:
>
>  0.keep the old spec (Content-Type application/jose+json, no file
>    extensions allowed)
>
>  1 keep the application/jose+json Content-Type requirement, add or allow
>    a .jose file extension in the challenge
>
>  2 switch to text/plain but add or allow a .txt file extension
>
>  3 drop all Content-Type requirements (PR #40)
>
>  4 leave the matter totally up to the CA (it can tell the client if
>    there's a Content-Type requirement, and if so what it is)
>
> I believe the purpose of the Content-Type requirement was to mitigate
> against file-dropping attacks in web applications.  Everyone agrees that
> option 0 is a bad spot on the security/usability tradeoff.  But is 3 the
> best answer?  Can we keep some anti-file-dropping protection without
> making manual authentication a pain?  Or are the two inherently the same
> thing?
>
>
> --
> Peter Eckersley                            pde@eff.org
> Chief Computer Scientist          Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email