IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Jonathan Rudenberg <jonathan@titanous.com> Fri, 12 January 2018 14:26 UTC

Return-Path: <jonathan@titanous.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0216912E891 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 06:26:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=titanous.com header.b=4EsnEuWx; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=AlC8i2jN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JH4P27dI9M8f for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 06:26:03 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9645812E88F for <acme@ietf.org>; Fri, 12 Jan 2018 06:26:03 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id D30E820D98; Fri, 12 Jan 2018 09:26:02 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Fri, 12 Jan 2018 09:26:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=titanous.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=joBLAcOElexBpziS+SImlHZit1IAV WZBYZ24oO16sbE=; b=4EsnEuWx39lyRWJiNFB16acG5RoHctORirJu/X/49d6M3 Vr81qhBRznscKd0PZN+p0ftKeG5bLYzZTuNirl1iLUcjN8/v7X4ESI4Ch56QwerP yiqQ8CuZI604ZaRIYkoJ9l+llcntnMVj8hpdDBKSvadf+4mKdIs1cBzdcJPS+6On YrWLUAbhwDA7e3YfemWZKIIgaRb5wIfOxDlUJd+mbCdOtVzxDCqJ0oIf9EDGdmi0 aA1jL2ygl+qpYWgdGct0wKIjbZVINEnU5nVzxNjwkCiAsKayOGuwc8sawtz5Cp0o nvFT0XdQbSCtVaiWODO2Mv/DzpZKa2Q0R0Q8HMAHw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=joBLAc OElexBpziS+SImlHZit1IAVWZBYZ24oO16sbE=; b=AlC8i2jNqzRg2WRy+mNm0x twyrcAfkpd+cUNnh8/ZKnPEFXn/yAwvN+sGR0zYGeDy0VKr4hvzNJix4dLdvdVes TaqGGO66DCz7WJQcwBL7j5jaF1VvECtURl/cHa9ZUXsQsNb7wMYnjH/P8b4P/fSj RGlrCzRmVcQN1ZnWKqo0dn218jSC5jbVOpyWrdCqYAoAs8ZJXkD0p8Mep1WkdmXV 34xrT8AkgzMAfr6pBw5qs6IGq9QSljH0z7nBPSkzM+7UB0E2F3kHizWUs+1B3vbZ 15fHWLWrSMluEXqp6F6Kgzp1k7XfR/F2oqw7UZ4+5BZ709qBFHTZ+TrVWVXDh9DA ==
X-ME-Sender: <xms:esVYWngkPglqbbvEwZcGTTDdIq_BCUxYSIdGOjtePK0A492jd65upQ>
Received: from [10.10.10.104] (pool-108-16-208-234.phlapa.fios.verizon.net [108.16.208.234]) by mail.messagingengine.com (Postfix) with ESMTPA id 8926724600; Fri, 12 Jan 2018 09:26:02 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Jonathan Rudenberg <jonathan@titanous.com>
In-Reply-To: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
Date: Fri, 12 Jan 2018 09:26:01 -0500
Cc: acme@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <368464C2-B843-4F52-9FA8-8052A43589F3@titanous.com>
References: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
To: "Matthew D. Hardeman" <mhardeman@ipifony.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Nt7s5sbW-dDoPR_b_cT6TDBDAlA>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 14:26:06 -0000

> On Jan 11, 2018, at 22:46, Matthew D. Hardeman <mhardeman@ipifony.com> wrote:
> 
> Hi, guys,
> 
> I’m entirely new to this list and not sure whether or not I’m welcome, but I have some comments on the ALPN idea.
> 
> In order to actually be an improvement in security, the ALPN needs to be more than a mere marker of support.

I don’t believe this is true. I’ve already established that there are no common TLS servers that blindly repeat back ALPN protocols, and this is expected because RFC 7301 does not allow it: https://tools.ietf.org/html/rfc7301#section-3.2

> Consider:  The new mechanism is implemented and Let’s Encrypt deploys.
> 
> Customer’s of not-secure-shared-webhost-A complain that they can’t get validations via this easy mechanism.  (The complaint would actually likely originate internally by their own development staff.)
> 
> Rather than do the work to ALSO fix the insecure aspects of the infrastructure, they’ll hastily patch in the “acme" name.

This would be a vulnerability in the hosting provider, not in ACME or any ACME CA, in the same way that we wouldn’t blame the CA if a DNS provider allowed anyone to write _acme-challenge TXT records.

The reason why TLS-SNI-01/02 are in the process of being removed is a bit different, the widespread vulnerability in the shared hosting providers existed _before_ ACME, and so it makes sense to work around it to avoid unnecessarily putting users at risk. This is not the case for the proposed new method.

> To add security, perhaps the SNI that is sent should be the actual domain label that is being validated, along with the “acme” ALPN name.

This is where we are headed, I’ll be posting a new TLS-ALPN proposal today based on the feedback from Roland.

> At this point, an actual ALPN extension should negotiate the authentication, with the server having the opportunity to bind the proper target name to a desired authentication and then if and only if the server has available the account key credentials of the requestor, would it be able to answer with a proper authentication.

It’s important that the account key is not required to be online for authorization, as it allows separation of privilege, the account key can be kept safely away from publicly exposed frontend servers. A random token is sufficient, I’m not aware of any reason why requiring the account key to be online would improve security.

Jonathan

v2.23.0 | Report a Bug | By Email