IETF Logo Mail Archive

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Richard Barnes <rlb@ipv.sx> Fri, 13 November 2015 01:01 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED201A8BB4 for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 17:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_36=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ZHiuXlSrumg for <acme@ietfa.amsl.com>; Thu, 12 Nov 2015 17:01:39 -0800 (PST)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC60E1B3BA8 for <acme@ietf.org>; Thu, 12 Nov 2015 17:01:38 -0800 (PST)
Received: by ykdr82 with SMTP id r82so123030731ykd.3 for <acme@ietf.org>; Thu, 12 Nov 2015 17:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv_sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=n6/sWT2TBSkHlO2n7ndUl9Xsg/mvRJcY6QpdsynLj3E=; b=i2SraX/jcTgymq3S1KL0B4WozrmQx2xJAs4k0iRM2UklFfeZfoIEvC7rWG/XChb1c9 7oktdfhclduUqWzURdFUPOdyAByAF3RGNgyPcClHTNUkHK/hsuGws0ja7eGG1ergtGZo jR//e6qvOPHKv6HecBUX8KtV56B//NKxFwhzv4CiSMbMibk7yX05K/rt+ZiYxV8tQ54q x+4BPBNSnVkmba0GosLnOwxjBfGwEEGiCOwfBfZhE9nnEF3MgtLVozEhOPMM8uVjCMQe hd0DX/YdOtVrUYZV+XD+2txRZMA//ckHZPz3zg51po3LG9Z/eYiR+N+RkQTRq3Dgjra8 iI2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=n6/sWT2TBSkHlO2n7ndUl9Xsg/mvRJcY6QpdsynLj3E=; b=f9AFiZixtdqNYW8lIgFsn3BLPg7rby1EQ+vXPn5MU1vFYtlz+c0e9CoG0tPeee5+P/ aSEzT2YTL1t8Iw6rOSl+qmkV91VZpPrQkKznRHotY+SKkQSzfPPrc1B1DIWUnWN5awKU QvPQZMnhriAXqkIrIzIerzQcd835m/HnfqXwfaama83sR5jKHe2654rUWq4AGOgUgc0H CmmUUOq3bgMEs0RPFV0jmkeKX8e80dzpum0v1tQY3pl98aIL4iSj4+d4QpTGZ7LmTsLG qQCQ/nqqI+ZORRmzExe8syVlTg1z1mLGrJ3Xbpt1MhK8wFzWNaT69ttQHckGFCljOZBa kbUQ==
X-Gm-Message-State: ALoCoQlsGRrgZLYZQ4PLV5JM+E2OnilI2WkUFkhleODsMadj8a27pBuXN/ME2C4/+h/kOtGTGgsi
MIME-Version: 1.0
X-Received: by 10.13.227.193 with SMTP id m184mr1609217ywe.16.1447376498041; Thu, 12 Nov 2015 17:01:38 -0800 (PST)
Received: by 10.31.58.14 with HTTP; Thu, 12 Nov 2015 17:01:37 -0800 (PST)
In-Reply-To: <CABsBmKMv0fJ5Sf4p3UCWFpnhaBsWgrWtHC9SxEPAZVv2cYHArQ@mail.gmail.com>
References: <20151113004436.GB18430@eff.org> <CABsBmKMv0fJ5Sf4p3UCWFpnhaBsWgrWtHC9SxEPAZVv2cYHArQ@mail.gmail.com>
Date: Thu, 12 Nov 2015 20:01:37 -0500
Message-ID: <CAL02cgT-4qRAqJ5aYT-_59s6-83w55=7J=Z98VB78YuPsycM=w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Bryan Livingston <bryanlivingston@gmail.com>
Content-Type: multipart/related; boundary="94eb2c0773ba0647cf0524619aa0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/S8AyvB_UmJPHH9ZSsYtFxhvT1_I>
Cc: Peter Eckersley <pde@eff.org>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 01:01:41 -0000

Hey Bryan,

Thanks for bringing these issues up.  Just to be clear, you're not running
into a requirement to set a Content-Type, right?  Rather, it's that IIS
doesn't handle file names without extensions very gracefully.

Apologies for not knowing IIS, but is there a way to do some local config
to have IIS treat the extensionless files correctly? A .htaccess file, by
analogy to Apache.

This obviously isn't the right list for discussing detailed deployment
issues, but I'd like to figure out if it's possible to hack around these
problems before we bake them into the spec.

--Richard


On Thu, Nov 12, 2015 at 7:57 PM, Bryan Livingston <bryanlivingston@gmail.com
> wrote:

> I'd like to advocate for 2 or 3 with a .txt extension added as it will
> just work in all known default IIS configurations.
>
> On IIS if there's no mime type (and there's not a mime type for
> extensionless files by default) then no file can be served. So adding a
> web.config file is manditory for us.
>
> But that can still cause problems. Here's a screenshot of what happens of
> the user happened to already have an extensionless mime type set on their
> server.
>
> [image: Inline image 1]
>
> On top of that there's still the problem of the handler mappings, which is
> caused by ASP.net eating all the extensionless requests, even if there's a
> static file present. The fix for that is described here:
> http://stackoverflow.com/questions/11473632/extensionless-image-file-not-visible-in-iis7-5
>
> On Thu, Nov 12, 2015 at 5:44 PM, Peter Eckersley <pde@eff.org> wrote:
>
>> https://github.com/ietf-wg-acme/acme/pull/40 was just merged, but we
>> didn't actually get consensus that dropping Content-Type restrictions
>> altogether was a good idea.
>>
>> The options are:
>>
>>  0.keep the old spec (Content-Type application/jose+json, no file
>>    extensions allowed)
>>
>>  1 keep the application/jose+json Content-Type requirement, add or allow
>>    a .jose file extension in the challenge
>>
>>  2 switch to text/plain but add or allow a .txt file extension
>>
>>  3 drop all Content-Type requirements (PR #40)
>>
>>  4 leave the matter totally up to the CA (it can tell the client if
>>    there's a Content-Type requirement, and if so what it is)
>>
>> I believe the purpose of the Content-Type requirement was to mitigate
>> against file-dropping attacks in web applications.  Everyone agrees that
>> option 0 is a bad spot on the security/usability tradeoff.  But is 3 the
>> best answer?  Can we keep some anti-file-dropping protection without
>> making manual authentication a pain?  Or are the two inherently the same
>> thing?
>>
>>
>> --
>> Peter Eckersley                            pde@eff.org
>> Chief Computer Scientist          Tel  +1 415 436 9333 x131
>> Electronic Frontier Foundation    Fax  +1 415 436 9993
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>

v2.23.0 | Report a Bug | By Email