Re: [Acme] ACME breaking change: Most GETs become POSTs
Adam Roach <adam@nostrum.com> Mon, 10 September 2018 15:54 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8588C128CF2 for <acme@ietfa.amsl.com>; Mon, 10 Sep 2018 08:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.87
X-Spam-Level:
X-Spam-Status: No, score=-1.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_FILL_THIS_FORM_SHORT=0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-JkA0QZpDOo for <acme@ietfa.amsl.com>; Mon, 10 Sep 2018 08:54:04 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FBD128B14 for <acme@ietf.org>; Mon, 10 Sep 2018 08:54:03 -0700 (PDT)
Received: from Svantevit.roach.at (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w8AFrwoN085177 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 10 Sep 2018 10:53:59 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.roach.at
To: Erica Portnoy <erica@eff.org>, acme@ietf.org
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com> <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com> <A53CF702-D5DA-4A68-B677-4707A1C2E990@akamai.com> <CABcZeBP95mUro1MO=omM7PYHC9i7v9PoohuxfNK9tPSHmwwUgQ@mail.gmail.com> <294b4728-e1e8-07f6-db6e-245a7fac6220@eff.org>
From: Adam Roach <adam@nostrum.com>
Message-ID: <1a4c7ac9-d326-8875-b799-13dad8567605@nostrum.com>
Date: Mon, 10 Sep 2018 10:53:53 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <294b4728-e1e8-07f6-db6e-245a7fac6220@eff.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Vqs8drdKR-8AJ7jp3t0WN1NeVh0>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2018 15:54:06 -0000
[as an individual] On 9/7/18 6:48 PM, Erica Portnoy wrote: > If someone's in a position to watch traffic going *from* a server > trying to authenticate, they can certainly watch traffic going *to* > that server, and note the various domain names being hosted on that > server (since no encrypted sni :( ). And they could almost certainly > get that same information from a reverse DNS, as well. There's a lot of "probably" here (which I would cast as "maybe"). The prevalence of shared hosting providers makes SNI correlation significantly less problematic than information gained by trolling ACME servers under the current design. It's also worth noting that the TLS working group is working on approaches to encrypt SNI. I think you're also overestimating the utility of reverse DNS on the Internet today. Just grabbing the first thing I find in a tcpdump on my network: $ dig +short api.ambientweather.com 67.195.197.76 $ dig +short -x 67.195.197.76 p11ats-i.geo.vip.bf1.yahoo.com. > You can't use precisely that method for phone numbers and contact > email addresses, to be sure. And that's where the most serious damage comes into play. /a
- [Acme] ACME breaking change: Most GETs become POS… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Tim Hollebeek
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Felix Fontein
- Re: [Acme] ACME breaking change: Most GETs become… Yaron Sheffer
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty