Re: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
Peter Eckersley <pde@eff.org> Thu, 24 September 2015 04:52 UTC
Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169431B3048 for <acme@ietfa.amsl.com>; Wed, 23 Sep 2015 21:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hkhee3nCUhCL for <acme@ietfa.amsl.com>; Wed, 23 Sep 2015 21:52:34 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44F751B3043 for <acme@ietf.org>; Wed, 23 Sep 2015 21:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=4V2yJiUvEyPl4NEwo9aLCHgpa5eDO24KrtPH6bGFyDU=; b=y/kS4x2EDZnVfX9dkN5zSsCUKnWQqqMrqmwH9NkxLKPf+YZ4MhuS0TcqZyMaybSQGbuhfY4Uz+4p/lyh2mGA5d0L2I8khbUYh6BFCnJQnYkWv7f/H6AIijKD6l9EHpdvEJSSolXDlCjALewlN0ABpvxC/oTid7NPWTAvJqn2lso=;
Received: ; Wed, 23 Sep 2015 21:52:34 -0700
Date: Wed, 23 Sep 2015 21:52:34 -0700
From: Peter Eckersley <pde@eff.org>
To: Andrew Ayer <agwa@andrewayer.name>
Message-ID: <20150924045234.GL28925@eff.org>
References: <20150922215258.GJ17243@eff.org> <CAL02cgTaaaEtX1mcLrP6fxqMp_Q+9y+f+E0DYFedzMaJ5nXDRw@mail.gmail.com> <20150923211646.38db2ba94b986acac6caa431@andrewayer.name>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150923211646.38db2ba94b986acac6caa431@andrewayer.name>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/WmS6sn_eyBYBu8bYELnWGzBWKBA>
Cc: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2015 04:52:36 -0000
On Wed, Sep 23, 2015 at 09:16:46PM -0700, Andrew Ayer wrote: > > I am OK with dropping the TLS option for "simpleHttp" validations. > > (We can always make SimpleHTTPS later.) > > One annoying implication with dropping the TLS option is that it makes > it difficult to complete the SimpleHTTP challenge when your HTTP site > redirects to HTTPS, as best practice dictates. You'd have to > special-case an exception to allow the challenge response to be served > over HTTP (this is annoying to do in Apache). > > This isn't a problem if the ACME server follows redirects when > validating the challenge. The draft doesn't currently require or > forbid following redirects, so implementations will probably end up > doing whatever their HTTP client library does by default. Boulder does indeed follow redirects, so that's our current plan. I don't think it would be a problem to require following them, or at least N layers of them. > Could we require the ACME server to follow redirects as long as the > only change in the URI is the scheme? This should be safe since, > presumably, the web server would only be configured to serve such a > redirect if an HTTPS virtual host for that hostname was configured. -- Peter Eckersley pde@eff.org Chief Computer Scientist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993
- [Acme] ACME vulnerabilities in SimpleHTTP and DVS… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Richard Barnes
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Andrew Ayer
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Michael Richardson
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Michael Richardson