Re: [Acme] Issue: Allow ports other than 443

Niklas Keller <me@kelunik.com> Wed, 25 November 2015 19:18 UTC

To: Eliot Lear <lear@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/XZX72n876e5ROrfV6QvT2qqG_BM>
Cc: Peter Eckersley <pde@eff.org>, IETF ACME <acme@ietf.org>, Russ Housley <housley@vigilsec.com>, Yoav Nir <ynir.ietf@gmail.com>, Randy Bush <randy@psg.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Martin Thomson <martin.thomson@gmail.com>

It's an issue with shared hosting where users have shell access but no root
access.

2015-11-24 17:49 GMT+01:00 Eliot Lear <lear@cisco.com>:

> Yes, thanks, Yoav.  Apologies to Randy and Kathleen for my terseness.
>
> Eliot
>
>
> On 11/24/15 5:46 PM, Yoav Nir wrote:
> > I think Eliot meant RFC 5785 /.well-known/ locations, rather than well-known ports
> >
> > Yoav
> >
> >> On 24 Nov 2015, at 6:37 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> >>
> >> I agree with Eliot; I don't think a scan is needed to make a decision
> >> here.  Having managed several networks that would not have allowed you
> >> access from some random scanner, I don't think you'll get all the data
> >> you are looking for.  In a well managed network, the IDS/IPS should
> >> detect that it is a scan and block all future probes once you hit a
> >> small number of ports/IPs.  So you may get a small sample with
> >> everything else failing within an address block.  Granted, not all
> >> networks are managed well and you may get a good amount of data.
> >>
> >> If this connection was expected to a few servers, then a network
> >> manager might just allow those only on the assigned port.
> >>
> >> Without any hat on, I agree that a port + 443 as an alternate is a good plan.
> >>
> >> Kathleen
> >>
> >> On Tue, Nov 24, 2015 at 8:11 AM, Randy Bush <randy@psg.com> wrote:
> >>>> Isn't this precisely what .well-known was meant to address?
> >>> fun small research project.  what percentage of well-known ports can
> >>> you connect to from the outside to a machine inside cisco?  hell, to
> >>> what percentage of well-known ports outside cisco can you reach from
> >>> inside?
> >>>
> >>> well-known does not correlate well with open to access by IT security
> >>> departments.
> >>>
> >>> randy
> >>>
> >>> _______________________________________________
> >>> Acme mailing list
> >>> Acme@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/acme
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> >>
> >