IETF Logo Mail Archive

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

Bryan Livingston <bryanlivingston@gmail.com> Fri, 13 November 2015 14:09 UTC

Return-Path: <bryanlivingston@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 122A51A886D for <acme@ietfa.amsl.com>; Fri, 13 Nov 2015 06:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kPhObMLyjoK4 for <acme@ietfa.amsl.com>; Fri, 13 Nov 2015 06:09:07 -0800 (PST)
Received: from mail-lb0-x244.google.com (mail-lb0-x244.google.com [IPv6:2a00:1450:4010:c04::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C8DF1A88C9 for <acme@ietf.org>; Fri, 13 Nov 2015 06:09:06 -0800 (PST)
Received: by lblw10 with SMTP id w10so5370869lbl.2 for <acme@ietf.org>; Fri, 13 Nov 2015 06:09:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=L2OJNuFIZosL0WySXve2rTB/8A0Wkxk/+siTmMqdfl0=; b=Vh3bIy1YipcXyEpJMOavs+ruTbPd4OvSgzxPZz2OlWv82ObsJ1F7ucXMvPSBxK8naw jQIGNa5WBHorYASsMYA/dJSOb+KOOvXEYTA0hYDNrpiGmLUc/5nAS05zGx0lPU1OZMN6 YAcjI4Pw+zOz2A0CHzvSxh3L2gq8qrYX1gPNDXPxlhCWImAm1xEYY3MZirblfjcNrB6Q g8vbCeCGmLd77o3PCHoWsQKHl0pd9ZyfHI70P6kBK1Iim2Yq6IuSQWS5h6uB9uN1Ps0A +TWMcUKXIHXjXVEOjEaCK86dvAwgHI8c0jlsfdlCadw5iMwhVGz8oaVVZBefeRL64ABf prUw==
MIME-Version: 1.0
X-Received: by 10.112.172.138 with SMTP id bc10mr10224478lbc.74.1447423744126; Fri, 13 Nov 2015 06:09:04 -0800 (PST)
Received: by 10.25.37.19 with HTTP; Fri, 13 Nov 2015 06:09:04 -0800 (PST)
In-Reply-To: <CAL02cgS5Fz7Z9i7xheMU+ANF0ow4a=Uw-SDdtYYrvMt3hsjSVA@mail.gmail.com>
References: <20151113004436.GB18430@eff.org> <CABkgnnU5EzaPA4o7OgnTBpSQCZxjD+QsSV=4_L2rOBeFAoauKA@mail.gmail.com> <20151113011259.GC18430@eff.org> <CANUQDCg6xK3esWSWbM3j8p+ywDBrVa+_4bofHtymsYf0SPeFbw@mail.gmail.com> <CAL02cgS5Fz7Z9i7xheMU+ANF0ow4a=Uw-SDdtYYrvMt3hsjSVA@mail.gmail.com>
Date: Fri, 13 Nov 2015 07:09:04 -0700
Message-ID: <CABsBmKO1UGQ_vmdiOoPJzZO6eF2S1dZt-02sWG5aEvmqB29KeQ@mail.gmail.com>
From: Bryan Livingston <bryanlivingston@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="001a11c267141bb80905246c9af2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Z-pG9gKoMazfOh1TY_XqkB8UE1k>
Cc: Martin Thomson <martin.thomson@gmail.com>, Peter Eckersley <pde@eff.org>, Niklas Keller <me@kelunik.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Content-Type and file extensions for HTTP01 challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 14:09:11 -0000

I was hoping that the server could just add a .txt to the end of the answer
string location that it ask the client to make available on the web server.
My client would just work with no changes in that case, and the python
client might as well.

On Fri, Nov 13, 2015 at 6:56 AM, Richard Barnes <rlb@ipv.sx> wrote:

> Like I said before, the question here is not dropped file protection.
> That's something that admins need to prevent explicitly.  (If you're
> allowing untrusted clients to write to .well-known, they can already
> hijack your domain in several ways [1].)  The question here is whether
> we need to allow file extensions to avoid issues in deployment with
> some servers.
>
> I would still like to avoid adding a file extension, but supposing we
> did, what would it look like?  We can't just have the client
> unilaterally add an extension without telling the server, since the
> server needs to know what URI to query to get the validation response.
> ISTM that the right answer here would be to generalize and have the
> client specify the file name within .well-known/acme-challenge/ and
> send it to the server in its response.
>
> I'm not crazy about that solution, but I could probably live with it
> if we decide that it's too hard for admins to hack around having a
> standard name.  The only additional threat scenario that occurs to me
> is if there's some name within .well-known/acme-challenge/ that an
> untrusted client could co-opt into serving his challenge response
> (e.g., a simlink to untrusted).
>
> --Richard
>
> [1]
> http://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml#well-known-uris-1
>
> On Fri, Nov 13, 2015 at 2:28 AM, Niklas Keller <me@kelunik.com> wrote:
> > Once we add an extension, there will be default mime types in server
> > implementations for it for any webroot file. Where's the gain then? A
> > dropped file will just use the configured type. If you want to keep the
> > protection, we'll have to check the content type but don't allow an
> > extension, which would be bad for some servers to configure as others
> > pointed out, mainly IIS.
> >
> > Regards, Niklas
> >
> > 2015-11-13 2:12 GMT+01:00 Peter Eckersley <pde@eff.org>:
> >>
> >> I should have added another option, 3b, drop the Content-Type
> >> restriction but allow file extensions.
> >>
> >> Sounds like that would be a win on IIS.
> >>
> >> On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote:
> >> > On 12 November 2015 at 16:44, Peter Eckersley <pde@eff.org> wrote:
> >> > > But is 3 the best answer?
> >> >
> >> > Of those presented, I think so.  I know that this isn't a great answer
> >> > (it's bad already, so bad must be OK), but being able to drop things
> >> > into .well-known opens a raft of other interesting attacks.
> >> >
> >> > More seriously, I think that the other options all have deployment
> >> > complications that far outweigh the marginal benefit that extra
> >> > checking might provide.
> >> >
> >> > _______________________________________________
> >> > Acme mailing list
> >> > Acme@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/acme
> >> >
> >>
> >> --
> >> Peter Eckersley                            pde@eff.org
> >> Chief Computer Scientist          Tel  +1 415 436 9333 x131
> >> Electronic Frontier Foundation    Fax  +1 415 436 9993
> >>
> >> _______________________________________________
> >> Acme mailing list
> >> Acme@ietf.org
> >> https://www.ietf.org/mailman/listinfo/acme
> >
> >
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> >
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email