Re: [Acme] Issue: Allow ports other than 443

Eliot Lear <lear@cisco.com> Thu, 26 November 2015 08:36 UTC

To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com> <20151124033325.GH18430@eff.org> <56545B4C.3020406@cisco.com> <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <5656C49E.6070701@cisco.com>
Date: Thu, 26 Nov 2015 09:36:46 +0100
In-Reply-To: <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/f2JHip0uS36LCt_-iGkzk9XsM_A>
Cc: Russ Housley <housley@vigilsec.com>, Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>, IETF ACME <acme@ietf.org>

Yes.  The real issue here is that the cert contains the hostname and not
the port.  And so running the test on other than 443 would provide
for what amounts to a privilege escalation attack.

On 11/26/15 4:18 AM, Phillip Hallam-Baker wrote:
> I am getting really nervous about allowing any port other than 443.
>
> I just did a scan of a very recent clean install of Windows and there
> are a *TON* of Web servers running for apps that didn't mention they
> had one.
>
> The thing is that if I am running a process on any sort of shared
> host, I can pretty easily spawn a server and start applying for certs
> for other domains. Not only can I get .well-known, I can have any host
> name I like.
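The argument in this exchange, modelled as code. This is an added example and not code from the thread or from any ACME implementation; the shared host `shared.example`, its listener table and the tenant uids are constructed. It shows two things: on a shared host, which local users could answer a challenge for the host's name if the CA fetched the response from a given port (a certificate binds the name only, never the port), and the CA-side rule that defuses this by never letting the client choose the port. The published ACME spec (RFC 8555) later fixed HTTP-01 to port 80, and TLS-ALPN-01 (RFC 8737) uses 443, which is the policy `ca_accepts_validation` encodes.

```python
from urllib.parse import urlsplit

# Constructed listener table for the hypothetical shared host "shared.example":
# port -> uid of the process bound to it. uid 0 is root; the others are tenants.
SHARED_HOST_LISTENERS = {
    443: 0,       # the real web server, root-owned
    80: 0,
    8080: 1002,   # an unprivileged tenant's app server
    8443: 1003,   # another tenant's app
    3000: 1002,
}
TENANT_UIDS = {1002, 1003}      # constructed set of unprivileged accounts on the host

PRIVILEGED_PORT_MAX = 1023      # classic Unix rule: binding a port <= 1023 needs privilege

# Fixed validation port per challenge type (RFC 8555 for http-01, RFC 8737 for tls-alpn-01).
# The CA applies this table; the client never supplies the port.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}
DEFAULT_SCHEME_PORT = {"http": 80, "https": 443}


def who_can_answer(listeners, port, tenant_uids):
    """Return the set of uids that could serve a challenge response for the host's
    name if the CA fetched it from `port`."""
    answerers = {0}                          # root can always bind, or replace, any listener
    if port in listeners:
        answerers.add(listeners[port])       # whoever already owns the port answers it
    elif port > PRIVILEGED_PORT_MAX:
        answerers |= set(tenant_uids)        # free unprivileged port: any tenant can grab it first
    return answerers


def unprivileged_can_validate(listeners, port, tenant_uids):
    """True when a non-root account could complete validation for the whole hostname
    via `port`: the privilege escalation the thread describes."""
    return bool(who_can_answer(listeners, port, tenant_uids) - {0})


def ca_accepts_validation(challenge_type, challenge_url):
    """CA-side policy: only fetch the response from the fixed port for the challenge
    type. A client-chosen port in the URL is refused."""
    expected = CHALLENGE_PORT.get(challenge_type)
    if expected is None:
        return False
    parts = urlsplit(challenge_url)
    port = parts.port if parts.port is not None else DEFAULT_SCHEME_PORT.get(parts.scheme)
    return port == expected


if __name__ == "__main__":
    for port in (443, 8080, 9000):
        print(port, sorted(who_can_answer(SHARED_HOST_LISTENERS, port, TENANT_UIDS)),
              "escalation" if unprivileged_can_validate(SHARED_HOST_LISTENERS, port, TENANT_UIDS) else "ok")
    print(ca_accepts_validation("http-01", "http://shared.example:8080/.well-known/acme-challenge/tok"))
```

Run stand-alone, the listener table shows that only root can answer on 443, while 8080 hands validation for the entire hostname to uid 1002 and an unused high port to any tenant at all; the policy function refuses the 8080 URL regardless of what is listening there.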