Re: [Acme] Issue: Allow ports other than 443
Eliot Lear <lear@cisco.com> Thu, 26 November 2015 08:36 UTC
To: Phillip Hallam-Baker <phill@hallambaker.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <5656C49E.6070701@cisco.com>
Date: Thu, 26 Nov 2015 09:36:46 +0100
In-Reply-To: <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/f2JHip0uS36LCt_-iGkzk9XsM_A>
Cc: Russ Housley <housley@vigilsec.com>, Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>, IETF ACME <acme@ietf.org>
Yes. The real issue here is that the cert contains the hostname and not the port. And so running the test on other than 443 would provide for what amounts to a privilege escalation attack.

On 11/26/15 4:18 AM, Phillip Hallam-Baker wrote:
> I am getting really nervous about allowing any port other than 443.
>
> I just did a scan of a very recent clean install of Windows and there
> are a *TON* of Web servers running for apps that didn't mention they
> had one.
>
> The thing is that if I am running a process on any sort of shared
> host, I can pretty easily spawn a server and start applying for certs
> for other domains. Not only can I get .well-known, I can have any host
> name I like.
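The CA-side port policy the thread argues for, as an added illustration (not code from the ACME drafts, any CA, or anyone in this thread): because the certificate binds a hostname and not a port, the validator only connects to a port that an unprivileged local user cannot bind. The `.well-known/acme-challenge/` path, the `ChallengeRequest` shape and the `allowed_ports` parameter are assumptions for the example.

```python
"""Port policy for an HTTP-style ACME validation (added example, not ACME's own code)."""
from dataclasses import dataclass

PRIVILEGED_PORT_MAX = 1023        # Unix: binding at or below this needs root / CAP_NET_BIND_SERVICE
DEFAULT_ALLOWED_PORTS = frozenset({443})   # the thread's position: validate on 443 only


@dataclass(frozen=True)
class ChallengeRequest:
    identifier: str   # DNS name the client wants certified (assumed request shape)
    port: int         # port the client asks the CA to connect to for validation


class PolicyViolation(ValueError):
    """Raised when a request would let the validator reach a port it must not trust."""


def is_privileged_port(port: int) -> bool:
    """True if only a privileged process on the host could have bound this port."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def validation_url(req: ChallengeRequest, token: str, allowed_ports=DEFAULT_ALLOWED_PORTS) -> str:
    """Build the URL the validator will fetch, or refuse the request.

    allowed_ports=None models the weak policy ("any port the client names"):
    a non-privileged user on a shared host can bind e.g. 8443, answer the
    challenge, and obtain a certificate valid for the whole hostname.
    """
    ident = req.identifier.strip().lower()
    if not ident or ":" in ident or "/" in ident:
        raise PolicyViolation("identifier must be a bare hostname, with no port or path")
    if not 0 < req.port <= 65535:
        raise PolicyViolation(f"port {req.port} is not a valid TCP port")
    if allowed_ports is not None and req.port not in allowed_ports:
        who = "a privileged process" if is_privileged_port(req.port) else "any local user"
        raise PolicyViolation(
            f"validation on port {req.port} refused: {who} could bind it, "
            f"but the certificate would cover all of {ident}")
    # Hypothetical challenge path, kept close to the .well-known scheme the thread mentions.
    return f"https://{ident}:{req.port}/.well-known/acme-challenge/{token}"


if __name__ == "__main__":
    print(validation_url(ChallengeRequest("example.com", 443), "tok"))
    try:
        validation_url(ChallengeRequest("example.com", 8443), "tok")
    except PolicyViolation as e:
        print("rejected:", e)
```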