Re: [Acme] Predictability of http-01 challenge response
Niklas Keller <me@kelunik.com> Tue, 26 January 2016 10:58 UTC
Return-Path: <me@kelunik.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 758BF1ACEC7 for <acme@ietfa.amsl.com>; Tue, 26 Jan 2016 02:58:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.027
X-Spam-Level:
X-Spam-Status: No, score=-1.027 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vj7WQQ7j5eVE for <acme@ietfa.amsl.com>; Tue, 26 Jan 2016 02:58:53 -0800 (PST)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C23F1ACECD for <acme@ietf.org>; Tue, 26 Jan 2016 02:58:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1453805930; l=4687; s=domk; d=kelunik.com; h=Content-Type:Cc:To:From:Subject:Date:References:In-Reply-To: MIME-Version; bh=PWXuCcMrH8OOGYuaZ2KLzp7AqRTh1aeeHBXSEqw1ofQ=; b=PnpTNgMp/6vYen4DWr75JjpQoqGPMSfBAXMC4/hZuvgzU6KIOs9KPt8Qao3Kb+9Tcpv 88qVvP8J0bjbXyUGZuggUmT1yHt1g9Z3qPe3tboms9Q5JBui95PwX6z3WkOuk56DM03EE rsEIgArBqxXKtGuYBWO2rZnu5pJvIajceFU=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3c6
X-RZG-CLASS-ID: mo00
Received: from mail-wm0-f44.google.com ([74.125.82.44]) by smtp.strato.de (RZmta 37.15 AUTH) with ESMTPSA id z068ecs0QAwoTQf (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for <acme@ietf.org>; Tue, 26 Jan 2016 11:58:50 +0100 (CET)
Received: by mail-wm0-f44.google.com with SMTP id n5so123710124wmn.0 for <acme@ietf.org>; Tue, 26 Jan 2016 02:58:50 -0800 (PST)
X-Gm-Message-State: AG10YOQ6Za/lc/D2xmqul7cQS09J8PiZtsUiD1/fCL1a3QOfjBOoOTMEuaYju/EsqVmvT2xq4BUR6hA6BKOYTA==
MIME-Version: 1.0
X-Received: by 10.28.232.221 with SMTP id f90mr22521578wmi.60.1453805930079; Tue, 26 Jan 2016 02:58:50 -0800 (PST)
Received: by 10.194.78.133 with HTTP; Tue, 26 Jan 2016 02:58:50 -0800 (PST)
In-Reply-To: <20160126014833.GA16635@andover>
References: <20160126014833.GA16635@andover>
Date: Tue, 26 Jan 2016 11:58:50 +0100
X-Gmail-Original-Message-ID: <CANUQDCjRrv80t-2K-3A9FjAQLiyOJ4mc9ArLyQDgPBfKvaV38Q@mail.gmail.com>
Message-ID: <CANUQDCjRrv80t-2K-3A9FjAQLiyOJ4mc9ArLyQDgPBfKvaV38Q@mail.gmail.com>
From: Niklas Keller <me@kelunik.com>
To: Hugo Landau <hlandau@devever.net>
Content-Type: multipart/alternative; boundary="001a1147bd3208fff1052a3a924b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ggwIVJaJcJX-wI-95MbKKwAYiiI>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Predictability of http-01 challenge response
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 10:58:55 -0000
2016-01-26 2:48 GMT+01:00 Hugo Landau <hlandau@devever.net>: > Someone pointed out to me that the http-01 challenge can be satisfied > using no knowledge other than the account fingerprint. > > For example, as an nginx config: > > location ~ "^/\.well-known/acme-challenge/(-_a-zA-Z0-9]+)$" { > default_type text/plain; > return 200 "$1.ACCOUNT_THUMBPRINT"; > } > > Was this an intended design feature of the http-01 challenge? > > Perhaps more pertinently I should ask, is this property desirable? > > This reduces the http-01 challenge to what is essentially an account key > nomination, alebit with a random token (probably needed to satisfy CA/B > forum requirements). I've previously suggested that e.g. the DNS > challenge be changed similarly. In that regard it's quite convenient. > I'm just mildly worried that this property doesn't seem to have been > particularly noticed or discussed, in terms of its security properties. > > Musing a little, if this property was deemed desirable, the possibility > of multiple account keys could be better accommodated by including say, > a hash of the account key thumbprint in the URL. Reasoning: The response > value shouldn't match the request value to guard against webservers > which for some reason echo everything they see. A hash of an account key > thumbprint is sufficient to identify an account amongst a list of known > accounts, for the purposes of determining which account an ACME server > is soliciting an endorsement for. > > OTOH if this property was deemed undesirable the token in the URL could > be hashed; the response would then prove the server knew the token. > The challenge is to provide the payload on a specific host, not to know some random token. If a server knows the account finger print, it can solve challenges made to it, but that doesn't help to get certificates for other hostnames. Regards, Niklas Keller
- [Acme] Predictability of http-01 challenge respon… Hugo Landau
- Re: [Acme] Predictability of http-01 challenge re… Niklas Keller
- Re: [Acme] Predictability of http-01 challenge re… Jacob Hoffman-Andrews