Re: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
Peter Eckersley <pde@eff.org> Thu, 24 September 2015 05:55 UTC
Date: Wed, 23 Sep 2015 22:55:52 -0700
From: Peter Eckersley <pde@eff.org>
To: Richard Barnes <rlb@ipv.sx>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/i11sWpGVbrXpM4bqNuREQAAZXYk>
Cc: "acme@ietf.org" <acme@ietf.org>
On Wed, Sep 23, 2015 at 06:19:19PM -0700, Richard Barnes wrote:
> I have to admit that I'm not super sanguine about fixing this. On the
> one hand, hosting providers will always be a point of vulnerability
> for automated verification that uses control of a named host -- the
> hosting provider controls the whole stack for the domain, after all.
> So it seems a little quixotic to chase after vulnerabilities at the
> hosting provider. On the other hand, it does seem good to address
> obvious, likely ways that a provider could *accidentally* cause
> attacks.

Although we could argue that this issue is the responsibility of hosting providers and/or the webserver codebases themselves, the reality is that this situation is probably not exploitable prior to ACME deployment (unless one of the current HTTP DV CAs uses HTTPS?). Rather than expecting a potentially very large number of deployed systems to change their behaviour as a result of ACME entering use, it seems more prudent to design defensively around the behaviour of deployed systems.

>
> I am OK with dropping the TLS option for "simpleHttp" validations.
> (We can always make SimpleHTTPS later.) I haven't really evaluated
> the DVSNI fix.

I believe the simpleHttp fix is urgent -- there are likely to be a lot of vulnerable servers. The DVSNI fix may not be as urgent, because only systems that allow tenants to deploy their own certs would be affected, but we should definitely include it in any breaking change we're making to DVSNI, rather than waiting to see if we need to make another breaking change shortly down the road.

--
Peter Eckersley pde@eff.org
Chief Computer Scientist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
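An added model, not code from this thread or from any ACME implementation, of the default-virtual-host fallback the subject line refers to: a request whose name matches no configured vhost on a port is served by that port's default vhost. It shows why a plain-HTTP simpleHttp probe reaches the domain's own vhost while an HTTPS probe for a domain that has no TLS vhost, or a DVSNI probe for a synthetic name, falls through to whichever tenant holds the default TLS vhost (the reason the DVSNI concern is limited to hosts where tenants control their own certs). The vhost table, tenant names and domain names are constructed.

```python
"""Shared-hosting vhost selection (Apache/nginx style): the first vhost defined
on a port is that port's default and answers any unmatched name.  Constructed
example; not ACME client or server code."""

from dataclasses import dataclass, field


@dataclass
class VHost:
    name: str    # server name this vhost is configured for
    port: int    # 80 (plain HTTP) or 443 (TLS)
    tenant: str  # hosting customer (or "provider") controlling this vhost


@dataclass
class SharedHost:
    """One shared IP address holding several customers' vhosts."""
    vhosts: list = field(default_factory=list)

    def select(self, port, name):
        """Vhost that answers `name` on `port`; unmatched names get the default."""
        for vh in self.vhosts:
            if vh.port == port and vh.name == name:
                return vh
        for vh in self.vhosts:
            if vh.port == port:
                return vh  # default-vhost fallback: first vhost on this port
        return None


def simple_http_responder(host, domain, use_tls):
    """Tenant whose vhost answers a simpleHttp validation request for `domain`."""
    vh = host.select(443 if use_tls else 80, domain)
    return vh.tenant if vh else None


def dvsni_responder(host, challenge_sni):
    """Tenant whose vhost answers a DVSNI probe; no real site carries that name."""
    vh = host.select(443, challenge_sni)
    return vh.tenant if vh else None


# Constructed table: tenant_b is defined first on 443, so it owns the default
# TLS vhost; "victim.example" (tenant_a) has only a plain-HTTP vhost.
HOST = SharedHost([
    VHost("other.example", 80, "tenant_b"),
    VHost("other.example", 443, "tenant_b"),
    VHost("victim.example", 80, "tenant_a"),
])

if __name__ == "__main__":
    print(simple_http_responder(HOST, "victim.example", use_tls=False))  # tenant_a
    print(simple_http_responder(HOST, "victim.example", use_tls=True))   # tenant_b
    print(dvsni_responder(HOST, "token.acme.invalid"))                   # tenant_b
```

If the provider rather than a customer holds the default 443 vhost (no tenant-deployed certs), the last two calls return "provider" instead, which is the case the message describes as not affected.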