Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tls-alpn-06: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 03 October 2019 16:41 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2521C1200B9; Thu, 3 Oct 2019 09:41:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5eHQwqvEaO-x; Thu, 3 Oct 2019 09:41:24 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAB251200B4; Thu, 3 Oct 2019 09:41:23 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x93GfGwU002199 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 3 Oct 2019 12:41:18 -0400
Date: Thu, 03 Oct 2019 09:41:15 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: The IESG <iesg@ietf.org>, cpu@letsencrypt.org, acme@ietf.org, draft-ietf-acme-tls-alpn@ietf.org, acme-chairs@ietf.org
Message-ID: <20191003164115.GU6424@kduck.mit.edu>
References: <156989204879.24249.6112061930191061196.idtracker@ietfa.amsl.com> <80c31b5c-7b56-8c79-2188-a0c90771f0b7@eff.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <80c31b5c-7b56-8c79-2188-a0c90771f0b7@eff.org>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ksrc2VCGJmkgucS-GzJdgkhGiAU>
Subject: Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tls-alpn-06: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 16:41:27 -0000
Hi Jacob, On Wed, Oct 02, 2019 at 10:52:55AM -0700, Jacob Hoffman-Andrews wrote: > On 9/30/19 6:07 PM, Benjamin Kaduk via Datatracker wrote: > > the provider. When the TLS SNI challenge was designed it was assumed > > that a user would only be able to respond to TLS traffic via SNI for > > domain names they controlled (i.e. if User A registered Host A and > > User B registered Host B with a service provider that User A wouldn't > > be able to respond to SNI traffic for Host B). This turns out not to > > be a security property provided by a number of large service > > providers. [...] > > > > Perhaps I'm misremembering, but I don't think this characterizes exactly > > the situation that led to the TLS SNI challenge being deemed > > irredeemable: the issues arise when User B *has not yet* registered Host > > B, and either the registration validation at the provider was lax or > > User A could connive to get into the default-SNI handler. The *attack* > > was possible even when User B has registered Host B, because the > > validation used a subdomain, as we discuss below, but here we are > > talking about the SNI routing, which needed to be for an unregistered > > (or not-validly-registered) name. > Here's the original post for reference: > https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/. > > It actually doesn't matter whether User B has registered Host B, and it > has nothing to do with the default-SNI handler. That was a different > vulnerability, mainly in the "http-01" nee "simpleHttp" challenge: > https://github.com/ietf-wg-acme/acme/pull/7/files. > > Also, TLS-SNI-01 validation did not use a subdomain; it used a > constructed name ending in ".acme.invalid". > > The issue resulted from allowing someone to upload certificates to a > hosting provider for "foo.acme.invalid" without validating their control > of "foo.acme.invalid"'s DNS. It also happened to be the case that > someone could in certain circumstances upload certificates for "real" > domains they don't control, like "example.com", but that wasn't relevant > for ACME. Thanks for setting me straight. > Roland, since we've gotten similar feedback twice, it seems worthwhile > to update Appendix A to directly link Frans Rosen's excellent blog post, > and to specifically call out that this is different than the "default > VHost" issue that led ACME to mandate that the "http-01" challenge use > HTTP instead of HTTPS. That seems worthwhile. Thanks, Ben
- [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tl… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Jacob Hoffman-Andrews
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Salz, Rich