Re: [Acme] HTTP redirects in validation [Was: Re: FW: Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)]
Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 30 August 2018 18:49 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D37130EF4 for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 11:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hozyK_mPVvuQ for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 11:49:49 -0700 (PDT)
Received: from pdx1-sub0-mail-a5.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 492A6130DDE for <acme@ietf.org>; Thu, 30 Aug 2018 11:49:49 -0700 (PDT)
Received: from pdx1-sub0-mail-a5.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a5.g.dreamhost.com (Postfix) with ESMTP id 92B4480305 for <acme@ietf.org>; Thu, 30 Aug 2018 11:49:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=NO6nofyf9LeYszVsVd8o6jOEXko=; b= h4laTweOYAPNn7p9YqDOONCe8mUoYYJeWjw5w+MbQaPieu1dIXesjbeOxNF9rzUp NiD+WVrLVkb3fDK1RpKksnRHVQ1cNFSyMvOu93J5h7TQWULOVCvVmRAusfaI0+a1 NYpMLADrYJCtpCpVR9UiigIitL0Wl88nZyfy7mm6PyI=
Received: from mail-it0-f47.google.com (mail-it0-f47.google.com [209.85.214.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by pdx1-sub0-mail-a5.g.dreamhost.com (Postfix) with ESMTPSA id 7FB98802FF for <acme@ietf.org>; Thu, 30 Aug 2018 11:49:47 -0700 (PDT)
Received: by mail-it0-f47.google.com with SMTP id u13-v6so4084986iti.1 for <acme@ietf.org>; Thu, 30 Aug 2018 11:49:47 -0700 (PDT)
X-Gm-Message-State: APzg51DjjOfACyRoapeh33KTcznPD0r51grIqYXUwFQpXtrxvS21mkB1 16XX/xWZUN1sPe+GDx2z8lqdV2gQl/Wxkwlihjk=
X-Google-Smtp-Source: ANB0VdZ1ZkW5vpwf3N+may1/qefMYUd7h3bt+OJfNRUl7tqiDiY4Yo2Fxboq84VuVkjtCaBPyVb4daXHZb51tkiIXz0=
X-Received: by 2002:a24:328d:: with SMTP id j135-v6mr3115165ita.5.1535654986920; Thu, 30 Aug 2018 11:49:46 -0700 (PDT)
MIME-Version: 1.0
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com> <CAKnbcLikPk7vxrJdRT1bAqbOkBy7kLwyA5ToFKYFJfiVNCS7xg@mail.gmail.com> <5EDC099D-6070-4DC6-9561-C08BB1483041@akamai.com> <CAL02cgRG-TGziXB9ro116dVR0iMN8CrRuzA4PRTk2jEPj7nrzw@mail.gmail.com> <BN6PR14MB110631971E10452BF7EC6F0F83080@BN6PR14MB1106.namprd14.prod.outlook.com> <BN6PR14MB11060308213B4B64FFECB52183080@BN6PR14MB1106.namprd14.prod.outlook.com> <20180830182800.GA10659@LK-Perkele-VII>
In-Reply-To: <20180830182800.GA10659@LK-Perkele-VII>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 30 Aug 2018 14:49:35 -0400
X-Gmail-Original-Message-ID: <CAErg=HFj9pdHbat4TdSqrannakF2aW3GLZY9nfaLO7yaYuMpVg@mail.gmail.com>
Message-ID: <CAErg=HFj9pdHbat4TdSqrannakF2aW3GLZY9nfaLO7yaYuMpVg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fe3e420574ab8943"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mDmMEQ6bj7IXcrABO2nks6n429M>
Subject: Re: [Acme] HTTP redirects in validation [Was: Re: FW: Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)]
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 18:49:51 -0000
On Thu, Aug 30, 2018 at 2:28 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > The main reason to allow redirects within a domain is if there is a > > unilateral redirect from example.com to www.example.com > > <http://www.example.com> , which is of course incredibly common. It > > seems one should be able to validate example.com using that redirect. > > I have no data on potentially exploitable redirects on-domain versus > off-domain, but I can say that even some http://foo.example to > https://foo.example redirects are exploitable (especially with > substring matching, but sometimes even without that). > > The following two types of redirects seem practicularly troublesome: > > - Redirect is from above validation directory (usually via global > redirect of any resource on name). http:// to https:// redirects > and redirects from example.com to www.example.com are usually of > this kind. In contrast, redirects specific to validation directory > are very probably secure. > - Redirects that are not injective (multiple source URLs map to the > same target URL.). These are invariably from above validation > directory redirects. > > Then I saw somebody argue that redirecting .well-known globally > is misconfiguration. And indeed, that place is grab-bag of different > things, some of which prohibit redirects, some which leave things > implicit and some that explicitly follow redirects. > I'm not sure why either of these are particularly troublesome, given the requirements, and giving the use of either the Random Value (which must be random) or it being bound to the request. Is the issue here one of redirects, or the (as practiced by CAs) distinction between "the presence of" versus "the contents shall be". That is, if the CA/Browser Forum required that the contents be explicit (and/or with a mime-type requirement), does that resolve the matter with redirects? (I ask, because that's one of the already identified structural weaknesses of 3.2.2.4.6)
- [Acme] Alexey Melnikov's No Objection on draft-ie… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Daniel McCarney
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Salz, Rich
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Benjamin Kaduk
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alan Doherty
- Re: [Acme] Alexey Melnikov's No Objection on draf… Manger, James
- Re: [Acme] Alexey Melnikov's No Objection on draf… Tim Hollebeek
- [Acme] FW: Alexey Melnikov's No Objection on draf… Tim Hollebeek
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Corey Bonnell
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- [Acme] HTTP redirects in validation [Was: Re: FW:… Ilari Liusvaara
- Re: [Acme] HTTP redirects in validation [Was: Re:… Ryan Sleevi