[Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization
"Gerd v. Egidy" <gerd.von.egidy@intra2net.com> Fri, 12 January 2018 16:20 UTC
Return-Path: <gerd.von.egidy@intra2net.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBCE212E8A2 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 08:20:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95ISBk5xTlYk for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 08:20:44 -0800 (PST)
Received: from rs07.intra2net.com (rs07.intra2net.com [85.214.138.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C2E512420B for <acme@ietf.org>; Fri, 12 Jan 2018 08:20:43 -0800 (PST)
Received: from mail.m.i2n (unknown [172.17.128.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by rs07.intra2net.com (Postfix) with ESMTPS id 59397150013C for <acme@ietf.org>; Fri, 12 Jan 2018 17:20:41 +0100 (CET)
Received: from localhost (mail.m.i2n [127.0.0.1]) by localhost (Postfix) with ESMTP id 104F8574 for <acme@ietf.org>; Fri, 12 Jan 2018 17:20:41 +0100 (CET)
X-Virus-Scanned: by Intra2net Mail Security (AVE=8.3.48.112,VDF=8.14.37.110)
Received: from thunder.m.i2n (thunder.m.i2n [172.16.1.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: smtp-auth-user) by mail.m.i2n (Postfix) with ESMTPSA id 45FB6312 for <acme@ietf.org>; Fri, 12 Jan 2018 17:20:39 +0100 (CET)
From: "Gerd v. Egidy" <gerd.von.egidy@intra2net.com>
To: acme@ietf.org
Date: Fri, 12 Jan 2018 17:20:39 +0100
Message-ID: <1812883.r3FRolLa0t@thunder.m.i2n>
Organization: Intra2net AG
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/pTwO3liEYVS8j7d8WGvBxx41rG0>
Subject: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 16:22:23 -0000
Hi, I've seen the proposal of Jonathan Rudenberg in [1] to use ALPN to fix the recently discovered problems with the TLS-SNI challenge [2]. While I think the usage of ALPN will fix the problem at hand, requiring support for ALPN on the frontend web servers, accelerators and so on at big webhosters will put a burden on the developers and maintainers of these systems because ALPN is relatively new and the deployed software and libraries will not make it easy to use it for anything but HTTP/2. The same goes for developers of ACME clients. This may hinder adoption or may lead to incorrect or insecure implementations. As these insecure implementations have thwarted TLS-SNI-01/02, I think we should be especially sensitive about risks coming from this side. So I'd now like to revisit the discussion about using HTTP-01 over HTTPS in [3] as alternative to TLS-SNI or as complement to TLS-SNI-ALPN. The problem mentioned with running HTTP-01 over HTTPS was the default-vhost problem. But that could be avoided with checking the SAN like this: The client creates a self-signed certificate or uses a certificate signed by any CA as long as it carries the hostname he wants to challenge within the subject alternative names (SAN). The CA does the regular HTTP-01 request. But this request is via HTTPS and the CA sends the hostname via SNI. The CA does not do any validity or trust checks on the presented certificate except to check the hostname in the subject alternative names for authorization. I'd call this type of challenge "https-01" to let the client explicitly request this type of challenge in contrast to requesting "http-01" over http. Let's consider the shared hosting attack with this method: 1. The domains a.example.com and b.example.com are both hosted on the same shared hosting server 2. The shared hosting environment doesn't do any checking of the certificates their users install onto the shared webserver 3. While allowing the wrong certificate to be presented for a request, the shared hosting server still checks the HTTP Host-header and responds with data from the document root folder of the correct domain 4. The owner of b.example.com activates a certificate with the SAN a.example.com on the shared hosting server 5. He requests the CA to issue the https-01 challenge request 6. The CA is presented the certificate installed by b, but the document root of a.example.com does not contain the correct keyAuthorization, so the challenge fails The attack on TLS-SNI is possible, because the certificate contains everything needed to fulfil the challenge. https-01 has the additional check of the correct keyAuthorization in /.well-known/acme-challenge/{token}. Advantages of this method: - Implementing this scheme should not pose undue difficulties on client developers. - This protocol should also be easy to include in running infrastructure without disturbing regular requests while executing the challenge. As it sends the requested hostname via SNI, it works with shared hosting infrastructure. - As TLS-SNI-01/02 before, it is done completely via HTTPS on TCP port 443. So if HTTPS is the protocol you want to use the cert for, you wouldn't need access to an additional TCP port like HTTP-01 does. This may not be important for regular webhosting, but for a scenario where the certificate protects some software running on a host behind a router or firewall only allowing port 443 through. What do you think? Kind regards, Gerd PS: Funny thing is, in the course of that previous discussion, Ilari Liusvaara already predicted exactly the vulnerability that now has hit TLS-SNI-01/02 [4]. [1] https://mailarchive.ietf.org/arch/msg/acme/mrKOeRK1K6H_42Hxbt3A1XtLFJM [2] https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188/2 [3] https://mailarchive.ietf.org/arch/msg/acme/mKKWN44SO1yepCffKpiIMb5bqEs [4] https://mailarchive.ietf.org/arch/msg/acme/mSp709jDGw2bAEUI1Dq8E4iYpmw
- [Acme] Alternative proposal for fixing TLS-SNI / … Gerd v. Egidy
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara
- Re: [Acme] Alternative proposal for fixing TLS-SN… Matthew D. Hardeman
- Re: [Acme] Alternative proposal for fixing TLS-SN… Gerd v. Egidy
- Re: [Acme] Alternative proposal for fixing TLS-SN… Matthew D. Hardeman
- Re: [Acme] Alternative proposal for fixing TLS-SN… Matthew D. Hardeman
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara
- Re: [Acme] Alternative proposal for fixing TLS-SN… Matthew D. Hardeman
- Re: [Acme] Alternative proposal for fixing TLS-SN… Gerd v. Egidy
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara
- Re: [Acme] Alternative proposal for fixing TLS-SN… Gerd v. Egidy
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara
- Re: [Acme] Alternative proposal for fixing TLS-SN… Matthew D. Hardeman
- Re: [Acme] Alternative proposal for fixing TLS-SN… Ilari Liusvaara