Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tls-alpn-06: (with COMMENT)
Jacob Hoffman-Andrews <jsha@eff.org> Wed, 02 October 2019 17:52 UTC
Return-Path: <jsha@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51D6120106; Wed, 2 Oct 2019 10:52:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQa43hOGxINt; Wed, 2 Oct 2019 10:52:56 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C02E21200FE; Wed, 2 Oct 2019 10:52:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=OZ0dlzzyiiBHqsN2y58ZLM2cXs0C2zqvW7UQ9i4Rwyk=; b=cnfMPJXCsb6eulVOAnnHxtIf1U vl4goqOxjWEc5qVh15K5/PAnj240sd+FwLTc6p1yIVPnhHBxrEydCycSXg6GA0vpKjck4mjxrDN2/ 4DWg4xmKhieIWOHgduNMDl7AHR0n4u/+CLaHFL52EreAErH44NWjIeoPQDPqaAuUGL50=;
Received: ; Wed, 02 Oct 2019 10:52:55 -0700
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: cpu@letsencrypt.org, acme@ietf.org, draft-ietf-acme-tls-alpn@ietf.org, acme-chairs@ietf.org
References: <156989204879.24249.6112061930191061196.idtracker@ietfa.amsl.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <80c31b5c-7b56-8c79-2188-a0c90771f0b7@eff.org>
Date: Wed, 02 Oct 2019 10:52:55 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <156989204879.24249.6112061930191061196.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/tHyh8aX8RgrxReN3atTWCqEkEkY>
Subject: Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tls-alpn-06: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Oct 2019 17:52:59 -0000
On 9/30/19 6:07 PM, Benjamin Kaduk via Datatracker wrote: > the provider. When the TLS SNI challenge was designed it was assumed > that a user would only be able to respond to TLS traffic via SNI for > domain names they controlled (i.e. if User A registered Host A and > User B registered Host B with a service provider that User A wouldn't > be able to respond to SNI traffic for Host B). This turns out not to > be a security property provided by a number of large service > providers. [...] > > Perhaps I'm misremembering, but I don't think this characterizes exactly > the situation that led to the TLS SNI challenge being deemed > irredeemable: the issues arise when User B *has not yet* registered Host > B, and either the registration validation at the provider was lax or > User A could connive to get into the default-SNI handler. The *attack* > was possible even when User B has registered Host B, because the > validation used a subdomain, as we discuss below, but here we are > talking about the SNI routing, which needed to be for an unregistered > (or not-validly-registered) name. Here's the original post for reference: https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/. It actually doesn't matter whether User B has registered Host B, and it has nothing to do with the default-SNI handler. That was a different vulnerability, mainly in the "http-01" nee "simpleHttp" challenge: https://github.com/ietf-wg-acme/acme/pull/7/files. Also, TLS-SNI-01 validation did not use a subdomain; it used a constructed name ending in ".acme.invalid". The issue resulted from allowing someone to upload certificates to a hosting provider for "foo.acme.invalid" without validating their control of "foo.acme.invalid"'s DNS. It also happened to be the case that someone could in certain circumstances upload certificates for "real" domains they don't control, like "example.com", but that wasn't relevant for ACME. Roland, since we've gotten similar feedback twice, it seems worthwhile to update Appendix A to directly link Frans Rosen's excellent blog post, and to specifically call out that this is different than the "default VHost" issue that led ACME to mandate that the "http-01" challenge use HTTP instead of HTTPS.
- [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-tl… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Jacob Hoffman-Andrews
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Salz, Rich