[Acme] Guessable URLs and unprotected orders lists

Sophie Herold <sophie_herold@hemio.de> Thu, 11 January 2018 19:23 UTC

From: Sophie Herold <sophie_herold@hemio.de>
To: IETF ACME <acme@ietf.org>
Message-ID: <ddbad3c8-c525-f498-3428-4e53353ad99c@hemio.de>
Date: Thu, 11 Jan 2018 20:23:26 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/usaOr4Bnyma4jX1fjfE4Lftai8E>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Hi,

Challenge tokens "MUST have at least 128 bits of entropy"; at the same
time it seems trivial to guess order and authorization URLs like the
ones used in the examples. It seems natural that URLs MUST be generated
with the same amount of entropy, but I couldn't find that in the draft.


For account objects, GET requests are not allowed:

   Servers SHOULD NOT respond to GET requests for account resources as
   these requests are not authenticated.

This suggests that all non-expiring URLs should be protected in this
way. At least for orders lists, this protection is missing.


Best,
Sophie
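The two points raised in the message above, as an added example that is not part of the original mail or of any ACME implementation: a server-side helper that mints order and authorization URLs with at least 128 bits of entropy (the same bar the draft sets for challenge tokens), a check that bounds how much entropy a given identifier can carry, and a request guard that refuses unauthenticated GET on account resources and, as the mail proposes, on orders lists as well. The base URL, path layout (`/acct/<id>`, `/acct/<id>/orders`, `/order/<id>`) and the function names are assumptions made for this example, not the draft's.

```python
import math
import secrets

# Constructed base URL for a hypothetical ACME server (not a real endpoint).
BASE_URL = "https://acme.example.invalid"

# Alphabet emitted by secrets.token_urlsafe (base64url, padding stripped).
BASE64URL_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

# The draft requires this much entropy for challenge tokens; the mail argues
# that resource URLs need the same bar.
MIN_ENTROPY_BITS = 128


def new_resource_id(entropy_bits: int = MIN_ENTROPY_BITS) -> str:
    """Random base64url identifier carrying at least `entropy_bits` of entropy.

    secrets.token_urlsafe draws from the OS CSPRNG; ceil(bits / 8) bytes give
    at least the requested number of bits (16 bytes -> 22 characters).
    """
    return secrets.token_urlsafe(math.ceil(entropy_bits / 8))


def entropy_bits_upper_bound(identifier: str, alphabet: str = BASE64URL_ALPHABET) -> float:
    """Upper bound on the entropy of an identifier drawn uniformly from `alphabet`.

    This is len * log2(|alphabet|); a short or sequential identifier such as
    '1234' cannot exceed ~13 bits however it was chosen, so it fails the check.
    """
    if any(ch not in alphabet for ch in identifier):
        raise ValueError("identifier contains characters outside the alphabet")
    return len(identifier) * math.log2(len(alphabet))


def meets_entropy_requirement(identifier: str, alphabet: str = BASE64URL_ALPHABET) -> bool:
    """True if the identifier could carry at least MIN_ENTROPY_BITS of entropy."""
    return entropy_bits_upper_bound(identifier, alphabet) >= MIN_ENTROPY_BITS


def new_order_url() -> str:
    """Mint an order URL whose path component is unguessable (hypothetical layout)."""
    return f"{BASE_URL}/order/{new_resource_id()}"


def new_authorization_url() -> str:
    """Mint an authorization URL with the same entropy as an order URL."""
    return f"{BASE_URL}/authz/{new_resource_id()}"


def is_protected_resource(path: str) -> bool:
    """Account objects (/acct/<id>) and orders lists (/acct/<id>/orders) are
    non-expiring and must only be reachable through an authenticated request."""
    segments = [s for s in path.split("/") if s]
    if not segments:
        return False
    return segments[0] == "acct" or segments[-1] == "orders"


def authorize_request(method: str, path: str, has_valid_jws: bool) -> int:
    """HTTP status the hypothetical server returns for a request.

    - GET on a protected resource is refused outright (405): GET carries no
      JWS, so it can never be authenticated.
    - POST on a protected resource needs a valid JWS (401 otherwise).
    - Other resources (orders, authorizations) rely on their unguessable URL.
    """
    if is_protected_resource(path):
        if method == "GET":
            return 405
        return 200 if has_valid_jws else 401
    return 200
```

Usage note: `meets_entropy_requirement` is a necessary, not sufficient, condition (it measures length and alphabet, not how the value was actually generated), so it is useful as a lint on example or legacy URLs rather than as proof of randomness; the generation side is what `new_resource_id` covers.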