Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
Peter Eckersley <pde@eff.org> Fri, 08 January 2016 18:23 UTC
Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D89E31B2AC2 for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 10:23:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.113
X-Spam-Level:
X-Spam-Status: No, score=-5.113 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5E625FQShr9E for <acme@ietfa.amsl.com>; Fri, 8 Jan 2016 10:23:30 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4666D1A8904 for <acme@ietf.org>; Fri, 8 Jan 2016 10:23:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=uZKYKGoiMIlH8JIw2n6hiUZIWFN4v1y/qjfdK7IpX9Y=; b=Z08jzkDAWTLfJTPpTqRJtAE41RCN9GWeVeu0v0bFzuwCqy0mNUz/EpWs68VarKIhdtQliuvdhSVnDsy75pMCnirIMICOuOgjG6SU3zxMoVqA7awukSubiEN3Aey6Csu9FAGY1RPyxPtmsmkjLy8W5tlt/6uxg/FbCdLCpcRjVdI=;
Received: ; Fri, 08 Jan 2016 10:23:25 -0800
Date: Fri, 08 Jan 2016 10:23:25 -0800
From: Peter Eckersley <pde@eff.org>
To: Peter Wu <peter@lekensteyn.nl>
Message-ID: <20160108182325.GM18430@eff.org>
References: <CANUQDCjc2pyD19pC+8F4dhommuaOtf=JpJWOYAh6He3RNK8+Xg@mail.gmail.com> <20160108172709.GA29864@al>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160108172709.GA29864@al>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ytqVMJEqlf455aSKfD7l498vhgk>
Cc: acme@ietf.org, Niklas Keller <me@kelunik.com>
Subject: Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2016 18:23:36 -0000
On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > Peter (Eckersley), you reported this concern with the premise that it is > a common configuration mistake that impacts many hosting providers. Do > you have scans backing up that concern? Websites that are managed by a > single entity (i.e. not shared hosting providers) with this > configuration "mistake' are not a problem. I haven't spent the time to conduct a thorough scan to get numbers, but this type of configuration is very easy and natural to create, and manually examining the https:// responses of a handful of Alexa top 100K domains (starting in the middle of the list, not the top) showed a tremendous diversity of strange behaviours for domains where https:// has not been officially deployed. If someone wants to do a scan to try to characterise all of those behaviours, go for it! > > > The restriction in the specification has an unfortunate consequence: > sites which are only accessible over port 443/HTTPS (because other ports > are blocked / not forwarded in a NAT network) can no longer be > validated. That's not the case. You can use the TLS-SNI-01 challenge type on those systems. The current language describing it in the spec is terrible and needs to be rewritten, but it's quite simple: add an extra :443 vhost entry to your server config, serving a self-signed cert created to pass the challenge. -- Peter Eckersley pde@eff.org Chief Computer Scientist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- [Acme] ACME vulnerabilities in SimpleHTTP due to … Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Niklas Keller
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Wu
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP due… Jakub Warmuz