IETF Logo Mail Archive

Re: [Acme] Threat model for claiming domains

Bernd Eckenfels <ecki@zusammenkunft.net> Tue, 23 December 2014 21:00 UTC

Return-Path: <ecki@zusammenkunft.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9501A6FBC for <acme@ietfa.amsl.com>; Tue, 23 Dec 2014 13:00:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8b9GsqOpuiY0 for <acme@ietfa.amsl.com>; Tue, 23 Dec 2014 13:00:29 -0800 (PST)
Received: from mail-qc0-f179.google.com (mail-qc0-f179.google.com [209.85.216.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96CFD1A6FB5 for <acme@ietf.org>; Tue, 23 Dec 2014 13:00:29 -0800 (PST)
Received: by mail-qc0-f179.google.com with SMTP id c9so5053866qcz.24 for <acme@ietf.org>; Tue, 23 Dec 2014 13:00:28 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-type:content-transfer-encoding; bh=W3bolu+qvTuf+I15/9FuiFvwk9qrWEXEMEIPLzGjH+0=; b=DH49k2VPmP3Duc3gfmma5DTmko9J2XvZ/UGORnHMzJKOuijYeoiF2WOsXJgAJIX9Dt VpYPKLkHcJ1u11jA+vNDo6TcCuFOoqkqG+uU2pz5UuOiV2iBWlIkW3pA0k0lJ2vh/CKd ZB2sogFhgkKT7/2YPvuUdaA+e6pVu8rj/uzz7qP+G5z+4mX0kkLNTbim7333zrSQtGsL 5zjHJnIBx5wfN87Ge+Ln+7geQsmMjEGYfM3AdboOU8XH40A5Kp/joWFxBGVaMi6FCZXe 0TKkQaCCen69CwUDAnYoReqxrHx50X98dqz18rgnoZU79k2gztknRmzOjdbJCcqLWK9r ZxtA==
X-Gm-Message-State: ALoCoQlmgHV/Qr/7L3C5vgniNz23U23EQwgbZmEXuATn5uHcsBOUVWeUtQsN7G9BPLgkaQgWANRU
X-Received: by 10.229.174.70 with SMTP id s6mr48717807qcz.7.1419368428848; Tue, 23 Dec 2014 13:00:28 -0800 (PST)
Received: from localhost (HSI-KBW-134-3-146-104.hsi14.kabel-badenwuerttemberg.de. [134.3.146.104]) by mx.google.com with ESMTPSA id k6sm19783228qaz.41.2014.12.23.13.00.28 for <acme@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Dec 2014 13:00:28 -0800 (PST)
Date: Tue, 23 Dec 2014 22:00:18 +0100
From: Bernd Eckenfels <ecki@zusammenkunft.net>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20141223220018.00001422.ecki@zusammenkunft.net>
In-Reply-To: <CAL02cgQsp2pAHVmvxvBk2i9hoJ0aCAGby_ZpMB5MuK104c1fgQ@mail.gmail.com>
References: <CAHOTMVJdf8mQ-8_-ocHpfUA+N9v-S5VsBWgOVp1aFwDaWp3d0Q@mail.gmail.com> <CAL02cgSvc1sO-iH3J_c4f=A2CspKwG686DaSUC1JKLD4GRy__w@mail.gmail.com> <5497F5BB.9030002@comodo.com> <CAL02cgSLtiN0Q-KEWZLcG_YjrW0gtdrwJHF9e6W_FdkHR92aig@mail.gmail.com> <54996033.2@comodo.com> <CAL02cgQsp2pAHVmvxvBk2i9hoJ0aCAGby_ZpMB5MuK104c1fgQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/zVBgiD6SYlO9M4c22V0FoFRT6Rs
Subject: Re: [Acme] Threat model for claiming domains
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 21:00:32 -0000

Am Tue, 23 Dec 2014 15:50:05 -0500
schrieb Richard Barnes <rlb@ipv.sx>:

> > IIUC, you're suggesting that there's a risk that Dreamhost might
> > let you register a CNAME record for <md5>.dreamhosters.com that
> > points to <sha1>. comodoca.com.
> > A colleague just said to me: "most shared hosts (like Dreamhost)
> > designate that subdomain you request for webhosting and that it's
> > incredibly unlikely (read: near-impossible) to get them to change
> > their DNS for that to point anywhere other than their shared
> > hosting servers."
> >
> 
> I can confirm that this is the case with Dreamhost, having just tried
> the experiment.  Nonetheless, this seems like kind of a fragile
> assumption, given that there do exist some less-clueful hosting
> providers.

Each dyndns provider does exactly that, allowing you to register a
record with an user chosen name pointing to any IP. This is at least
true for A records, but I could imagine similiar serives (host
forwarding servicde) for CNAME.

So TXT is better in that case (however none of them should be used
without a second factor like whois-mail or to not issue certificates
for the domain name without the host prefix (or even worse wildcards)).

Gruss
Bernd

v2.23.0 | Report a Bug | By Email