Re: exposing certificate information (current + upcoming)
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 10 May 2019 13:13 UTC
Date: Fri, 10 May 2019 16:10:22 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20190510131022.GA891203@LK-Perkele-VII>
References: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
User-Agent: Mutt/1.10.1 (2018-07-13)
Subject: Re: exposing certificate information (current + upcoming)
Archived-At: <https://www.w3.org/mid/20190510131022.GA891203@LK-Perkele-VII>
On Fri, May 10, 2019 at 12:46:53PM +0200, Stefan Eissing wrote:
> Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted
> about checking HTTP server certificates against CT logs to detect very early if someone
> successfully hijacked one of your domains.
>
> A renewed certificate is often not immediately used on a server but activated on the
> next restart which can be several hours away. To check if a certificate mentioned in a
> CT log, one would need to obtain information about upcoming certificates as well.

If the certificate management is automated, the time window between obtaining the
certificate from the CA and deploying it to production is typically much shorter than a
few hours, typically a few seconds to a few tens of seconds, although some setups deploy
on sub-second timescales and some may take hundreds of seconds. This is because the
clients typically reload the webserver after any run which changed the certificates (the
craziest setups hot-reload from inotify, or something similar).

Regarding using CT for hijack detection, there are proposed mechanisms for CT "gossip"
where clients send recently seen certificates or pointers thereof to the webserver, which
can then alert admins on reports of unknown publicly trusted certificates. I do not think
there are any concrete specifications about that however (only some drafts).

-Ilari
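The reconciliation the thread is discussing, as an added example that is not part of the mailing-list exchange: CT-log observations for your domains are matched against your own issuance records, so that a certificate your ACME client has obtained but not yet deployed is classified as "upcoming" rather than as an alert, and only certificates with no local issuance record are flagged. The CT entry fields (issuer, serial, names, log time) follow the shape a crt.sh-style monitor reports, but every record and entry below is constructed; the class and function names are this example's own, not any tool's API.

```python
"""Reconcile certificate-transparency observations with local issuance records.

Added example (not from the list thread). All data below is constructed; the
CT entry fields mirror what a crt.sh-style monitor reports (issuer, serial,
names, log timestamp) but are not taken from any real log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple


def norm_serial(serial: str) -> str:
    """Normalise a serial as different tools print it (colons, case, leading zeros)."""
    s = serial.replace(":", "").strip().lower().lstrip("0")
    return s or "0"


@dataclass(frozen=True)
class CtEntry:
    issuer: str               # issuer name as the monitor reports it
    serial: str
    names: Tuple[str, ...]    # subject CN plus SANs
    logged_at: datetime       # when the (pre)certificate appeared in a log


@dataclass(frozen=True)
class IssuanceRecord:
    issuer: str
    serial: str
    obtained_at: datetime            # ACME client received the certificate
    deployed_at: Optional[datetime]  # None until the server has reloaded it


def covers_domain(entry: CtEntry, domains: Iterable[str]) -> bool:
    """True if any name on the certificate is one of our domains or under it."""
    for name in entry.names:
        host = name[2:] if name.startswith("*.") else name
        for d in domains:
            if host == d or host.endswith("." + d):
                return True
    return False


def classify(entries, records, domains) -> Dict[Tuple[str, str], str]:
    """Map (issuer, serial) -> 'deployed' | 'upcoming' | 'unknown'.

    Keying on (issuer, serial) collapses the precertificate and the final
    certificate, which a log may list separately, into one decision.
    'unknown' means no issuance record exists: that is the one to alert on.
    """
    issued = {(r.issuer, norm_serial(r.serial)): r for r in records}
    verdicts = {}
    for e in entries:
        if not covers_domain(e, domains):
            continue  # somebody else's certificate, not our concern
        key = (e.issuer, norm_serial(e.serial))
        rec = issued.get(key)
        if rec is None:
            verdicts[key] = "unknown"
        elif rec.deployed_at is None:
            verdicts[key] = "upcoming"
        else:
            verdicts[key] = "deployed"
    return verdicts


def deployment_lag_seconds(records) -> Dict[str, float]:
    """Seconds between obtaining and deploying each certificate that is live."""
    return {norm_serial(r.serial): (r.deployed_at - r.obtained_at).total_seconds()
            for r in records if r.deployed_at is not None}


# Constructed sample data: one live cert, one obtained but not yet reloaded,
# one issued by a CA we never used, and one for an unrelated domain.
T0 = datetime(2019, 5, 10, 13, 0, tzinfo=timezone.utc)
DOMAINS = ("example.test",)
RECORDS = (
    IssuanceRecord("CN=Example CA", "00:A1:B2", T0, T0.replace(second=12)),
    IssuanceRecord("CN=Example CA", "C3:D4", T0.replace(minute=5), None),
)
ENTRIES = (
    CtEntry("CN=Example CA", "a1b2", ("example.test", "www.example.test"), T0),  # precert
    CtEntry("CN=Example CA", "a1b2", ("example.test", "www.example.test"), T0),  # final cert
    CtEntry("CN=Example CA", "c3d4", ("*.example.test",), T0.replace(minute=5)),
    CtEntry("CN=Other CA", "ff01", ("login.example.test",), T0.replace(minute=7)),
    CtEntry("CN=Other CA", "ff02", ("unrelated.test",), T0),
)


def alerts(entries=ENTRIES, records=RECORDS, domains=DOMAINS):
    """The (issuer, serial) pairs an operator should be paged about."""
    return sorted(k for k, v in classify(entries, records, domains).items() if v == "unknown")


if __name__ == "__main__":
    for key, verdict in classify(ENTRIES, RECORDS, DOMAINS).items():
        print(key, verdict)
    print("deployment lag:", deployment_lag_seconds(RECORDS))
```

Feeding the issuance records from the ACME client's own log (one record written when the certificate is obtained, updated when the reload completes) is what makes the "upcoming" state possible; without that second source every freshly issued certificate looks unknown for the duration of the deployment lag, which is exactly the window the thread is arguing about.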