[cabfpub] [cabfquest] DV Proposal - Website-change validation on port 443

Ryan Sleevi sleevi at google.com
Thu Apr 14 15:11:47 UTC 2016


Forwarding on Patrick's behalf, as this does sound like a bug with this
method (as already practiced by some CAs)
On Apr 14, 2016 2:15 AM, "Patrick Figel" <patfigel at gmail.com> wrote:

> Section 3.2.2.4.6 states that the presence of a Random Value or Request
> Token on a website can be confirmed via any Authorized Port, including
> 443 (HTTPS).
>
> This introduces an interesting vulnerability in certain multi-tenant
> hosting environments. A detailed discussion can be found on the ACME
> mailing list[1]. I'm quoting the relevant section of that discussion:
> > Apache (and I gather nginx too) have the subtle and non-intuitive
> > behaviour that if a default TLS/HTTPS virtual host is not configured
> > explicitly, one will be selected based on the ordering of vhosts in the
> > webserver configuration (in practice, this often amounts to alphabetical
> > ordering of files in a configuration directory).
> >
> > https://serverfault.com/questions/458106/apache2-default-vhost-in-alphabetical-order-or-override-with-default-vhost
> > https://serverfault.com/a/180956
> >
> > This creates a vulnerability for SimpleHTTP and DVSNI in any
> > multiple-tenant virtual hosting environment that failed to explicitly
> > select a default vhost [1].  The vulnerability allows one tenant
> > (typically one with the alphabetically lowest domain name -- a situation
> > that may be easy for an attacker to arrange) to obtain certificates for
> > other tenants.
>
> [1]: https://mailarchive.ietf.org/arch/msg/acme/B9vhPSMm9tcNoPrTE_LNhnt0d8U
>
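The misconfiguration described in the quoted thread, as an added example that is not part of the original messages: a constructed nginx multi-tenant host with the tenant names aaa.example and victim.example, file paths and token path all assumed for illustration. The weak layout (no explicit default server on :443) is shown beside the operator-owned catch-all that closes the hole.

```nginx
# Added example, not from the thread. Assumed layout: the main nginx.conf
# loads tenant configs with a glob, so files are read in alphabetical order:
#   include /etc/nginx/sites-enabled/*;

# --- /etc/nginx/sites-enabled/aaa.example  (attacker-controlled tenant) ---
server {
    listen 443 ssl;             # no "default_server" anywhere on :443, so the
    server_name aaa.example;    # first :443 block in load order becomes the default
    ssl_certificate     /etc/nginx/tenants/aaa.example/fullchain.pem;
    ssl_certificate_key /etc/nginx/tenants/aaa.example/privkey.pem;
    root /srv/tenants/aaa.example/htdocs;
}

# --- /etc/nginx/sites-enabled/victim.example  (victim tenant, HTTP only) ---
server {
    listen 80;
    server_name victim.example;
    root /srv/tenants/victim.example/htdocs;
}

# A validation fetch of https://victim.example/.well-known/pki-validation/<token>
# arrives on :443 with SNI "victim.example". No :443 block matches that name,
# so nginx hands the request to the aaa.example block above. If the attacker
# has written the token under /srv/tenants/aaa.example/htdocs/.well-known/,
# the CA sees it and issues for victim.example.

# --- /etc/nginx/sites-enabled/000-default  (operator-owned catch-all; FIX) ---
server {
    listen 443 ssl default_server;   # explicit default: tenants can no longer win by name
    server_name _;
    # Any certificate works here; clients hitting this block are misrouted anyway.
    ssl_certificate     /etc/nginx/catchall/self-signed.crt;
    ssl_certificate_key /etc/nginx/catchall/self-signed.key;
    return 444;                      # drop the connection for unmatched names
}
```

The catch-all must be owned by the hosting operator, not by any tenant, since whoever controls the default block controls validation responses for every name without its own :443 block. On nginx 1.19.4 or later, `ssl_reject_handshake on;` in the default block refuses the TLS handshake outright instead of serving a response. Apache behaves the same way (the first VirtualHost on a given address:port is the default when no ServerName or ServerAlias matches), so the equivalent fix is an operator-owned `_default_:443` vhost in a file that sorts first, such as `000-default-ssl.conf`. To check a live host, connect with an SNI name that has no vhost and see which certificate answers: `openssl s_client -connect <host>:443 -servername nosuchname.example </dev/null 2>/dev/null | openssl x509 -noout -subject`. If a tenant's certificate comes back, the default is tenant-controlled.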