On Thu, Sep 24, 2015 at 10:03:03AM -0400, Michael Richardson wrote:
>
> {Tourist warning here}
>
> Peter Eckersley <[email protected]> wrote:
> >> > I am OK with dropping the TLS option for "simpleHttp" validations.
> >> > (We can always make SimpleHTTPS later.)
> >>
> >> One annoying implication with dropping the TLS option is that it makes
> >> it difficult to complete the SimpleHTTP challenge when your HTTP site
> >> redirects to HTTPS, as best practice dictates. You'd have to
> >> special-case an exception to allow the challenge response to be served
> >> over HTTP (this is annoying to do in Apache).
> >>
> >> This isn't a problem if the ACME server follows redirects when
> >> validating the challenge. The draft doesn't currently require or
> >> forbid following redirects, so implementations will probably end up
> >> doing whatever their HTTP client library does by default.
>
> > Boulder does indeed follow redirects, so that's our current plan.
>
> So, if the verifier follows an HTTP redirect to an HTTPS site (does it even
> have to be same name?), which has a (at that point) bogus certificate,
> and Boulder can cope with that, then why bother having the SimpleHTTP
> check method at all?
>
> Why not just always use SimpleHTTPS?
Because it is common for webservers to be configured with HTTPS vhosts
that are a strict subset of the HTTP ones, plus a misallocated
default/wildcard HTTPS vhost that is controlled by the
tenant/hypothetical attacker.
Those vulnerable webservers are unlikely to serve a redirect from HTTP
to HTTPS for the domains that lack a correct HTTPS vhost, however.
--
Peter Eckersley [email protected]
Chief Computer Scientist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
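The shared-hosting layout Peter describes (HTTPS vhosts a strict subset of the HTTP ones, plus a catch-all HTTPS vhost owned by another tenant) can be modelled in a few lines. The following is an added illustration, not code from the thread, Boulder or the ACME draft: it uses a toy `SharedHost` model with constructed tenant names (alice, bob, carol, mallory) and compares an HTTPS-only validator with an HTTP-first validator that follows a redirect only when the HTTP vhost issues one.

```python
# Added example (not from the ACME thread or from Boulder): a toy model of a
# shared web host with name-based vhost dispatch, used to compare two
# domain-validation strategies. All hostnames and tenants are constructed.
from dataclasses import dataclass, field


@dataclass
class SharedHost:
    http_vhosts: dict                 # hostname -> tenant controlling the HTTP vhost
    https_vhosts: dict                # hostname -> tenant with a correct HTTPS vhost
    https_default: str                # tenant whose HTTPS vhost answers unmatched SNI names
    redirects: set = field(default_factory=set)  # hostnames whose HTTP vhost redirects to HTTPS

    def serve_http(self, host):
        """Plain-HTTP request for `host`: returns (status, tenant that answered)."""
        tenant = self.http_vhosts.get(host)
        if tenant is None:
            return ("404", None)
        if host in self.redirects:
            return ("301->https", tenant)
        return ("200", tenant)

    def serve_https(self, host):
        """HTTPS request for `host`: an unmatched SNI name falls through to the default vhost."""
        return ("200", self.https_vhosts.get(host, self.https_default))


def validate_https_only(shared, host):
    """SimpleHTTPS-style check: connect over TLS directly and credit whoever answers."""
    _, tenant = shared.serve_https(host)
    return tenant


def validate_http_first(shared, host):
    """SimpleHTTP-style check: start on plain HTTP; go to HTTPS only if the HTTP vhost redirected."""
    status, tenant = shared.serve_http(host)
    if status == "404":
        return None
    if status.startswith("301"):
        _, tenant = shared.serve_https(host)
    return tenant


# Constructed scenario: alice and carol have HTTP vhosts but no HTTPS vhost; bob has
# both and redirects HTTP to HTTPS; mallory's HTTPS vhost is the misallocated default.
SCENARIO = SharedHost(
    http_vhosts={"alice.example": "alice", "bob.example": "bob", "carol.example": "carol"},
    https_vhosts={"bob.example": "bob"},
    https_default="mallory",
    redirects={"bob.example", "carol.example"},  # carol redirects despite lacking an HTTPS vhost
)


def compare(shared, hosts):
    """Return {host: (tenant credited by HTTPS-only, tenant credited by HTTP-first)}."""
    return {h: (validate_https_only(shared, h), validate_http_first(shared, h)) for h in hosts}


if __name__ == "__main__":
    for host, (https_only, http_first) in compare(SCENARIO, ["alice.example", "bob.example",
                                                             "carol.example", "nobody.example"]).items():
        print(f"{host:16} https-only -> {https_only!s:8} http-first -> {http_first}")
```

Running the model shows the point of the reply: for alice.example the HTTPS-only check credits mallory's default vhost, while the HTTP-first check credits alice. The residual case is carol.example, an HTTP vhost that redirects to HTTPS without owning an HTTPS vhost; there the redirect lands on the default vhost too, which is the configuration the last sentence of the reply argues is unlikely on such hosts.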
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme