This is a follow-up on "ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics". Since I don't have that mail in my archive (was not subscribed to the list back then), I can't respond directly to that thread. (Stupid mailing lists.)
Could someone explain the exact vulnerability? Since those challenge payloads are bound to a specific domain, I don't see the problem. Additionally, I don't see why it's a problem with HTTPS; why is it mitigated by switching to HTTP? HTTP via port 80 has just the same semantics for default hosts as HTTPS via 443 has.

Regards,
Niklas
