Hi,
i have some security concerns with both methods:
- http-01 here the server only show that he know the public key of the
client. Token + Hash(publicUserKey)
At least the server have the information for which domain he is proving.
- tls-sni-01 here the only task is that the server have to reply with
and certificate with specified subjectAlternativeName
..acme.invalid
The simpleHTTP not only check that the server handle the domain, it also
checked that the server knows the privateUserKey so why not using
simpleHTTP via HTTP if there are HTTPS-Concerns about stupid admin with
default Servers?
Option 1)
For tls-sni we could request ...acme.invalid
And the server response should contain two alternative names.
...acme.invalid
encoded(SHA1withRSA(...acme.invalid , userKey)).SHA1withRSA.acme.invalid
So he proves that he have ht private user key and he know for which
domain he is proving:
Option 2)
signature = HEX(SHA1withRSA(fqdn|'.'|token, userKey))
http := http:///.well-known/acme-challenge//
Reply: text/plain ,
tls-sni: ...acme.invalid
Reply: SubjectAlternativeName: ...acme.invalid
So in this case the server does not require to have access to the
private user key.
He only need access to the public key but than can verify that the
request was issued by some person who have the users private key. That
mean we have an two way identification.
---
Example for tls-sni-01 problem:
I will explain it for tls-sni-01.
1) You have an HTTPS Server that will response to any SNI with an
Matching Selfsigned Certificate.
- This is used for debuging or for example for some types of fw devices
that use non official CA's.
This Device also Host the domain www.interesting-bank.com
<http://www.interesting-bank.com>
2) Now i as an attacker place an request for "www.interesting-bank.com"
and select "tls-sni-01" challenge.
LE will now connect to the ip for "www.interesting-bank.com" and say
hostnameInfo ..acme.invalid
3) The returned certificate will contain ..acme.invalid (Challenge OK)
4) Know i can request Cert for "www.interesting-bank.com" and was never
in hold or had access to the server www.interesting-bank.com
<http://www.interesting-bank.com>.
---
More about this problem and discussions can be found under
https://community.letsencrypt.org/t/getting-bad-vibes/3424/72
Gruß Thomas
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
