On 26/11/15 08:36, Eliot Lear wrote: > Yes. The real issue here is that the cert contains the hostname and not > the port.
So one could define a new always-critical certificate extension saying that the cert is only for use with some set of ports. (Or maybe someone's already defined it, I forget;-) That might enable automation in some situations that'd otherwise be tricky. If folks figured that'd be deployed by browsers, it'd be worth doing. It might be worth doing even if only some other kinds of application benefited, but the web (so just-443) would I guess be the most-used value. (Don't worry about whether that's in scope for acme, if it's a dumb idea it won't be done anywhere and if it's not we'll find a venue.) S. > And so running the test on on other than 443 would provide > for what amounts to a privilege escalation attack. > > On 11/26/15 4:18 AM, Phillip Hallam-Baker wrote: >> I am getting really nervous about allowing any port other than 443. >> >> I just did a scan of a very recent clean install of Windows and there >> are a *TON* of Web servers running for apps that didn't mention they >> had one. >> >> The thing is that if I am running a process on any sort of shared >> host, I can pretty easily spawn a server and start applying for certs >> for other domains. Not only can I get .well-known, I can have any host >> name I like. > > > > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
