On Tue, May 30, 2017 at 06:32:51PM +0300, Yaron Sheffer wrote:
>
>     I'm not sure I understand why the section that describes HTTP
>     validation so specifically forbids using HTTPS. On the other hand, I
>     can think of use cases where I would want *only* HTTPS
>     authorization:
>     
>     - The server only supports HTTPS, and perhaps port 80 is blocked by
>     a firewall. This situation applies to many REST endpoints.
>     - I am migrating from a non-ACME to an ACME cert, and so the server
>     has a perfectly valid HTTPS cert. Or migrating from one ACME CA to a
>     different one.
>     - I would like to ensure (using CAA records) that my CA is not
>     subject to a DNS cache corruption attack - a threat that the ACME
>     Security Considerations specifically mention.
>
>     I would suggest that we specify an HTTPS validation that's exactly
>     like http-01, except that it runs over authenticated HTTPS.

The issue is that many webservers just pick the first vhost they find
as the default vhost, and an attacker might be able to make themselves the
default vhost for HTTPS (HTTP is seemingly also subject to similar
behavior, but it is controlled by different options).

If an attacker can get themselves set as the default vhost, they can pass
validation for any domain name that isn't explicitly configured (for HTTP
or HTTPS, depending on what is used for validation).

-Ilari
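As an added illustration of the default-vhost routing Ilari describes (example code written for this page, not from the thread, the ACME specification or any real web server): a constructed model in which a request whose host name matches no configured vhost is answered by the first vhost in configuration order, together with the defender-side check that the first vhost is an explicit catch-all that refuses challenge URLs.

```python
"""Model of "first configured vhost answers unmatched names", plus an audit
check. Server model, vhost names and owners are constructed for this
example and are not taken from any real configuration."""
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"  # challenge URL path (RFC 8555)


@dataclass
class VHost:
    names: tuple              # server names this vhost answers for
    owner: str                # who controls this vhost's document root
    serves_acme: bool = True  # whether it answers challenge URLs at all


def select_vhost(vhosts, host_header):
    """Exact server-name match, else the FIRST vhost in configuration order
    (the implicit-default behaviour the message describes)."""
    for vh in vhosts:
        if host_header in vh.names:
            return vh
    return vhosts[0]


def challenge_answered_by(vhosts, validated_name):
    """Owner whose content answers a validation GET for validated_name under
    ACME_PREFIX, or None if the selected vhost refuses challenge paths."""
    vh = select_vhost(vhosts, validated_name)
    return vh.owner if vh.serves_acme else None


def audit_default_vhost(vhosts):
    """Defender check: the first vhost must be an explicit catch-all that does
    not serve challenge paths, so a name nobody configured can never be
    validated through whichever vhost happens to be listed first."""
    first = vhosts[0]
    return first.names == ("*",) and not first.serves_acme


# Constructed shared-hosting configs. In UNSAFE a tenant's vhost is listed
# first, so it silently becomes the default for every unconfigured name.
UNSAFE = [VHost(("tenant.example",), "tenant"),
          VHost(("www.example",), "operator")]
# SAFE prepends an explicit catch-all owned by the operator that returns
# nothing for challenge URLs; per-name vhosts still work as before.
SAFE = [VHost(("*",), "operator", serves_acme=False)] + UNSAFE
```

In the unsafe layout a validation for a name that merely resolves to this host but has no vhost of its own lands on the tenant's document root; with the explicit non-serving default it is answered by nobody.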

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme