> That is still vulernable to default-vhost issues if: > > - The hoster does not explicitly reserve default vhost (I have seen that > kind of behavior with http:// too). > - The hoster lets customers upload arbitrary certificates.
I think you also need: - A user is able to trick the server into serving his document root as default vhost - The webserver serves the default tls vhost, even if the CA requested a specific vhost via SNI > Note that this is strictly stronger condition than the one for TLS-SNI > vulernability, which only required capability to upload arbitrary > certificates, but not to control default vhost. Yes, definitively. > (And there are countermeasures that can detect default vhosts). Could you explain in more detail? Will they still work in conjunction with TLS and SNI? Kind regards, Gerd _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
