On Fri, Jan 12, 2018 at 06:21:00PM +0100, Gerd v. Egidy wrote: > > > I think you also need: > > > > > > - A user is able to trick the server into serving his document root as > > > default vhost > > > > > > - The webserver serves the default tls vhost, even if the CA requested a > > > specific vhost via SNI > > > > Well, I think both are impiled by default vhost. > > The first yes. > > But the second I'm not so sure. > > AFAIK, with Apache httpd you'll get the tls default vhost just for requests > without SNI. > > Of course not everyone is using Apache, but I think it makes it an additional > condition for the attack to work.
Actually, reading the detectify post, it seems that at least one hoster has the following problem: If the legit holder of domain has HTTP but not HTTPS enabled, one can take over the HTTPS version, including serving one's own content on it. And thanks to HSTS, this can then used to take over the HTTP version too. -Ilari _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
