On 11/01/2017 16:55, Paul Wouters wrote:
> Are you saying that for an unknown amount of time (years?) someone 
> could have faked the domain validation check, and once it was 
> publicly pointed out so everyone could do this, it took one
> registrar 10 months to fix, during which 8800 domains could have been
> falsely obtained and been used in targetted attacks? Have other
> registrars made any statement on whether they were or were not
> vulnerable to this attack?

The "Agreed-Upon Website Change" domain validation method was not
something that the Baseline Requirements specified in any way prior to
Ballot 169. The BRs basically had a section saying "if you want to use
any other method that you think is as good as the ones specified here,
go for it". (Actually, that section still exists IIRC, thanks to the
patent-related weirdness currently going on in the CA/B Forum.)

There wasn't really a standard way to do this, so some CAs (like
GoDaddy) might have implemented something resembling the ACME http-01
challenge type, where part of the request URL is a random string (and
which suffers from this vulnerability if you only look for that random
string in the response body), while others did something like WoSign,
where the random string has to be served at a static URL (something like
example.com/example.com.txt) or where you have to add a meta tag to your
index page. These other methods would not have suffered from this
particular vulnerability.

It's hard to say how many CAs are affected by this. It's not something
the CA needs to document in their CP(S), so the only way to answer that
question would be to test the domain validation of every
publicly-trusted CA, or ask them and hope the answer is accurate. CAs do
need to keep audit logs for certificate request and the corresponding
domain validations, so perhaps this is something that Mozilla could add
as a question in their next CA communication?

I'd agree that any CA keeping track of the CA/B Forum mailing lists
should've caught this a long time ago. It was brought up at least twice
last year.

> Is there a way to find out if this has actually happened for any 
> domain? I would expect this would show up as "validated"
> certificates that were logged in CT but that were never deployed on
> the real public TLS servers. Is anyone monitoring that? I assume that
> for the "big players" who do self-monitoring, were not affected?
> *crosses fingers*

You could probably make an educated guess for some of the domains (once
they're published) by using censys to see which of those certificates
were observed in the wild during one of their internet scans. It would
not give you the full picture since any number of those certificates
could've been deployed on non-public servers, or on TLS servers that
censys does not scan for (e.g. SMTP/IMAP/... - not sure if they scan
those). That's why a global monitor for something like this would
probably not work.

I'd imagine the big players would've been caught by their manual review
process flagging for high-risk domains.
dev-security-policy mailing list

Reply via email to