On 11/01/2017 16:55, Paul Wouters wrote:
> Are you saying that for an unknown amount of time (years?) someone 
> could have faked the domain validation check, and once it was 
> publicly pointed out so everyone could do this, it took one
> registrar 10 months to fix, during which 8800 domains could have been
> falsely obtained and been used in targeted attacks? Have other
> registrars made any statement on whether they were or were not
> vulnerable to this attack?

The "Agreed-Upon Website Change" domain validation method was not
something that the Baseline Requirements specified in any way prior to
Ballot 169. The BRs basically had a section saying "if you want to use
any other method that you think is as good as the ones specified here,
go for it". (Actually, that section still exists IIRC, thanks to the
patent-related weirdness currently going on in the CA/B Forum.)

There wasn't really a standard way to do this, so some CAs (like
GoDaddy) might have implemented something resembling the ACME http-01
challenge type, where part of the request URL is a random string (and
which suffers from this vulnerability if you only look for that random
string in the response body), while others did something like WoSign,
where the random string has to be served at a static URL (something like
example.com/example.com.txt) or where you have to add a meta tag to your
index page. These other methods would not have suffered from this
particular vulnerability.

It's hard to say how many CAs are affected by this. It's not something
the CA needs to document in their CP(S), so the only way to answer that
question would be to test the domain validation of every
publicly-trusted CA, or ask them and hope the answer is accurate. CAs do
need to keep audit logs for certificate requests and the corresponding
domain validations, so perhaps this is something that Mozilla could add
as a question in their next CA communication?

I'd agree that any CA keeping track of the CA/B Forum mailing lists
should've caught this a long time ago. It was brought up at least twice
last year.

> Is there a way to find out if this has actually happened for any 
> domain? I would expect this would show up as "validated"
> certificates that were logged in CT but that were never deployed on
> the real public TLS servers. Is anyone monitoring that? I assume that
> for the "big players" who do self-monitoring, were not affected?
> *crosses fingers*

You could probably make an educated guess for some of the domains (once
they're published) by using Censys to see which of those certificates
were observed in the wild during one of their internet scans. It would
not give you the full picture since any number of those certificates
could've been deployed on non-public servers, or on TLS servers that
Censys does not scan for (e.g. SMTP/IMAP/... - not sure if they scan
those). That's why a global monitor for something like this would
probably not work.

I'd imagine the big players would've been caught by their manual review
process flagging for high-risk domains.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
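The weakness described in the reply (a token placed in the request URL that is then only searched for in the response body, so a server echoing the requested path into its error page passes validation) can be illustrated with a tiny validator. This is an added example, not code from the thread or from any CA; the `Response`, `weak_check`, `strict_check` and `sample_responses` names are assumptions, and the responses are constructed, with no network involved.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (status code and body)."""
    status: int
    body: str


def make_token() -> str:
    """Random challenge value the CA asks the applicant to publish."""
    return secrets.token_urlsafe(32)


def weak_check(resp: Response, token: str) -> bool:
    """The flawed validation from the thread: the token is looked for
    anywhere in the body, regardless of status. A server that echoes the
    requested path (which contains the token) into its 404 page passes
    this although the applicant never published anything."""
    return token in resp.body


def strict_check(resp: Response, token: str) -> bool:
    """Hardened validation: only a 200 response whose trimmed body is
    exactly the token counts. Reflected paths, error pages and a token
    embedded in surrounding HTML all fail. Constant-time comparison
    avoids leaking the expected value through timing."""
    if resp.status != 200:
        return False
    return secrets.compare_digest(resp.body.strip(), token)


def sample_responses(token: str) -> dict:
    """Constructed responses for a challenge fetched at
    /.well-known/<token>.html on three different servers."""
    return {
        # The applicant really published the token.
        "published": Response(200, token + "\n"),
        # Default error page that echoes the requested path.
        "reflected_404": Response(404, "<h1>404 Not Found</h1>"
                                       f"<p>/.well-known/{token}.html was not found.</p>"),
        # Soft-404: status 200 but still only the echoed path.
        "reflected_200": Response(200, f"<html><body>No page at /{token}.html"
                                       "</body></html>"),
    }


def verdicts(token: str) -> dict:
    """Return {name: (weak_result, strict_result)} for every sample."""
    return {name: (weak_check(r, token), strict_check(r, token))
            for name, r in sample_responses(token).items()}
```

A static-URL scheme (token file at a fixed path, or a meta tag), as the reply notes for WoSign-style methods, keeps the token out of the request path, so there is nothing for an error page to reflect in the first place.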