On 11/01/2017 19:06, Nick Lamb wrote: > For those who haven't (unlike Patrick) sat down and read the ACME > specification, ACME http-01 won't get tripped here because the > checked content of the URL is very much not the random string (it's a > JWS signature over a data structure containing that random string, > thereby proving it was made by whoever the ACME server is talking > to). But yes, doing something that _looks_ superficially like the > ACME style of validation without such subtlety will trip you up.
Thanks, that's a better way of phrasing what I was trying to say. ;-) > In this very particular case, where the affected validation was > specific to web servers, it seems extremely likely that almost all of > the legitimate certificates (which may be, and we hope is, all of > them) were subsequently put into use on a web server. > > Why go to the bother of setting up a web server on say, > smtp.example.com, only to get yourself a certificate, and then turn > off the web server and use the certificate for SMTP? It's not > impossible, but it would be very much the exception. I don't know this specifically for GoDaddy, but many commercial CAs I've dealt with in the past typically only validate the "registered domain" portion (e.g. example.com) of the FQDN and then give you certificates for any subdomain (e.g. smtp.example.com) under that domain. I think the approach used by Let's Encrypt, where each FQDN has to be validated individually, is not all that common otherwise. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
