[removing Matt from the cc list]

OK, I thought it was established that CloudFlare used the DNS method but if 
it's unknown, that's fine.

I agree that the magic-email-address method and the modify-your-website method 
are horrible. They are entirely too easy to compromise making it hard to reach 
a firm conclusion in all cases that the person requesting the cert should 
rightfully receive the cert. I think the WHOIS-based method is marginally 
better but is still susceptible to compromise by bad actors.

So the DNS-based method does come out ahead on a list of weak authentication 
methods. Of course this method can be compromised if you hand over control to 
someone else (either knowingly or unknowingly). Or if the account you use to 
control your DNS entries is easily hacked. Or if a sufficiently motivated 
attacker engages in DNS cache poisoning.

Of course all of these methods require that the CA has implemented the checks 
correctly on their side.

  Original Message  
From: Matt Palmer
Sent: Tuesday, September 20, 2016 8:01 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Certificate Concern about Cloudflare's DNS

[No need to Cc me; I read the list]

On Tue, Sep 20, 2016 at 05:37:03PM -0500, Peter Kurrasch wrote:
> From: Matt Palmer
> I took Florian's comment to mean that the structure of what CloudFlare is
> doing is essentially a proxy service that is able to manipulate DNS entries
> to obtain a certificate. In the case of CloudFlare, we understand their
> business and thus presume that the action is OK. For anybody else,
> though...???
> Put another way: Just because you can manipulate DNS entries does not
> necessarily mean you are the right person to receive a cert. Rather, it's
> "I hope you are the right person". If Florian had a different
> meaning, though, it would be good to get him to clarify that.

There's no indication that Cloudflare used DNS, specifically, to prove
control of any of the validated names in the certificate. All of the names
were, at one time or another (and all bar one still is) resolving to a
Cloudflare IP. It's unfortunate (though understandable) that Comodo weren't
able or willing to disclose the validation method used, but since every name
in the cert is, or was at some point, provided HTTP service by Cloudflare,
it seems reasonable to believe that was the method of control validation
used in this instance.

Frankly, though, to my mind DNS is the *best* (or, if you prefer, *least
worst*) way of demonstrating control of a name -- because that's where the
name originates from. Blessed e-mail addresses and "can respond to HTTP"
are far less compelling answers to the question, "does the applicant have
effective control of the name(s) being validated?". Control over DNS
allows you to subvert any other method of control validation.

Thus, be careful who you grant control over your DNS records. End of story.

- Matt
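To make Matt's closing point concrete ("Control over DNS allows you to subvert any other method of control validation"), here is an added example that is not part of the thread and not Comodo's or Cloudflare's code. It is a toy model of a CA running the three validation methods discussed (HTTP file, e-mail to an address at the domain, DNS TXT record) against an in-memory zone. The domain, IP addresses, parties and the `_validation` TXT label are all constructed for the illustration.

```python
"""Toy model of three domain-control validation methods (HTTP file,
approved e-mail address, DNS TXT record).  It shows the point made in
the thread: whoever controls the zone's DNS can satisfy every method,
while the original operator of the web and mail servers cannot.
Added example; zone, hosts, IPs and parties below are constructed."""
import hmac
import secrets

TXT_LABEL = "_validation"        # assumed label for the DNS challenge record


class Zone:
    """In-memory stand-in for a domain's authoritative DNS zone."""
    def __init__(self, controller):
        self.controller = controller   # the party allowed to edit records
        self.records = {}              # (name, rtype) -> [values]

    def set(self, actor, name, rtype, *values):
        if actor is not self.controller:
            return False               # not authorised to edit this zone
        self.records[(name.lower(), rtype)] = list(values)
        return True

    def lookup(self, name, rtype):
        return list(self.records.get((name.lower(), rtype), []))


class Party:
    """Someone operating servers; hosts maps IP -> served files and inbox."""
    def __init__(self, name, *ips):
        self.name = name
        self.hosts = {ip: {"files": {}, "inbox": []} for ip in ips}


def fresh_token():
    return secrets.token_urlsafe(24)   # unpredictable, single-use challenge


def validate(method, zone, internet, domain, applicant):
    """CA side of one validation: issue a fresh token, let the applicant do
    its part, then check the token comes back *through the domain*.
    'internet' maps IP -> the Party operating the server at that address."""
    token = fresh_token()
    if method == "http":
        path = f"/.well-known/pki-validation/{token}"
        for host in applicant.hosts.values():   # applicant publishes the file
            host["files"][path] = token
        for ip in zone.lookup(domain, "A"):     # CA fetches via the A record
            served = internet[ip].hosts[ip]["files"].get(path, "")
            if hmac.compare_digest(token, served):
                return True
        return False
    if method == "email":
        for ip in zone.lookup(domain, "MX"):    # CA mails the MX host
            internet[ip].hosts[ip]["inbox"].append(token)
        seen = [m for h in applicant.hosts.values() for m in h["inbox"]]
        return any(hmac.compare_digest(token, m) for m in seen)
    if method == "dns":
        name = f"{TXT_LABEL}.{domain}"
        zone.set(applicant, name, "TXT", token)  # silently fails if not controller
        return any(hmac.compare_digest(token, v) for v in zone.lookup(name, "TXT"))
    raise ValueError(f"unknown method {method!r}")


def scenario():
    """Run all three methods for two parties before and after DNS control
    of the zone changes hands.  Returns {(phase, party, method): passed}."""
    alice = Party("alice", "192.0.2.10", "192.0.2.25")   # web + mail servers
    mallory = Party("mallory", "198.51.100.7")           # one server
    internet = {ip: p for p in (alice, mallory) for ip in p.hosts}
    domain = "example.test"
    zone = Zone(controller=alice)
    zone.set(alice, domain, "A", "192.0.2.10")
    zone.set(alice, domain, "MX", "192.0.2.25")

    results = {}
    for phase in ("before", "after"):
        if phase == "after":
            # Control of the zone is handed over (knowingly or not); Alice's
            # servers are untouched, only the DNS records now point elsewhere.
            zone.controller = mallory
            zone.set(mallory, domain, "A", "198.51.100.7")
            zone.set(mallory, domain, "MX", "198.51.100.7")
        for party in (alice, mallory):
            for method in ("http", "email", "dns"):
                results[(phase, party.name, method)] = validate(
                    method, zone, internet, domain, party)
    return results


if __name__ == "__main__":
    for key, passed in sorted(scenario().items()):
        print(key, "PASS" if passed else "fail")
```

Before the handover every method passes for Alice and fails for Mallory; after it, the reverse, even though Alice still runs the web and mail servers. The CA-side details (fresh random token per attempt, constant-time comparison, exact-path match) are what the first message means by the CA implementing the checks correctly, but none of them help once the zone itself is in the wrong hands.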

dev-security-policy mailing list