[removing Matt from the cc list] OK, I thought it was established that CloudFlare used the DNS method but if it's unknown, that's fine.
I agree that the magic-email-address method and the modify-your-website method are horrible. They are entirely too easy to compromise, making it hard to reach a firm conclusion in all cases that the person requesting the cert should rightfully receive the cert. I think the WHOIS-based method is marginally better but is still susceptible to compromise by bad actors. So the DNS-based method does come out ahead on a list of weak authentication methods. Of course this method can be compromised if you hand over control to someone else (either knowingly or unknowingly). Or if the account you use to control your DNS entries is easily hacked. Or if a sufficiently motivated attacker engages in DNS cache poisoning. Of course all of these methods require that the CA has implemented the checks correctly on their side.

Original Message
From: Matt Palmer
Sent: Tuesday, September 20, 2016 8:01 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Certificate Concern about Cloudflare's DNS

[No need to Cc me; I read the list]

On Tue, Sep 20, 2016 at 05:37:03PM -0500, Peter Kurrasch wrote:
> From: Matt Palmer
...snip...
>
> I took Florian's comment to mean that the structure of what CloudFlare is
> doing is essentially a proxy service that is able to manipulate DNS entries
> to obtain a certificate. In the case of CloudFlare, we understand their
> business and thus presume that the action is OK. For anybody else,
> though...???
>
> Put another way: Just because you can manipulate DNS entries does not
> necessarily mean you are the right person to receive a cert. Rather, it's
> "I hope you are the right person". If Florian had a different
> meaning, though, it would be good to get him to clarify that.

There's no indication that Cloudflare used DNS, specifically, to prove control of any of the validated names in the certificate. All of the names were, at one time or another (and all bar one still are) resolving to a Cloudflare IP.

It's unfortunate (though understandable) that Comodo weren't able or willing to disclose the validation method used, but since every name in the cert is, or was at some point, provided HTTP service by Cloudflare, it seems reasonable to believe that was the method of control validation used in this instance.

Frankly, though, to my mind DNS is the *best* (or, if you prefer, *least worst*) way of demonstrating control of a name -- because that's where the name originates from. Blessed e-mail addresses and "can respond to HTTP" are far less compelling answers to the question, "does the applicant have effective control of the name(s) being validated?". Control over DNS allows you to subvert any other method of control validation. Thus, be careful who you grant control over your DNS records. End of story.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
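An added illustration of the point in Matt's reply (that whoever controls a name's DNS zone can satisfy every other control-validation method) and of the ranking Peter gives the methods. This is example code written for this page, not code from the thread, from Comodo or from Cloudflare. The zone, IP addresses, mail hosts, token format and the validation path are constructed stand-ins for a CA's checks, and the model deliberately assumes the CA implements each check correctly so that only the applicant's position in the system varies.

```python
"""Toy model of CA domain-control validation (HTTP file, DNS TXT, e-mail).

Constructed illustration: every name, address and path below is made up.
The model assumes the CA's own checks are implemented correctly; what
changes between scenarios is only what the applicant controls.
"""
from dataclasses import dataclass, field
import secrets


class Zone:
    """A DNS zone as (record type, owner name) -> value. Constructed sample."""

    def __init__(self):
        self.records = {}

    def set(self, rtype, name, value):
        self.records[(rtype, name.lower())] = value

    def get(self, rtype, name):
        return self.records.get((rtype, name.lower()))


@dataclass
class Internet:
    """What a validator can observe is resolved through the zone: HTTP follows
    the A record, mail follows the MX record, TXT is read directly."""
    zone: Zone
    web_hosts: dict = field(default_factory=dict)   # ip -> {path: body}
    mail_hosts: dict = field(default_factory=dict)  # mail host -> {addr: [body]}

    def http_get(self, host, path):
        return self.web_hosts.get(self.zone.get("A", host), {}).get(path)

    def send_mail(self, address, body):
        mx = self.zone.get("MX", address.split("@", 1)[1])
        self.mail_hosts.setdefault(mx, {}).setdefault(address, []).append(body)


class CA:
    """Issues a random single-use token per (method, domain) and checks it."""

    def __init__(self, net):
        self.net = net
        self.pending = {}

    def challenge(self, method, domain):
        token = secrets.token_hex(8)
        self.pending[(method, domain)] = token
        if method == "email":  # the token leaves the CA only by mail
            self.net.send_mail(f"admin@{domain}", token)
        return token

    def validate(self, method, domain, response=None):
        token = self.pending.pop((method, domain), None)
        if token is None:
            return False
        if method == "http":  # assumed path, not any real CA's procedure
            return self.net.http_get(domain, f"/.well-known/pki-validation/{token}") == token
        if method == "dns":
            return self.net.zone.get("TXT", f"_validation.{domain}") == token
        return method == "email" and response == token


@dataclass
class Actor:
    web_ip: str          # a web host this actor can publish files on
    mail_host: str       # a mail host whose mailboxes this actor can read
    controls_zone: bool  # can this actor edit the domain's DNS records?


DOMAIN = "example.test"  # constructed; the legitimate owner's records are set in attempt()


def attempt(actor):
    """Fresh scenario per call; returns {method: passed} for the given actor."""
    zone = Zone()
    zone.set("A", DOMAIN, "203.0.113.10")        # owner's web host
    zone.set("MX", DOMAIN, "mail.example.test")  # owner's mail host
    net, out = Internet(zone), {}
    ca = CA(net)

    # HTTP: the CA fetches the token from wherever the A record points.
    token = ca.challenge("http", DOMAIN)
    if actor.controls_zone:
        zone.set("A", DOMAIN, actor.web_ip)
    net.web_hosts.setdefault(actor.web_ip, {})[f"/.well-known/pki-validation/{token}"] = token
    out["http"] = ca.validate("http", DOMAIN)

    # DNS TXT: only a zone editor can place the record at all.
    token = ca.challenge("dns", DOMAIN)
    if actor.controls_zone:
        zone.set("TXT", f"_validation.{DOMAIN}", token)
    out["dns"] = ca.validate("dns", DOMAIN)

    # E-mail: the token is delivered to wherever the MX record points.
    if actor.controls_zone:
        zone.set("MX", DOMAIN, actor.mail_host)
    ca.challenge("email", DOMAIN)
    inbox = net.mail_hosts.get(actor.mail_host, {}).get(f"admin@{DOMAIN}", [])
    out["email"] = ca.validate("email", DOMAIN, inbox[-1] if inbox else None)
    return out


OWNER = Actor("203.0.113.10", "mail.example.test", controls_zone=True)
WEB_HOST_ONLY = Actor("203.0.113.10", "mail.other.test", controls_zone=False)  # hoster/CDN
ZONE_HIJACKER = Actor("198.51.100.7", "mail.other.test", controls_zone=True)   # stolen DNS login

if __name__ == "__main__":
    for name, actor in [("owner", OWNER), ("web host only", WEB_HOST_ONLY),
                        ("zone hijacker", ZONE_HIJACKER)]:
        print(f"{name:14} {attempt(actor)}")
```

Running it shows the asymmetry the thread is arguing about: a party that merely serves the site's HTTP traffic passes the HTTP check and nothing else, while a party that can edit the zone passes HTTP, DNS and e-mail alike, because the A and MX records decide where the other two checks are actually answered.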