On 12/01/18 14:52, Doug Beattie wrote: > For shared IP address environments, it may be possible to receive a > certificate for a domain you don’t actually control, but a number of > things need to happen in order for this to be successful. What can > go wrong?
Doug: what do you see as the exact differences between your setup and the TLS-SNI-01 configuration? It seems to me that both are vulnerable in the same circumstances (i.e., hosting provider has many users hosted on the same IP address, and users have the ability to upload certificates for arbitrary names without proving domain control). Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
