I'm slightly concerned that this exact text allows the "Random Value" or "Request Token" to be in the path, as long as the entire RWC is not in the path.
Should it perhaps instead say that the Random Value or Request Token part of the RWC must not appear in the path?

-Tim

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of J.C. Jones
Sent: Monday, May 02, 2016 2:28 PM
To: Gervase Markham
Cc: [email protected]
Subject: Re: [cabfpub] Pre-Ballot 169: Revised Validation Requirements

All,

One concern with mandating a prefix is that it would break the HTTP validation for the ACME protocol. After some discussions, I'd like to propose adding a new term "Required Website Content" and use that term in the method. Credit to Andrew Ayer for the proposed text (thanks!).

The diff against Ballot-169 is available at GitHub [1], and can be made into a pull request (into Ballot-169 branch) if desired.

New Term:

**Required Website Content**: Either a Random Value or a Request Token, optionally concatenated with additional information as specified by the CA.

Method Change (additions in +{ }+ brackets):

##### 3.2.2.4.6 Agreed-Upon Change to Website

Confirming the Applicant's control over the requested FQDN by confirming the presence of +{Required Website Content}+ (contained in the content of a file or on a web page in the form of a meta tag) under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that can be validated over an Authorized Port. +{The entire Required Website Content MUST NOT appear in the path used to retrieve the file or web page.}+

1) http://scanmail.trustwave.com/?c=4062&d=15yn16AuR_LXsSVpRkrsubRsDevOE_8__pvrBZZ2xg&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fcompare%2fBallot-169%2e%2e%2ejcjones%3aBallot-169%3fexpand%3d1

Cheers,
J.C.

On Mon, May 2, 2016 at 9:33 AM, Gervase Markham <[email protected]> wrote:
> On 30/04/16 00:14, Peter Bowen wrote:
>> I've found a possible vulnerability with 3.2.2.4.6. Agreed-Upon
>> Change to Website. If the Random Value or Request Token is contained
>> in the URI path, then certain websites will return it in the meta tag
>> of the resulting page.
>
> Could we require that it appear in the returned data with a particular
> prefix, such as "Response: "?
>
>> Returns 200 with a page containing:
>> <meta property="og:title"
>> content=".well-known/pki-validation/06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b: Search Results from Example">
>> <meta property="og:url"
>> content="http://scanmail.trustwave.com/?c=4062&d=15yn16AuR_LXsSVpRkrsubRsDevOE_8__pPtA5V0nw&s=5&u=http%3a%2f%2fwww%2eexample%2ecom%2fsearch%3fq%3d%2ewell-known%252Fpki-validation%252F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b
>
> Did you try exploiting this as a Cross-Site Scripting vulnerability?
> :-)
>
> Gerv
>
> _______________________________________________
> Public mailing list
> [email protected]
> http://scanmail.trustwave.com/?c=4062&d=15yn16AuR_LXsSVpRkrsubRsDevOE_8__sa5BJRwlw&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
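As an added illustration (not part of the thread, and not any CA's validator), the following Python checker implements the path rule from the proposed 3.2.2.4.6 text and, as an option, the stricter reading Tim asks about (the Random Value itself must not appear in the path). It runs both against a constructed stand-in for the reflecting site Peter Bowen describes, where the server echoes the request path into an og:title meta tag. The Random Value, hostnames, file names and function names are all invented for the example.

```python
"""Toy checker for the revised "Agreed-Upon Change to Website" method.

Example code written for this page, not the ballot text and not a CA's
implementation. The Random Value, the fake site and all names are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

PKI_VALIDATION_DIR = "/.well-known/pki-validation/"

# Constructed 64-hex-digit Random Value, the same shape as the one in the thread.
RANDOM_VALUE = "9f2c" * 16


def request_path(url: str) -> str:
    """Decoded path component of the URL the CA fetches."""
    return unquote(urlsplit(url).path)


def rwc_in_response(body: str, rwc: str) -> bool:
    """The content test on its own: RWC as the whole file, or inside a meta tag."""
    if body.strip() == rwc:
        return True
    return any(rwc in m.group(1)
               for m in re.finditer(r'<meta\b[^>]*\bcontent="([^"]*)"', body, re.I))


def validate(url: str, body: str, random_value: str, ca_extra: str = "",
             forbid_random_value_in_path: bool = False):
    """Return (ok, reason).

    ca_extra is the CA-specified information optionally concatenated to the
    Random Value; the Required Website Content (RWC) is the concatenation.
    forbid_random_value_in_path=True applies the stricter reading from the
    reply above: the Random Value itself may not appear in the path.
    """
    rwc = random_value + ca_extra
    path = request_path(url)
    if not path.startswith(PKI_VALIDATION_DIR):
        return False, "not under /.well-known/pki-validation"
    if rwc in path:
        return False, "entire Required Website Content appears in the path"
    if forbid_random_value_in_path and random_value in path:
        return False, "Random Value appears in the path"
    if not rwc_in_response(body, rwc):
        return False, "Required Website Content not found in response"
    return True, "ok"


def reflecting_site(url: str) -> str:
    """Constructed stand-in for the behaviour reported in the thread: the site
    answers 200 and echoes the request path into an og:title meta tag."""
    echoed = request_path(url).lstrip("/")
    return ('<html><head><meta property="og:title" '
            f'content="{echoed}: Search Results from Example"></head></html>')


def demo():
    results = {}
    # 1. Random Value used as the file name, no CA suffix (ACME-style layout):
    #    the reflecting site's page "contains" the RWC, so the content test
    #    alone is fooled; the path rule rejects it.
    url = f"http://www.example.com{PKI_VALIDATION_DIR}{RANDOM_VALUE}"
    body = reflecting_site(url)
    results["content_test_only"] = rwc_in_response(body, RANDOM_VALUE)
    results["ballot_rule"] = validate(url, body, RANDOM_VALUE)
    # 2. Same layout, CA-specified information appended: the entire RWC is no
    #    longer in the path, so only the stricter reading rejects on the path;
    #    the lenient reading falls through to the content test instead.
    results["with_extra_lenient"] = validate(url, body, RANDOM_VALUE,
                                             ca_extra=".example-ca")
    results["with_extra_strict"] = validate(url, body, RANDOM_VALUE,
                                            ca_extra=".example-ca",
                                            forbid_random_value_in_path=True)
    # 3. Layout that satisfies both readings: fixed file name, RWC only in the body.
    good_url = f"http://www.example.com{PKI_VALIDATION_DIR}validation.txt"
    results["compliant"] = validate(good_url, RANDOM_VALUE + ".example-ca\n",
                                    RANDOM_VALUE, ca_extra=".example-ca")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Case 1 is the reported problem: a body-only check accepts the echoed path, and the "entire RWC MUST NOT appear in the path" rule is what stops it. Case 2 shows the gap the reply above points at: with CA-specified information appended, the path rule as written no longer triggers on a path that carries the Random Value, and the outcome depends on whether the site reflects only the path or something more.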
