On 26/11/15 08:36, Eliot Lear wrote:
> Yes. The real issue here is that the cert contains the hostname and not
> the port.
So one could define a new always-critical certificate extension
saying that the cert is only for use with some set of ports. (Or
maybe someone's already defined it, I
> On 26 Nov 2015, at 1:00 PM, Stephen Farrell wrote:
>
>
>
> On 26/11/15 08:36, Eliot Lear wrote:
>> Yes. The real issue here is that the cert contains the hostname and not
>> the port.
>
> So one could define a new always-critical certificate extension
> saying
On 26/11/15 11:27, Yoav Nir wrote:
>
>> On 26 Nov 2015, at 1:00 PM, Stephen Farrell wrote:
>>
>>
>>
>> On 26/11/15 08:36, Eliot Lear wrote:
>>> Yes. The real issue here is that the cert contains the hostname
>>> and not the port.
>>
>> So one could define a
The argument for a scan is not that it will be comprehensive.
There's a huge amount of software out there that has started using
various ports in standard and non-standard ways; the more software
happens to use a given port, the more risk of remote attacks on ACME DV
via quirks or bugs in that
I am getting really nervous about allowing any port other than 443.
I just did a scan of a very recent clean install of Windows and there are a
*TON* of Web servers running for apps that didn't mention they had one.
The thing is that if I am running a process on any sort of shared host, I
can
It's an issue with shared hosting where users have shell access but no root
access.
2015-11-24 17:49 GMT+01:00 Eliot Lear:
> Yes, thanks, Yoav. Apologies to Randy and Kathleen for my terseness.
>
> Eliot
>
>
> On 11/24/15 5:46 PM, Yoav Nir wrote:
> > I think Eliot meant RFC
I think Eliot meant RFC 5785 /.well-known/ locations, rather than well-known ports
Yoav
> On 24 Nov 2015, at 6:37 PM, Kathleen Moriarty wrote:
>
> I agree with Eliot, I don't think a scan is needed to make a decision
> here. Having managed several
Yes, thanks, Yoav. Apologies to Randy and Kathleen for my terseness.
Eliot
On 11/24/15 5:46 PM, Yoav Nir wrote:
> I think Eliot meant RFC 5785 /.well-known/ locations, rather than well known
> ports
>
> Yoav
>
>> On 24 Nov 2015, at 6:37 PM, Kathleen Moriarty
>>
On Mon, Nov 23, 2015 at 09:52:07AM -0800, Martin Thomson wrote:
> Could we ask IANA for a reserved system port (<1024)? Then it would
> be possible for an ACME client to operate without disturbing running
> services.
I wrote this on the github issue, but should have posted it here:
It seems
> Isn't this precisely what .well-known was meant to address?
fun small research project. what percentage of well-known ports can
you connect to from the outside to a machine inside cisco? hell, to
what percentage of well-known ports outside cisco can you reach from
inside?
well-known does not
On Mon, Nov 23, 2015 at 12:52 PM, Martin Thomson wrote:
> The problem is that the ACME server needs some sort of assurance
> that the client controls the server. Showing control over the server
> on port 443 is probably the best signal possible.
>
> Showing control
On 23 November 2015 at 10:09, Douglas Calvert wrote:
> How does showing control over port 443 convey more information than showing
> control over port 22, 80, 487, 1023?
Basic information theory:
p(control over 443) < p(control over any port under 1024) <
which is easier, going through kink on 443 or getting the IT security
team to punch a hole for ?
randy
___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
+1 on both Rich's request and the IANA suggestion.
I think something that would help for this purpose would be an
Internet-wide zmap scan of some plausible ports, to ensure there isn't
anything in widespread use on them that could be a relevant attack
surface for the challenge protocols.
Anyone
>> which is easier, going through kink on 443 or getting the IT security
>> team to punch a hole for ?
> Would it help if you could choose the option that sucked least for
> your particular situation? That was what I was thinking.
yes, it would help
i admit to thinking of it as turning off a
Allowing the Web server to continue running on 443 while validation takes place
on another port seems like a straightforward resolution to the issue that is
raised.
Russ
On Nov 21, 2015, at 1:03 PM, Salz, Rich wrote:
> Please see here for the background:
>