RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

...@sleevi.com] Sent: Monday, January 15, 2018 4:56 PM To: Doug Beattie <doug.beat...@globalsign.com> Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org>; Wayne Thayer <wtha...@mozilla.com> Subject: Re: Possible Issue with Domain V

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, Jan 15, 2018 at 4:54 PM, Eric Mill wrote: > I can only go on what's on the public list, but if it is as it appears and > GS proactively researched their offering, identified a similar weakness via > a separate BR method, and voluntarily turned off their implementation

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; > Gervase Markham <g...@mozilla.org>; Wayne Thayer <wtha...@mozilla.com> > *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared > hosting environment > > > > > > > > On Mon, Jan

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, Jan 15, 2018 at 4:22 PM, Ryan Sleevi wrote: > > > On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> That said, GlobalSign's offer to cut certificate lifetimes down to X >> months >> during the

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: Ryan, I’m not sure where we g

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > That said, GlobalSign's offer to cut certificate lifetimes down to X months > during the short-term, and to make sure OneClick is disabled within Y > months from now, seems like a

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > I’m not sure where we go from here. As suggested, we encourage you to work on devising technical mitigations or alternative methods of validating such certificates

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, Jan 15, 2018 at 2:30 PM, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie > > wrote: > > > > > - The potential risk in maintaining this whitelist, given both the > >

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

> -Original Message- > From: Nick Lamb [mailto:n...@tlrmx.org] > Sent: Monday, January 15, 2018 2:39 PM > > > - Total number of active OneClick customers: < 10 > > What constitutes a OneClick customer in this sense? These are web hosting companies that receive certificates for

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

ists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment (Wearing a Google Hat) Doug, Thanks for sharing additional details. On the basis of what you've shared so far, we do not beli

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Mon, 15 Jan 2018 18:18:10 + Doug Beattie via dev-security-policy wrote: > - Total number of active OneClick customers: < 10 What constitutes a OneClick customer in this sense? The focus of concern for tls-sni-01 was service providers who

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

...@mozilla.com>; Gervase Markham < > g...@mozilla.org>; r...@sleevi.com; mozilla-dev-security-policy@ > lists.mozilla.org > *Subject:* Re: Possible Issue with Domain Validation Method 9 in a shared > hosting environment > > > > (Wearing a Google Hat) > >

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment (Wearing a Google Hat) Doug, Thanks for sharing additional details. On the basis of what you've shared so far, we do not believe this results in an appropriate level of security for the ecosystem, and request

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

Sleevi, Valid point, no intention to confuse, I have no current affiliation with GlobalSign, though I once did. The documentation that described the protocol seems to no longer be online, the behavior is observable and has been discussed in the validation working group within the CABFORUM so it

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Sat, Jan 13, 2018 at 8:46 PM, Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote: > > On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via > dev-security-policy wrote: > > > I’d like to

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Friday, January 12, 2018 at 6:10:00 PM UTC-8, Matt Palmer wrote: > On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via > dev-security-policy wrote: > > I’d like to follow up on our investigation and provide the community with > > some more information about how we use Method 9. > > >

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Fri, Jan 12, 2018 at 02:52:54PM +, Doug Beattie via dev-security-policy wrote: > I’d like to follow up on our investigation and provide the community with > some more information about how we use Method 9. > > 1) Client requests a test certificate for a domain (only one FQDN) Does

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Fri, Jan 12, 2018 at 4:24 PM, Doug Beattie wrote: > Wayne, > > > > We didn’t really investigate wildcard issuance yet, but we can. > > > > Given the discuss so far, we’re planning to proceed with a whitelisting > approach tomorrow and we will plan to end the use

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

zilla.org>; r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie <doug.beat...@globalsign.com<mailto:doug.beat...@globalsign.com>>

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Fri, Jan 12, 2018 at 11:21 AM, Doug Beattie wrote: > > > Normally a web hosting provider should not let you set SNI for a domain > someone else is using, especially on that IP address. I think this is > where method 9 deviates from method 10. > > > I agree, it

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

Issue with Domain Validation Method 9 in a shared hosting environment Doug, I have some questions: c.The hosting company must allow you to manually create and upload a CSR for a site you don’t own Did you mean to say 'certificate' here instead of 'CSR'? Yes, I meant to say certificat

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On 12/01/18 14:52, Doug Beattie wrote: > For shared IP address environments, it may be possible to receive a > certificate for a domain you don’t actually control, but a number of > things need to happen in order for this to be successful. What can > go wrong? Doug: what do you see as the exact

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

Doug, I have some questions: > > c.The hosting company must allow you to manually create and upload > a CSR for a site you don’t own > > Did you mean to say 'certificate' here instead of 'CSR'? d. The user must be able to trick the hosting provider to enable SNI > for this domain

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

la-dev-security-pol...@lists.mozilla.org Subject: Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>&

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Based on reported issues with TLS-SNI-01, we started investigation of our > systems late yesterday regarding the use of "Test Certificate" validation, > BR section 3.2.2.4.9.