Re: WoSign Issue L and port 8080

2016-09-19 Thread Jakob Bohm
On 17/09/2016 16:30, Florian Weimer wrote: * Nick Lamb: On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote: does dns hijacking or dns cache poisoning count as mitm? A careful CA validator does DNS only by making authoritative queries, so they're not subject to cache poisoning since

Re: WoSign Issue L and port 8080

2016-09-17 Thread Florian Weimer
* Nick Lamb: > On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote: >> does dns hijacking or dns cache poisoning count as mitm? > > A careful CA validator does DNS only by making authoritative queries, > so they're not subject to cache poisoning since they don't look at > cached answers. I'm
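The claim quoted in this message, that a validator which issues only authoritative queries is not exposed to recursive-cache poisoning, as a runnable sketch. This is an added example and not code from the thread or from any CA: the name-server addresses, zone contents and the poisoned cache entry are constructed for the demo, and `fake_send_query` stands in for a real UDP exchange with each authoritative server.

```python
# Added illustration (not from the thread). An iterative resolver walks the
# delegation chain from the root and accepts rdata only from a response with
# the AA (authoritative answer) flag set; a recursive resolver's cache is never
# on the lookup path, so a poisoned entry there cannot steer the validator.
# All addresses and zone data below are constructed (RFC 5737 test ranges).
from dataclasses import dataclass, field


@dataclass
class Response:
    aa: bool                                     # authoritative-answer flag
    answers: list = field(default_factory=list)  # [(name, type, rdata)]
    referral: list = field(default_factory=list) # [(child_zone, ns_name)]
    glue: dict = field(default_factory=dict)     # ns_name -> address


# Constructed authoritative servers (hypothetical addresses).
ROOT_NS = "198.51.100.1"
COM_NS = "198.51.100.2"
EXAMPLE_NS = "203.0.113.10"
TRUE_WWW = "203.0.113.80"

SERVERS = {
    ROOT_NS: {"zone": ".",
              "delegations": {"com.": [("ns.com-tld.test.", COM_NS)]},
              "records": {}},
    COM_NS: {"zone": "com.",
             "delegations": {"example.com.": [("ns1.example.com.", EXAMPLE_NS)]},
             "records": {}},
    EXAMPLE_NS: {"zone": "example.com.",
                 "delegations": {},
                 "records": {("www.example.com.", "A"): [TRUE_WWW]}},
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def fake_send_query(server, qname, qtype):
    """Stand-in for one UDP query to an authoritative server: returns an AA
    answer if the server owns the record, a referral plus glue if it only
    holds a delegation, or an authoritative empty answer for a missing name."""
    srv = SERVERS[server]
    if (qname, qtype) in srv["records"]:
        rrs = srv["records"][(qname, qtype)]
        return Response(aa=True, answers=[(qname, qtype, r) for r in rrs])
    closest = max((z for z in srv["delegations"] if in_zone(qname, z)),
                  key=len, default=None)
    if closest is None:
        return Response(aa=in_zone(qname, srv["zone"]))
    nslist = srv["delegations"][closest]
    return Response(aa=False, referral=[(closest, n) for n, _ in nslist],
                    glue=dict(nslist))


def resolve_authoritative(qname, qtype, send_query=fake_send_query,
                          roots=(ROOT_NS,), max_hops=8):
    """Iterative resolution from the root. Returns (rdata_list, servers_contacted);
    rdata is taken only from a response with AA set."""
    pending = list(roots)
    contacted = []
    for _ in range(max_hops):
        if not pending:
            raise LookupError(f"ran out of servers for {qname}")
        server = pending.pop(0)
        contacted.append(server)
        resp = send_query(server, qname, qtype)
        if resp.aa:
            return [rd for (_, t, rd) in resp.answers if t == qtype], contacted
        if resp.referral:
            # Follow only the glue for the delegated servers; no cache is consulted.
            pending = [resp.glue[n] for _, n in resp.referral if n in resp.glue]
            continue
        raise LookupError(f"{server} gave a non-authoritative, non-referral reply")
    raise LookupError("delegation chain too long")


def resolve_via_cache(qname, qtype, cache):
    """What a validator that trusts a shared recursive resolver effectively does:
    return whatever the cache holds, with no way to tell a poisoned entry apart."""
    return cache.get((qname, qtype))


# Constructed scenario: the CA's recursive resolver has been poisoned.
POISONED_CACHE = {("www.example.com.", "A"): ["192.0.2.66"]}

if __name__ == "__main__":
    print("recursive cache says:", resolve_via_cache("www.example.com.", "A", POISONED_CACHE))
    print("authoritative chain says:", resolve_authoritative("www.example.com.", "A"))
```

In a real validator the transport would send each query directly to the glue addresses learned from the parent zone and check the AA flag on the reply. Note the limit of the technique, which is the point the surrounding messages argue over: it removes the recursive cache as an attack surface, but an attacker on the path between the CA and the authoritative servers who can spoof their replies is still in scope.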

Re: WoSign Issue L and port 8080

2016-09-13 Thread Jakob Bohm
On 13/09/2016 11:50, Gervase Markham wrote: On 12/09/16 19:02, Jakob Bohm wrote: Wouldn't this fall under the general auditable requirement of being careful in their practices and procedures. Ask an auditor, and they will tell you that "be careful" is not an auditable requirement. I know

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
On 12/09/2016 09:42, Gervase Markham wrote: On 11/09/16 23:42, Lee wrote: A careful CA validator does DNS only by making authoritative queries, so they're not subject to cache poisoning since they don't look at cached answers. Would a not careful CA be flagged on their yearly audit? It only

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:45, Gervase Markham wrote: On 09/09/16 11:53, Jakob Bohm wrote: As I read the Wiki description of WoSign issue L: Arbitrary High port validation, the description notes a case of port 8080 validation as an instance of this. If the BR and or CP/CPS indeed classify port 8080 as a

Re: WoSign Issue L and port 8080

2016-09-12 Thread Gervase Markham
On 11/09/16 23:42, Lee wrote: >> A careful CA validator does DNS only by making authoritative queries, so >> they're not subject to cache poisoning since they don't look at cached >> answers. > > Would a not careful CA be flagged on their yearly audit? It only might, if doing non-authoritative

Re: WoSign Issue L and port 8080

2016-09-11 Thread Lee
On 9/11/16, Patrick Figel wrote: > On 11/09/16 22:05, Lee wrote: >>> In order to spoof a CA's domain validation request, an attacker >>> would need to be in a position to MitM the connection between the >>> CA and the targeted domain. >> >> does dns hijacking or dns cache

Re: WoSign Issue L and port 8080

2016-09-11 Thread Nick Lamb
On Sunday, 11 September 2016 23:42:18 UTC+1, Lee wrote: > Me personally? Not at all. I'm just asking if they _do_ have DNSSEC > for their domains is there a way to leverage that to get a cert via an > encrypted channel or at least do the domain validation via an > encrypted channel instead of

Re: WoSign Issue L and port 8080

2016-09-11 Thread Lee
On 9/11/16, Nick Lamb wrote: > On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote: >> does dns hijacking or dns cache poisoning count as mitm? > > A careful CA validator does DNS only by making authoritative queries, so > they're not subject to cache poisoning since

Re: WoSign Issue L and port 8080

2016-09-11 Thread Patrick Figel
On 11/09/16 22:05, Lee wrote: >> In order to spoof a CA's domain validation request, an attacker >> would need to be in a position to MitM the connection between the >> CA and the targeted domain. > > does dns hijacking or dns cache poisoning count as mitm? I was mentioning this in order to

Re: WoSign Issue L and port 8080

2016-09-11 Thread Lee
On 9/11/16, Patrick Figel wrote: > On 10/09/16 22:37, Lee wrote: >> Right - I figured that out about 30 seconds after reading an email >> about allowing verification on ports 80 and 443. But you only need >> to get the initial certificate one time - after that you should be

Re: WoSign Issue L and port 8080

2016-09-11 Thread Patrick Figel
On 10/09/16 22:37, Lee wrote: > Right - I figured that out about 30 seconds after reading an email > about allowing verification on ports 80 and 443. But you only need > to get the initial certificate one time - after that you should be > able to renew using port 443 and I didn't see anything

Re: WoSign Issue L and port 8080

2016-09-10 Thread Lee
On 9/10/16, Peter Bowen wrote: > On Sat, Sep 10, 2016 at 9:14 AM, Lee wrote: >> On 9/10/16, Gervase Markham wrote: >>> On 09/09/16 11:53, Jakob Bohm wrote: >> >> Does Mozilla feel that using 'clear text' protocols to validate >> domains is

Re: WoSign Issue L and port 8080

2016-09-10 Thread Lee
On 9/10/16, Gervase Markham wrote: > On 09/09/16 11:53, Jakob Bohm wrote: >> As I read the Wiki description of WoSign issue L: Arbitrary High port >> validation, the description notes a case of port 8080 validation as an >> instance of this. >> >> If the BR and or CP/CPS indeed

Re: WoSign Issue L and port 8080

2016-09-10 Thread Gervase Markham
On 09/09/16 11:53, Jakob Bohm wrote: > As I read the Wiki description of WoSign issue L: Arbitrary High port > validation, the description notes a case of port 8080 validation as an > instance of this. > > If the BR and or CP/CPS indeed classify port 8080 as a valid web port > for domain control