On Fri, Jan 12, 2018 at 06:03:34PM +0100, Gerd v. Egidy wrote: > > That is still vulernable to default-vhost issues if: > > > > - The hoster does not explicitly reserve default vhost (I have seen that > > kind of behavior with http:// too). > > - The hoster lets customers upload arbitrary certificates. > > I think you also need: > > - A user is able to trick the server into serving his document root as > default > vhost > > - The webserver serves the default tls vhost, even if the CA requested a > specific vhost via SNI
Well, I think both are impiled by default vhost. > > (And there are countermeasures that can detect default vhosts). > > Could you explain in more detail? > > Will they still work in conjunction with TLS and SNI? One trick: Use some wild host value, and see that either TLS handshake fails with alert 112, or that returned certificate is different. -Ilari _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme