On Wed, Jun 20, 2018 at 5:34 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:

> My understanding was that catastrophic problem was not the
> default-vhost behavior of Apache or Nginx, although that could cause
> security issues. But instead, the problem was that many hosting
> providers let one claim arbitrary hostnames on FCFS basis. This let
> attacker upload arbitrary validation certificates to be served, and
> due to how TLS-SNI worked, this led to misvalidation.

This is correct, although it was not necessarily dependent on FCFS behaviour - the issue would still exist because there was no implicit or explicit binding between the ACME challenge name and the name being validated in the protocol. That, combined with service providers' reliance on DNS to resolve conflicts, led to these issues. I'm not aware of any of the issues that were responsibly disclosed to browser vendors having been related to Apache configuration.

> TLS-ALPN addresses the latter problem by requiring the server_name to
> match the validation target (which is AFAICT also required by the
> Baseline Requirements). This stops claiming arbitrary names from
> allowing misvalidations.

Note: The Baseline Requirements do not require this.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
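
The binding discussed in this thread, as a toy model added for illustration (not code from any message in the thread or from the ACME drafts): it contrasts a check whose handshake name is derived only from the key authorization with one whose server_name is the validation target. `SharedHost`, `shop.example`, the key authorization string and the certificate dictionaries are constructed, and the TLS-SNI name derivation is simplified.

```python
import hashlib

def digest(key_auth):
    return hashlib.sha256(key_auth.encode()).hexdigest()

def sni_challenge_name(key_auth):
    # TLS-SNI style (simplified): the handshake name is derived only from the
    # key authorization; the domain being validated does not appear in it.
    z = digest(key_auth)
    return f"{z[:32]}.{z[32:]}.acme.invalid"

class SharedHost:
    """Constructed model: one IP, many tenants, handshakes routed by SNI."""
    def __init__(self):
        self.vhosts = {}  # hostname -> certificate (dict) served for that SNI

    def claim(self, hostname, cert):
        # Model assumption: a tenant may claim any hostname not already claimed.
        if hostname in self.vhosts:
            return False
        self.vhosts[hostname] = cert
        return True

    def handshake(self, sni, alpn=None):
        cert = self.vhosts.get(sni)
        if cert is None or (alpn and cert.get("alpn") != alpn):
            return None
        return cert

def validate_tls_sni(host, domain, key_auth):
    # `domain` only decides which server is contacted (here: `host`).
    name = sni_challenge_name(key_auth)
    cert = host.handshake(sni=name)
    return cert is not None and name in cert["san"]

def validate_tls_alpn(host, domain, key_auth):
    # TLS-ALPN style: server_name is the validation target itself.
    cert = host.handshake(sni=domain, alpn="acme-tls/1")
    return (cert is not None and cert["san"] == [domain]
            and cert.get("acme_identifier") == digest(key_auth))

def demo():
    host, domain = SharedHost(), "shop.example"   # constructed name
    host.claim(domain, {"san": [domain]})          # the domain owner's site
    key_auth = "token.other-tenant-thumbprint"     # constructed value
    name = sni_challenge_name(key_auth)
    host.claim(name, {"san": [name]})              # a different tenant, same IP
    return validate_tls_sni(host, domain, key_auth), validate_tls_alpn(host, domain, key_auth)
```

`demo()` returns `(True, False)`: the name-unbound check accepts a response that the domain owner never configured, while the server_name-bound check is routed to the owner's vhost and fails there.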