On 10/01/2018 14:15, Kurt Roeckx wrote:
On Wed, Jan 10, 2018 at 01:33:20AM -0800, josh--- via dev-security-policy wrote:
* Users have the ability to upload certificates for arbitrary names without 
proving domain control.

So a user can always take over the domain of another user on
those providers just by installing a (self-signed) certificate?
I guess it works easiest if the other just doesn't have SSL.



Depending on exactly how the shared web server is misconfigured, it
still might direct the traffic of actual (real) hostnames of other users
to the correct user account, even if matching the SNI to the rogue
certificate.  This boils down to the fact that many web servers use
neither the client-supplied SNI value nor the list of certificate SAN
DNS values as an alternative / override / filter for the HTTP/1.x Host:
header and/or the full URL in the HTTP request line.

It is also quite possible that a number of affected hosting systems will
only allow this for domains not already hosted by another user (such as
acme.invalid).

Enforcement on shared hosting systems would be easier if the TLS-SNI-01
ACME mechanism used names such as
  1234556-24356476._acme.requested.domain.example.com
since that would allow hosting providers to restrict certificate uploads
that claim to be for other customers' domains.  Maybe the name form used
by TLS-SNI-02 could be the same as for the DNS-01 challenge.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
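The upload policy Jakob describes, written out as an added example (it is not code from the thread, from Let's Encrypt, or from any hosting provider). It assumes a made-up tenancy table mapping registered domains to customer accounts, a token label shaped like the `1234556-24356476` sample in the message, and the permissive rule from the message that names nobody else hosts here are allowed. The point it shows is the one the message makes: a current-form `<hex>.<hex>.acme.invalid` name gives the provider nothing to attribute to a customer, whereas a `<token>._acme.<requested domain>` name can be checked against the tenancy table like any other name.

```python
"""Certificate-upload policy check for a shared hosting provider.

Added example, not code from the thread or from any hosting provider.
The tenancy table, the customer names and the token format are assumptions.
"""
import re

ACME_LABEL = "_acme"
# Assumed shape of the challenge token label, taken from the sample name
# 1234556-24356476._acme.requested.domain.example.com in the message.
TOKEN_RE = re.compile(r"^[0-9]+-[0-9]+$")

# Constructed tenancy table (assumption): registered domain -> customer account.
HOSTED_DOMAINS = {
    "example.com": "alice",
    "example.net": "bob",
}


def owner_of(name):
    """Return (customer, registered_domain) for the longest hosted domain that
    `name` equals or sits under, or (None, None) if nobody here hosts it."""
    best = None
    for domain, customer in HOSTED_DOMAINS.items():
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[1]):
                best = (customer, domain)
    return best if best else (None, None)


def classify_name(name, uploader):
    """Judge one SAN DNS name from a certificate uploaded by `uploader`.

    Returns (verdict, reason) with verdict one of
    "allow", "deny" or "unattributable".
    """
    name = name.rstrip(".").lower()
    labels = name.split(".")

    # Current TLS-SNI-01 form: <hex>.<hex>.acme.invalid.  The name carries no
    # requested domain, so the provider cannot tell which customer it is for
    # and has nothing to check the upload against.
    if labels[-2:] == ["acme", "invalid"]:
        return ("unattributable", "acme.invalid name names no customer domain")

    # Proposed form: <token>._acme.<requested domain>.  Strip the challenge
    # prefix and judge the name by the requested domain behind it.
    if ACME_LABEL in labels:
        i = labels.index(ACME_LABEL)
        if i != 1 or not TOKEN_RE.match(labels[0]) or i + 1 >= len(labels):
            return ("deny", "malformed challenge name")
        subject = ".".join(labels[i + 1:])
    else:
        subject = name

    customer, domain = owner_of(subject)
    if customer is None:
        # Permissive rule from the message: nobody else hosts it here.
        return ("allow", "no other customer hosts %s here" % subject)
    if customer == uploader:
        return ("allow", "%s belongs to uploader" % domain)
    return ("deny", "%s belongs to customer %s" % (domain, customer))


def check_upload(san_names, uploader):
    """Accept the certificate only if every SAN DNS name is allowed.

    Returns (accepted, {name: (verdict, reason)}).
    """
    results = {n: classify_name(n, uploader) for n in san_names}
    accepted = all(v == "allow" for v, _ in results.values())
    return accepted, results


if __name__ == "__main__":
    # Constructed sample uploads.
    for uploader, sans in [
        ("alice", ["www.example.com", "1234556-24356476._acme.example.com"]),
        ("bob", ["1234556-24356476._acme.requested.domain.example.com"]),
        ("bob", ["deadbeef.cafef00d.acme.invalid"]),
    ]:
        accepted, results = check_upload(sans, uploader)
        print(uploader, "accepted" if accepted else "rejected", results)
```

Whether the "no other customer hosts it here" branch should allow or deny is a provider policy choice; the message only observes that some hosts appear to behave that way. The branch that matters for the thread is the `acme.invalid` one: no tenancy table can resolve it, which is why the proposed name form helps.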
