On 10/01/18 17:04, Matthew Hardeman wrote:
> That seems remarkably deficient. No other validation mechanism which is
> accepted by the community relies upon specific preventative behavior by any
> number of random hosting companies on the internet.

I don't think that's true. If your hosting provider allows other sites to respond to HTTP requests for your domain, there's a similar vulnerability in the HTTP-01 checker. One configuration where this can happen is when multiple sites share an IP but only one gets port 443 (i.e. the pre-SNI support situation), and it's not you. Or, if an email provider allows people to claim any of the special email addresses, there's a similar vulnerability in email-based methods.

The "don't allow acme.invalid" mitigation is the easiest one to implement, but another perfectly good one would be "don't allow people to deploy certs for sites they don't own or control", or even "don't allow people to deploy certs for sites your other customers own or control".

Put that way, that doesn't seem like an unreasonable requirement, does it?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
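The three mitigations Gerv lists are all policy checks a hosting provider can run before a customer-uploaded certificate is deployed: refuse any name under acme.invalid, refuse names the customer has not proven control of, or (the weaker form) refuse only names that belong to another customer. The following is an added example written for this page, not code from the thread or from any hosting provider; the customer registry, the sample SAN lists and the reason strings are constructed for illustration, and the check takes the certificate's SAN names as an already-parsed list rather than parsing a certificate itself.

```python
"""Pre-deployment policy check for customer-uploaded certificates.

Added example for this page (not from the mailing-list thread). Assumes the
hosting provider keeps a registry mapping each customer to the domains that
customer has already proven control of; the registry below is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Suffix used by ACME TLS-SNI-01 validation names; never a real customer site.
ACME_VALIDATION_SUFFIX = ".acme.invalid"

# Constructed registry: customer id -> domains that customer has verified.
VERIFIED_DOMAINS: Dict[str, Set[str]] = {
    "cust-a": {"example.com"},
    "cust-b": {"example.net"},
}

# Rejection reasons returned by check_deployment (constructed labels).
REASON_MALFORMED = "malformed hostname"
REASON_ACME_INVALID = "ACME validation name (acme.invalid) is never deployable"
REASON_NOT_VERIFIED = "customer has not proven control of this name"
REASON_OTHER_CUSTOMER = "name is controlled by another customer"

# One DNS label: a lone '*' (wildcard) or LDH letters/digits/hyphens.
_LABEL = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)$")


def _normalize(name: str) -> str:
    """Lower-case and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def _is_under(name: str, base: str) -> bool:
    """True if name equals base or is a subdomain of base."""
    return name == base or name.endswith("." + base)


def _owner_of(name: str, verified: Dict[str, Set[str]]) -> Optional[str]:
    """Return the customer that has verified a domain covering name, if any."""
    for customer, domains in verified.items():
        if any(_is_under(name, d) for d in domains):
            return customer
    return None


def check_deployment(
    customer_id: str,
    san_names: List[str],
    verified: Dict[str, Set[str]] = VERIFIED_DOMAINS,
    allow_unverified: bool = False,
) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for every SAN that must not be deployed.

    An empty list means the certificate may be deployed for this customer.
    allow_unverified=False is the "only sites you own or control" policy;
    allow_unverified=True is the weaker "not sites your other customers
    own or control" policy from the message.
    """
    problems: List[Tuple[str, str]] = []
    for raw in san_names:
        name = _normalize(raw)
        labels = name.split(".")
        # A wildcard is only meaningful as the leftmost label.
        if any(not _LABEL.match(lbl) for lbl in labels) or "*" in labels[1:]:
            problems.append((raw, REASON_MALFORMED))
            continue
        # Mitigation 1: nothing under acme.invalid is ever served.
        if name == ACME_VALIDATION_SUFFIX[1:] or name.endswith(ACME_VALIDATION_SUFFIX):
            problems.append((raw, REASON_ACME_INVALID))
            continue
        # Mitigations 2/3: the name must be covered by a verified domain.
        bare = name[2:] if name.startswith("*.") else name
        owner = _owner_of(bare, verified)
        if owner is None:
            if not allow_unverified:
                problems.append((raw, REASON_NOT_VERIFIED))
        elif owner != customer_id:
            problems.append((raw, REASON_OTHER_CUSTOMER))
    return problems


if __name__ == "__main__":
    # Constructed upload: one legitimate name, one belonging to another
    # customer, and one ACME validation name.
    upload = ["www.example.com", "www.example.net", "a1b2.c3d4.acme.invalid"]
    for name, reason in check_deployment("cust-a", upload):
        print(f"reject {name}: {reason}")
```

The ownership check is the general form: the acme.invalid rule catches the one name family a validator is known to ask for, while refusing names outside the customer's verified domains also closes the equivalent gap for any other challenge type that relies on who answers for a hostname.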