On Wed, Jan 10, 2018 at 05:24:41PM +0000, Gervase Markham via 
dev-security-policy wrote:
> On 10/01/18 17:04, Matthew Hardeman wrote:
> > That seems remarkably deficient.  No other validation mechanism which is
> > accepted by the community relies upon specific preventative behavior by any
> > number of random hosting companies on the internet.
> 
> I don't think that's true. If your hosting provider allows other sites
> to respond to HTTP requests for your domain, there's a similar
> vulnerability in the HTTP-01 checker.

That's quite different, though, from your hosting provider allowing other
sites to respond to SNI requests for some completely other domain that
happens to then authorise certificate issuance for your domain.

> Or, if an email provider allows people to claim any of the special email
> addresses, there's a similar vulnerability in email-based methods.

Yeah, and that's a continuing gift of amusing blog posts ("check out who I
got a certificate for this time!").  I'd hope we'd all have learnt from
that, though, and not be looking to cheer on other validation methods that
suffer from the same problems.  Playing whack-a-mole with hosting providers
to get them to do something that is *only* needed to secure certificate
issuance, and provides zero operational benefit otherwise, seems like a
losing proposition.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
