On Wed, Jan 10, 2018 at 05:24:41PM +0000, Gervase Markham via dev-security-policy wrote:
> On 10/01/18 17:04, Matthew Hardeman wrote:
> > That seems remarkably deficient. No other validation mechanism which is
> > accepted by the community relies upon specific preventative behavior by any
> > number of random hosting companies on the internet.
>
> I don't think that's true. If your hosting provider allows other sites
> to respond to HTTP requests for your domain, there's a similar
> vulnerability in the HTTP-01 checker.

That's quite different, though, from your hosting provider allowing other sites to respond to SNI requests for some completely other domain that happens to then authorise certificate issuance for your domain.

> Or, if an email provider allows people to claim any of the special email
> addresses, there's a similar vulnerability in email-based methods.

Yeah, and that's a continuing gift of amusing blog posts ("check out who I got a certificate for this time!"). I'd hope we'd all have learnt from that, though, and not be looking to cheer on other validation methods that suffer from the same problems.

Playing whack-a-mole with hosting providers to get them to do something that is *only* needed to secure certificate issuance, and provides zero operational benefit otherwise, seems like a losing proposition.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy