Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Ryan Sleevi via dev-security-policy
On Fri, Jan 12, 2018 at 5:46 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 11/01/2018 05:38, Ryan Sleevi wrote: > > On Thu, Jan 11, 2018 at 2:46 AM Jakob Bohm via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> On

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Jakob Bohm via dev-security-policy
On 11/01/2018 05:38, Ryan Sleevi wrote: On Thu, Jan 11, 2018 at 2:46 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 11/01/2018 01:08, Ryan Sleevi wrote: On Wed, Jan 10, 2018 at 6:35 PM, Jakob Bohm via dev-security-policy <

Re: DYMO Root CA installed by Label Printing Software

2018-01-11 Thread Nicholas Humfrey via dev-security-policy
Thank you very much to everyone who replied to my original post. I think the fact that so many people are making the same mistakes indicates that the correct solutions are not obvious to many developers. I have added a "How could this be done better?" section to my README:

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Wayne Thayer via dev-security-policy
On Thu, Jan 11, 2018 at 3:28 PM, josh--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 > > Speaking for myself, this is an excellent game plan that

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread josh--- via dev-security-policy
On Thursday, January 11, 2018 at 3:36:50 PM UTC-6, Ryan Sleevi wrote: > On Wed, Jan 10, 2018 at 4:33 AM, josh--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > At approximately 5 p.m. Pacific time on January 9, 2018, we received a > > report from Frans Rosén of

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-11 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 11, 2018 at 4:50 PM, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Based on reported issues with TLS-SNI-01, we started investigation of our > systems late yesterday regarding the use of "Test Certificate" validation, > BR section 3.2.2.4.9.

Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-11 Thread Doug Beattie via dev-security-policy
Based on reported issues with TLS-SNI-01, we started investigation of our systems late yesterday regarding the use of "Test Certificate" validation, BR section 3.2.2.4.9. We found that this method may be vulnerable to some of the same underlying issues as the ACME TLS-SNI-01 so we

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Ryan Sleevi via dev-security-policy
On Wed, Jan 10, 2018 at 4:33 AM, josh--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > At approximately 5 p.m. Pacific time on January 9, 2018, we received a > report from Frans Rosén of Detectify outlining a method of exploiting some > shared hosting infrastructures

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Gervase Markham via dev-security-policy
On 10/01/18 17:39, Matthew Hardeman wrote: > Here again, I think we have a problem. It's regarded as normal and > acceptable at many web host infrastructures to pre-stage sites for > domain-labels not yet in use to allow for development and test deployment. I agree that "no unknown domain names"