[Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
Peter Eckersley <pde@eff.org> Tue, 22 September 2015 21:53 UTC
Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF511A8AE9 for <acme@ietfa.amsl.com>; Tue, 22 Sep 2015 14:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.312
X-Spam-Level:
X-Spam-Status: No, score=-4.312 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mD7Wvlw7RR8j for <acme@ietfa.amsl.com>; Tue, 22 Sep 2015 14:52:58 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2CF61A8AEF for <acme@ietf.org>; Tue, 22 Sep 2015 14:52:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=HwBn2r7ahzTGuftw48OnP3BXvrCuC9fETagTEkUSA10=; b=EILJYm3+UADdb4d0TMQlBYLttvDIexnRSWN9hffVgBxxR1Vl2okQCHTkOQxddpNhsOVeqX3KOmKNA8xOoAwqlZKfzfX+FFkrn1GniJNeonftXQVoY5H9L7XiW7zg6UE4nw0k84hD7eyyuj7QK5pHo/zOxFOiO4KrqGJeyze8Oy8=;
Received: ; Tue, 22 Sep 2015 14:52:58 -0700
Date: Tue, 22 Sep 2015 14:52:58 -0700
From: Peter Eckersley <pde@eff.org>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20150922215258.GJ17243@eff.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/B9vhPSMm9tcNoPrTE_LNhnt0d8U>
Subject: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 21:53:00 -0000
Apache (and I gather nginx too) have the subtle and non-intuitive behaviour that if a default TLS/HTTPS virtual host is not configured explicitly, one will be selected based on the ordering of vhosts in the webserver configuration (in practice, this often amounts to alphabetical ordering of files in a configuration directory). https://serverfault.com/questions/458106/apache2-default-vhost-in-alphabetical-order-or-override-with-default-vhost https://serverfault.com/a/180956 This creates a vulnerability for SimpleHTTP and DVSNI in any multiple-tenant virtual hosting environment that failed to explicitly select a default vhost [1]. The vulnerability allows one tenant (typically one with the alphabetically lowest domain name -- a situation that may be easy for an attacker to arrange) to obtain certificates for other tenants. The exact conditions for the vulerability vary: - SimpleHTTP is vulnerable if no default vhost is set explicitly, the server accepts the "tls": true parameter as currently specified, and the domains served over TLS/HTTPS are a strict subset of those served over HTTP. - DVSNI is vulnerable if no default vhost is set explicitly, and the hosting environment provides a way for tenants to upload arbitrary certificates to be served on their vhost. James Kasten and Alex Halderman have done great work proposing a fix for DVSNI: https://github.com/letsencrypt/acme-spec/compare/sig-reuse...pde:dvsni-default-vhost-fix That fix also has some significant performance benefits on systems with many virtual hosts, and the resulting challenge type should perhaps be called DVSNI2. The simplest fix for SimpleHTTP is to remove the "tls" option from the client's SimpleHTTP response, and require that the challenge be completed on port 80. https://github.com/pde/acme-spec/commit/2bf0488b9d6386b0d8ee34edfe8ba5829de0d9fa Alternatively, the protocol could allow the server to specify which ports it will perform SimpleHTTP and SimpleHTTPS requests on; HTTPS on port 443 SHOULD be avoided unless the CA can confirm that the server has an explicitly configured default vhost. The above diffs are currently against Let's Encrypt's version of the ACME spec, we'll be happy to rebase them against the IETF version upon request. [1] though I haven't confirmed it, it's possible that sites that attempted to set a default vhost are vulernable if they followed advice like this when doing so: https://serverfault.com/a/458181 ; an attacker need only sign up with a lexicographically lower name on that hosting platform to obtain control of the default. -- Peter Eckersley pde@eff.org Chief Computer Scientist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993
- [Acme] ACME vulnerabilities in SimpleHTTP and DVS… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Richard Barnes
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Andrew Ayer
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Michael Richardson
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Peter Eckersley
- Re: [Acme] ACME vulnerabilities in SimpleHTTP and… Michael Richardson