DCV Inspector: a tool to inspect domain validation requests
941 views
Skip to first unread message
Andrew Ayer
Dec 31, 2023, 12:00:36 PM12/31/23
to pub...@ccadb.org
I'm happy to announce a new tool for inspecting the domain validation
practices of CAs:
https://dcv-inspector.com
You can use DCV Inspector to determine the vantage points from which the
CA sends domain validation requests, and to detect the use of Delegated
Third Parties, such as Google Public DNS. It works by creating a unique
subdomain for each test. When you request a certificate from a
CA for this subdomain, DCV Inspector records all of the DNS queries,
HTTP requests, and emails sent to the subdomain, and presents them
to you for your inspection.
Example test report: https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
At the moment, DCV Inspector doesn't make any assessment about whether
or not the the test results are compliant, but I envision a future
version including some automated compliance checks where possible.
DCV Inspector is open source and can be self-hosted if desired.
Bug reports and feature ideas (especially about possible automated
compliance checks) are welcome, either here or at GitHub:
https://github.com/SSLMate/dcv-inspector
Unfortunately, the majority of CAs are difficult to test because
their certificates cost money or are not even offered to the
general public. A lot of badness may be flying under the radar
as a result, such as the use of public DNS resolvers. Consider
https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
detected because the CA offers a free ACME endpoint. There are surely
other CAs using public DNS resolvers.
I believe it would be extremely beneficial to require CAs to offer some
sort of public endpoint for issuing test certificates so that their
domain validation practices can be independently verified. A more
modest proposal that would also help would be requiring CAs to include
a DCV Inspector test report as part of their annual self-assessment.
Would love to hear your thoughts about how to improve transparency into
domain validation practices!
Regards & happy new year,
Andrew
practices of CAs:
https://dcv-inspector.com
You can use DCV Inspector to determine the vantage points from which the
CA sends domain validation requests, and to detect the use of Delegated
Third Parties, such as Google Public DNS. It works by creating a unique
subdomain for each test. When you request a certificate from a
CA for this subdomain, DCV Inspector records all of the DNS queries,
HTTP requests, and emails sent to the subdomain, and presents them
to you for your inspection.
Example test report: https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
At the moment, DCV Inspector doesn't make any assessment about whether
or not the the test results are compliant, but I envision a future
version including some automated compliance checks where possible.
DCV Inspector is open source and can be self-hosted if desired.
Bug reports and feature ideas (especially about possible automated
compliance checks) are welcome, either here or at GitHub:
https://github.com/SSLMate/dcv-inspector
Unfortunately, the majority of CAs are difficult to test because
their certificates cost money or are not even offered to the
general public. A lot of badness may be flying under the radar
as a result, such as the use of public DNS resolvers. Consider
https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
detected because the CA offers a free ACME endpoint. There are surely
other CAs using public DNS resolvers.
I believe it would be extremely beneficial to require CAs to offer some
sort of public endpoint for issuing test certificates so that their
domain validation practices can be independently verified. A more
modest proposal that would also help would be requiring CAs to include
a DCV Inspector test report as part of their annual self-assessment.
Would love to hear your thoughts about how to improve transparency into
domain validation practices!
Regards & happy new year,
Andrew
Matthew McPherrin
Jan 5, 2024, 2:59:06 PMJan 5
to Andrew Ayer, pub...@ccadb.org
That's a great tool! Thank you for sharing it.
One blind spot I can imagine is, at least for Let's Encrypt, CAA checking is done only after the initial HTTP/DNS/TLS-ALPN acme challenge completes.
Would you consider allowing the user to upload TXT or CAA records to the test server, or HTTP response serving, allowing completion of the validation?
Julia Evan's https://messwithdns.net/ comes to mind as an example of a similar tool, intended as a DNS teaching tool.
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name.
Andrew Ayer
Jan 7, 2024, 2:06:57 PMJan 7
to Matthew McPherrin, 'Matthew McPherrin' via CCADB Public
Hi Matthew,
That's a great idea! I've added support for publishing TXT/CAA records
and HTTP files.
I've also added a CT client to the test result page so you can easily
see all the certificates that have been issued.
Example test result for a complete Let's Encrypt issuance using lego
with the DNS challenge:
https://dcv-inspector.com/test/f34ceb24402eace6fdef190a3ffd0b1d
Cheers,
Andrew
On Fri, 5 Jan 2024 14:58:27 -0500
"'Matthew McPherrin' via CCADB Public" <pub...@ccadb.org> wrote:
> That's a great tool! Thank you for sharing it.
>
> One blind spot I can imagine is, at least for Let's Encrypt, CAA
> checking is done only after the initial HTTP/DNS/TLS-ALPN acme
> challenge completes. Would you consider allowing the user to upload
> TXT or CAA records to the test server, or HTTP response serving,
> allowing completion of the validation?
> Julia Evan's https://messwithdns.net/ comes to mind as an example of a
> similar tool, intended as a DNS teaching tool.
>
> On Sun, Dec 31, 2023 at 12:00___PM Andrew Ayer <ag...@andrewayer.name>
> https://groups.google.com/a/ccadb.org/d/msgid/public/CAKh5S0asKQWo5QdKBo%3DQn9w%2BV5dfQ_NufanzECaO-X%2B%2Bqsd6EQ%40mail.gmail.com.
That's a great idea! I've added support for publishing TXT/CAA records
and HTTP files.
I've also added a CT client to the test result page so you can easily
see all the certificates that have been issued.
Example test result for a complete Let's Encrypt issuance using lego
with the DNS challenge:
https://dcv-inspector.com/test/f34ceb24402eace6fdef190a3ffd0b1d
Cheers,
Andrew
On Fri, 5 Jan 2024 14:58:27 -0500
"'Matthew McPherrin' via CCADB Public" <pub...@ccadb.org> wrote:
> That's a great tool! Thank you for sharing it.
>
> One blind spot I can imagine is, at least for Let's Encrypt, CAA
> checking is done only after the initial HTTP/DNS/TLS-ALPN acme
> challenge completes. Would you consider allowing the user to upload
> TXT or CAA records to the test server, or HTTP response serving,
> allowing completion of the validation?
> Julia Evan's https://messwithdns.net/ comes to mind as an example of a
> similar tool, intended as a DNS teaching tool.
>
Matthew McPherrin
Jan 8, 2024, 5:22:40 PMJan 8
to Andrew Ayer, public
Amazing!
I'm sure this will be a helpful tool. Thanks so much for taking the time to build and share it.
I'm sure this will be a helpful tool. Thanks so much for taking the time to build and share it.
Antonios Chariton
Jan 9, 2024, 6:33:33 PMJan 9
to Andrew Ayer, 'Matthew McPherrin' via CCADB Public
Thanks for the great tool Andrew, it’s going to help us troubleshoot and record things in an easier and more organized manner!
It’s really nice, constantly improved, and it looks like you made it during the holidays, so thanks for taking the time then.
One idea I had was to add 1.1.1.1 at a DTP ( https://developers.cloudflare.com/1.1.1.1/faq/#can-ips-used-by-1.1.1.1-be-allowlisted ) as they seem to be used too by some CAs ( https://dcv-inspector.com/test/2a87fdfb8c6aed848fe644d269ab44ef )
I am happy to send a PR if you’d like this, for https://github.com/SSLMate/dcv-inspector/blob/main/dtp.go#L44 / https://github.com/SSLMate/dcv-inspector/blob/main/dtp.go#L64
Thanks,
Antonis
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20240107120653.b0ff7f29b2e18184faf3c68e%40andrewayer.name.
Suchan Seo
Jan 14, 2024, 8:08:58 PMJan 14
to CCADB Public, Antonios Chariton, 'Matthew McPherrin' via CCADB Public, Andrew Ayer
it looks quite a lot of CAs may have this class of problem: but as outsiders are hard to get a certificate from every CA, should a root program start a investigation for it?
2024년 1월 10일 수요일 오전 8시 33분 33초 UTC+9에 Antonios Chariton님이 작성:
Reply all
Reply to author
Forward
0 new messages