List of IP addresses used for validation

Ferenc Barta
Jun 13, 2016, 4:09:02 PM
to Let's Encrypt CA Development
Hello,

I'm a developer of a server security product called BitNinja and one of our clients has recently reported that our software blocked an IP which you use for validation. Could you please send me a list of the IP addresses you currently use so that we can remove them from our greylist/blacklist and add them to our whitelist?
On the forum I've read that you are planning to frequently change the set of IPs you use to validate. Do you think it is possible to publish these addresses so that we can keep our whitelist up-to-date? According to the posts on the forum, several other people would also be thankful if you could make this list accessible.

Thank you for your help.

Best regards,
Ferenc Barta

Patrick Figel
Jun 13, 2016, 4:33:20 PM
to Ferenc Barta, Let's Encrypt CA Development
The list of IP addresses is not published on purpose in an effort to
prevent implementers from making assumptions about aspects of the
validation process which could change at any time.

As an example, there has been discussion about switching to a system
where the validation is performed from a number of geographically
diverse validation servers with a quorum-style system in order to make
it harder to bypass the validation. That list of IP addresses might
change regularly. Another suggested approach was to route some of those
requests through the Tor network, which would make it impossible to
predict the exact IP address that's going to hit the site.

A better approach might be to increase the threshold for blocking
requests based on other data points, like the request URI path which
will always start with /.well-known/acme-challenge for validation
requests. Finally, if this is not an option for your product, DNS-based
validation is an option that should not be affected by any filtering.
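
The path-based approach suggested in the reply above, as an added sketch that is not part of the original thread and not BitNinja's or Let's Encrypt's code. The score values, the two thresholds and the 128-character token cap are assumptions made for the example; the token alphabet is the base64url set that ACME specifies.

```python
import re
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME challenge tokens use only the base64url alphabet (RFC 8555, section 8.3).
# The 128-character upper bound is an assumption of this sketch.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# Hypothetical thresholds (assumptions, not any product's real values).
DEFAULT_BLOCK_SCORE = 50
ACME_BLOCK_SCORE = 90


def is_acme_challenge(method: str, target: str) -> bool:
    """True only for a plain GET of a well-formed challenge token path."""
    if method != "GET":
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or parts.query:
        return False
    if not parts.path.startswith(ACME_PREFIX):
        return False
    # Match the raw, undecoded path: "/", "." and "%" are outside the token
    # alphabet, so "../" and percent-encoded traversal never qualify.
    return TOKEN_RE.fullmatch(parts.path[len(ACME_PREFIX):]) is not None


def should_block(method: str, target: str, abuse_score: int) -> bool:
    """Block when the source's score reaches the threshold for this request."""
    if is_acme_challenge(method, target):
        return abuse_score >= ACME_BLOCK_SCORE
    return abuse_score >= DEFAULT_BLOCK_SCORE


# Constructed sample requests: (method, request target, score of the source IP).
TOKEN = "Zm9vYmFyLWNvbnN0cnVjdGVkLXRva2Vu"
SAMPLES = [
    ("GET", ACME_PREFIX + TOKEN, 60),
    ("GET", "/login", 60),
    ("GET", ACME_PREFIX + "../../login", 60),
    ("POST", ACME_PREFIX + TOKEN, 60),
    ("GET", ACME_PREFIX + TOKEN, 95),
]

if __name__ == "__main__":
    for method, target, score in SAMPLES:
        verdict = "block" if should_block(method, target, score) else "allow"
        print(f"{verdict:5} {score:3} {method} {target}")
```

The higher threshold applies only to requests that match the challenge URL exactly, so the exemption cannot be reused as a prefix to reach other paths.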

lees...@gmail.com
Jun 17, 2016, 3:09:22 PM
to Let's Encrypt CA Development, barta....@web-szerver.hu
Hello! I'm working at Bitninja.io too. I've tried to reproduce this issue, but found nothing. Our client reported that Bitninja works properly with your service again. Maybe they have reached one of your limits. I also tried your service, and tried to trick it to trigger some of our rules to get your service greylisted, without luck. We will implement checking that your service always works as expected, but we have to modify our client for that. I mentioned that we could use your service to make our Captcha work with https as well. If you kindly provide us your currently used IPs, I will double check that they are not on our lists (I have already done it with every address that I could find and found nothing in our database). I know this is very sensitive information, so if you decide to share it with us you could provide it to info[at]bitninja[dot]io. It's just for checking, not for validation.

Btw: your service is awesome! And I have 4 of my domains registered :)
Best Regards
Zoltan Toma