On 9/11/16, Patrick Figel <
patf...@gmail.com> wrote:
> On 10/09/16 22:37, Lee wrote:
>> Right - I figured that out about 30 seconds after reading an email
>> about allowing verification on ports 80 and 443. But you only need
>> to get the initial certificate one time - after that you should be
>> able to renew using port 443 and I didn't see anything in the
>> requirements about checking via an encrypted connection first. Did I
>> miss something or is getting a renewal cert over port 80 allowed?
>
> In order to spoof a CA's domain validation request, an attacker would
> need to be in a position to MitM the connection between the CA and the
> targeted domain.
does dns hijacking or dns cache poisoning count as mitm?
> This is where (the authentication part of) TLS would
> come in handy. That leaves us with the problem of determining whether
> the domain name in question should be considered to support TLS:
>
> 1. The CA could look at prior records for that domain - if a
> certificate has been issued before, treat it as a renewal.
> 2. The CA could similarly search Certificate Transparency logs and
> treat the issuance as a renewal if a certificate is found.
>
> Option 1 has one big problem: The attacker only has to chose a CA that's
> different from the CA the domain has used before.
>
> Option 2 is problematic because not all CAs log to CT at the moment.
Why is that allowed?
Full-blown CT is going to take a while.
https://tools.ietf.org/html/rfc6962 talks about including the SCT in
the TLS handshake, so getting to CT means changing how browsers do TLS
- correct? But requiring CAs log every cert to multiple CT servers
doesn't require any changes to browser code and allows for continuous
monitoring of CA behavior (in other words, "trust, but verify"). Or
am I missing something?
Let's check my understanding of CT logging with the issues listed at
https://wiki.mozilla.org/CA:WoSign_Issues
Issue D: ... does not represent a violation of the BRs.
so we'll skip that
Issue F: WoSign issued two certificates in March 2015. These
certificates are identical in all ways (including their serial
numbers) except for their notBefore dates, which are 37 seconds apart.
any interested observer could have discovered that back in March of
2015 if Wosign had logged all certificates to a CT server - correct?
Issue H: Duplicate Serial Numbers (Apr 2015)
again, any interested observer could have discovered that back in
2015 if Wosign had logged all certificates to a CT server - correct?
Issue J: Various BR Violations (Apr 2015)
I don't know enough to say, but couldn't at least
Incorrect or missing policy OIDs in all or most subscriber certificates;
have been discovered by an interested observer?
Issue L: Any Port (Jan - Apr 2015)
CT logging wouldn't have caught any of that
But CT logging _would_ allow CAs to offer a new service to their
customers: for <some small price> we'll notify you about any new
certificates issued for <the domain of the cert you just got> for the
life of the cert
Issue N: Additional Domain Errors (June 2015)
again, same thing as issue L - CT logging wouldn't have caught it?
Interested customers could have registered for a service to be
notified of new certs for their domain?
Issue P: Use of SM2 Algorithm
any interested observer could have discovered that?
Issue R: Purchase of StartCom
CT logging wouldn't have caught that
Issue S: Backdated SHA-1 Certs
any interested observer could have discovered that?
Issue T:
alicdn.com Misissuance
same deal as for issue L
Issue V: StartEncrypt
CT logging wouldn't have caught that?
So CT logging isn't enough for a "good enough" solution, but I'd say
that annual CA audits clearly isn't good enuf either but a combination
of the two does seem to get us a lot closer. Add a requirement for
DNSSEC whenever possible and we're there?
> Both options do nothing to solve the problem of a domain owner losing
> the private key of their certificate (for example due to a hack, data
> loss, or just a domain transfer).
>
> You might be thinking of an option 3 - just connect to port 443, see if
> the domain has a valid certificate, and use HTTPS if available. This
> sounds great in theory, but since the attacker would need to be able to
> MitM the connection in the first place in order to spoof the validation
> request, they could simply intercept this request and force validation
> on port 80.
>
> All in all I think this would do more harm than good. Adding complexity
> to the DV process means slower HTTPS adoption in general. I'd rather see
> a "good enough" DV process ...
if it isn't obvious by now, I'd say that any process that doesn't
include continuous monitoring isn't "good enough"
> ... and HTTPS everywhere when the alternative is
> a perfect-in-theory DV process where HTTPS is available only for sites
> that can deploy all these things competently.
If the site admins aren't competent they're going to get pwned, so why
do I care if they're doing https instead of http? Or look at it from
a different angle - if it's that hard for sites to do it correctly
then [Mozilla? CAs? somebody] can come up with a checklist of what to
look for in a hosting provider that does do it right. It seems like
most everybody is moving to "the cloud" anyway, so requiring site
admins to be competent doesn't seem all that onerous a requirement.
> Even if we push for
> encryption for this validation method, we still have DNS validation
> without any encryption, and given the rate at which DNSSEC is deployed,
http://www.dnssec-deployment.org/
dateline August 29, 2016
3. Implementing DNSSEC validation at Internet Service Providers (ISPs)
Internet Service Providers (ISPs) play a critical role by enabling
DNSSEC validation for the caching DNS resolvers used by their
customers. We have now seen massive rollouts of DNSSEC validation
within large North American ISPs and at ISPs around the world.
OK - I'll agree that we're not where we should be but what if EV
certificates required DNSSEC enabled domain servers to qualify for an
EV cert? Seems like that would help some :)
> that's not going to change any time soon. (Not to mention that there's a
> lot of opposition to DNSSEC in general.)
Where is the opposition to DNSSEC? I was going to say that I'm also
lurking on the dns ops mailing list, but I don't think I can call what
I'm doing on m.d.s.p now lurking :)
Yes, DNSSEC is complicated & difficult to do right, but opposition to
DNSSEC in general? I'm not seeing it & any CA that can't or won't do
DNSSEC shouldn't be in the Mozilla root store.
Regards,
Lee