We should not forget that the TLS-SNI design does not enforce a method to prevent this. I would definitely say this is a vulnerability in ACME, but indeed only exposed when not carefully implemented. There will always be providers that make this simple mistake again.
-
-
-
Highly recommend the mozilla-dev-security-policy thread for some lively debate from both sides. I am also firmly in the "protocol should prevent it by design" camphttps://groups.google.com/forum/#!topic/mozilla.dev.security.policy/RHsIInIjJA0 …
End of conversation
New conversation -
-
-
Do we know of any other CA's that use this?
-
While not the same as in using TLS-SNI-01 as defined by ACME draft, GlobalSign has supported a TLS certificate oriented validation mechanism and today noted that they may have a vulnerability herehttps://groups.google.com/forum/#!topic/mozilla.dev.security.policy/PiOiGCyuxCU …
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.