<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 04/16/2015 07:15 PM, Gervase Markham
wrote:<br>
</div>
<blockquote cite="mid:552FE036.1000209@mozilla.org" type="cite">
<pre wrap="">On 16/04/15 17:07, Anoosh Saboori wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I agree. It takes me back to my original comment: #6 (storing a random
value under a well-known folder) is not at par with other methods
outlined in this section.
</pre>
</blockquote>
<pre wrap="">
If some attacker is capable of placing arbitrary content in the
.well-known/ folder on a webserver, it's highly likely they are capable
of stealing the existing SSL certificate, which resides on the same
filesystem and has to be webserver-readable. </pre>
</blockquote>
<br>
Not necessarily - there are many ready-to-run software that can be
installed at the server (public html) which allow to place content
into those folders from where they run (carelessness of not applying
the right permissions after install many times). Many attacks are
also run through such compromised sites and it would be more than
easy to get certificates for them. Though most likely those are not
the highest profile sites obviously, but still...<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>