[cabfpub] Domain validation
gerv at mozilla.org
Thu Apr 16 16:15:50 UTC 2015
On 16/04/15 17:07, Anoosh Saboori wrote:
> I agree. It takes me back to my original comment: #6 (storing a random
> value under a well-known folder) is not at par with other methods
> outlined in this section.
If some attacker is capable of placing arbitrary content in the
.well-known/ folder on a webserver, it's highly likely they are capable
of stealing the existing SSL certificate, which resides on the same
filesystem and has to be webserver-readable. They have no need to get a
new one issued to them. They would also be capable of replacing other
content on the website, or telling the webserver to redirect everyone to
the attacker's site.
Given that, I think that there is no additional risk of doing
certificate issuance based on this method.
More information about the Public