[cabfpub] Domain validation

Gervase Markham gerv at mozilla.org
Thu Apr 16 16:15:50 UTC 2015

On 16/04/15 17:07, Anoosh Saboori wrote:
> I agree. It takes me back to my original comment: #6 (storing a random
> value under a well-known folder) is not at par with other methods
> outlined in this section.

If some attacker is capable of placing arbitrary content in the
.well-known/ folder on a webserver, it's highly likely they are capable
of stealing the existing SSL certificate, which resides on the same
filesystem and has to be webserver-readable. They have no need to get a
new one issued to them. They would also be capable of replacing other
content on the website, or telling the webserver to redirect everyone to
the attacker's site.

Given that, I think that there is no additional risk of doing
certificate issuance based on this method.


More information about the Public mailing list