[cabfpub] Domain validation
Eddy Nigg
eddy_nigg at startcom.org
Fri Apr 17 21:01:53 UTC 2015
On 04/16/2015 07:15 PM, Gervase Markham wrote:
> On 16/04/15 17:07, Anoosh Saboori wrote:
>> I agree. It takes me back to my original comment: #6 (storing a random
>> value under a well-known folder) is not at par with other methods
>> outlined in this section.
> If some attacker is capable of placing arbitrary content in the
> .well-known/ folder on a webserver, it's highly likely they are capable
> of stealing the existing SSL certificate, which resides on the same
> filesystem and has to be webserver-readable.
Not necessarily - there is a lot of ready-to-run software that can be
installed on the server (public html) which allows placing content into
those folders from where it runs (many times through carelessness in not
applying the right permissions after install). Many attacks are also run
through such compromised sites, and it would be more than easy to get
certificates for them. Though most likely those are not the highest
profile sites, obviously, but still...
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
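The disagreement above turns on whether write access to `.well-known/` goes together with read access to the server's private key. The following audit script is an added example, not code from the thread or from StartCom: given the uid/gid the web server is assumed to run as (65534 here, a constructed value), it lists document-root directories that identity could write to and reports separately whether a key file is readable by it, so the two risks can be checked independently on a real host.

```python
import os
import stat
import tempfile

# Added audit helper (not from the thread): separates "web user can write to
# .well-known/" from "web user can read the private key", the two conditions
# the discussion treats as linked. Pure POSIX mode-bit logic; ACLs are ignored.

def _allows(st: os.stat_result, uid: int, gid: int, u: int, g: int, o: int) -> bool:
    """Classic POSIX check: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & u)
    if st.st_gid == gid:
        return bool(st.st_mode & g)
    return bool(st.st_mode & o)

def web_writable_dirs(docroot: str, uid: int, gid: int) -> list[dict]:
    """Return directories under docroot writable by the web-server identity."""
    out = []
    for dirpath, _, _ in os.walk(docroot):
        st = os.stat(dirpath)
        if _allows(st, uid, gid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
            rel = os.path.relpath(dirpath, docroot)
            out.append({"path": rel, "mode": oct(stat.S_IMODE(st.st_mode)),
                        "well_known": rel.split(os.sep)[0] == ".well-known"})
    return out

def key_readable_by(key_path: str, uid: int, gid: int) -> bool:
    """True if the web-server identity can read the private key file."""
    st = os.stat(key_path)
    return _allows(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def demo() -> dict:
    """Constructed layout: .well-known/ left world-writable after an install,
    key kept 0600 and owned by the current (non-web) user."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, ".well-known"))
    os.makedirs(os.path.join(docroot, "static"))
    os.chmod(docroot, 0o755)
    os.chmod(os.path.join(docroot, "static"), 0o755)
    os.chmod(os.path.join(docroot, ".well-known"), 0o777)  # the careless install
    key = os.path.join(base, "server.key")
    with open(key, "w") as fh:
        fh.write("PLACEHOLDER, not a real key\n")
    os.chmod(key, 0o600)
    web_uid = web_gid = 65534 if os.getuid() != 65534 else 65533  # assumed ids
    return {"writable": web_writable_dirs(docroot, web_uid, web_gid),
            "key_readable": key_readable_by(key, web_uid, web_gid)}
```

On a live host, replace the constructed layout with the real document root, key path and the account the web server actually runs as after dropping privileges.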