[cabfpub] Domain validation

Eddy Nigg eddy_nigg at startcom.org
Fri Apr 17 21:01:53 UTC 2015

On 04/16/2015 07:15 PM, Gervase Markham wrote:
> On 16/04/15 17:07, Anoosh Saboori wrote:
>> I agree. It takes me back to my original comment: #6 (storing a random
>> value under a well-known folder) is not at par with other methods
>> outlined in this section.
> If some attacker is capable of placing arbitrary content in the
> .well-known/ folder on a webserver, it's highly likely they are capable
> of stealing the existing SSL certificate, which resides on the same
> filesystem and has to be webserver-readable.

Not necessarily - there are many ready-to-run software that can be 
installed at the server (public html) which allow to place content into 
those folders from where they run (carelessness of not applying the 
right permissions after install many times). Many attacks are also run 
through such compromised sites and it would be more than easy to get 
certificates for them. Though most likely those are not the highest 
profile sites obviously, but still...

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150418/4fd4d040/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150418/4fd4d040/attachment-0001.p7s>

More information about the Public mailing list