- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Fri, 10 May 2019 18:42:00 +0200
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
> On 10.05.2019 at 15:10, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> On Fri, May 10, 2019 at 12:46:53PM +0200, Stefan Eissing wrote:
>> Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted
>> about checking HTTP server certificates against CT logs to detect very early if someone
>> successfully hijacked one of your domains.
>>
>> A renewed certificate is often not immediately used on a server but activated on the
>> next restart which can be several hours away. To check if a certificate is mentioned in a
>> CT log, one would need to obtain information about upcoming certificates as well.
>
> If the certificate management is automated, the time window between
> obtaining the certificate from CA and deploying it to production
> is typically much faster than few hours, typically few seconds to few
> tens of seconds, although some setups deploy in sub-second timescales
> and some may take hundreds of seconds.
>
> This is because the clients typically reload the webserver after any
> run which changed the certificates (the craziest setups hot-reload from
> inotify, or something similar).

I wrote the ACME client in Apache httpd, and it does not reload right away. There is no need for that since renewal times are way before expiry. But I agree that many clients do, e.g. certbot for example.

> Regarding using CT for hijack detection, there are proposed mechanisms
> for CT "gossip" where clients send recently seen certificates or pointers
> thereof to the webserver, which can then alert admins on reports of
> unknown publicly trusted certificates. I do not think there are any
> concrete specifications about that however (only some drafts).

Offering the readonly information to checking clients seems like an easy and secure way, since the server does not need to open up a notification/reporting mechanism which can be abused as well. I was just wondering if there is an undesirable information leak this way that I had not seen.
Thanks, Stefan
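The reconciliation discussed above, as an added example that is not part of this thread or of the httpd ACME client: a monitor compares the certificates a CT log reports for a domain against what the server knows about, both the certificate currently deployed and the renewed one still waiting for the next restart (the "upcoming" set Stefan proposes exposing read-only). Only a certificate in neither set is worth an alert. The CT entries and DER blobs below are constructed stand-ins, and `classify_ct_entries` is a hypothetical helper.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded, the form most
    CT monitors report leaf certificates in."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class CTEntry:
    """One leaf certificate a CT log monitor reported for a domain (constructed)."""
    domain: str
    fingerprint: str
    issuer: str


def classify_ct_entries(entries: Iterable[CTEntry], deployed: Set[str],
                        pending: Set[str]) -> Dict[str, List[CTEntry]]:
    """Sort CT-observed certificates into what the server is serving now,
    what it has obtained but not yet activated, and what it has never seen.
    Without the pending set, a freshly renewed certificate would look like a
    hijack until the next restart, which is the false positive the thread
    is about."""
    result: Dict[str, List[CTEntry]] = {"deployed": [], "pending": [], "unknown": []}
    for entry in entries:
        if entry.fingerprint in deployed:
            result["deployed"].append(entry)
        elif entry.fingerprint in pending:
            result["pending"].append(entry)
        else:
            result["unknown"].append(entry)
    return result


# Constructed sample data: three fake "DER" blobs standing in for real certificates.
CURRENT_CERT = b"constructed-der: example.org, issued 2019-02, in use"
RENEWED_CERT = b"constructed-der: example.org, issued 2019-05, awaiting restart"
ROGUE_CERT = b"constructed-der: example.org, issued by a CA we never asked"

DEPLOYED = {fingerprint(CURRENT_CERT)}   # what the server serves right now
PENDING = {fingerprint(RENEWED_CERT)}    # obtained by the ACME client, not yet active

CT_SNAPSHOT = [
    CTEntry("example.org", fingerprint(CURRENT_CERT), "Expected CA"),
    CTEntry("example.org", fingerprint(RENEWED_CERT), "Expected CA"),
    CTEntry("example.org", fingerprint(ROGUE_CERT), "Unexpected CA"),
]


def unknown_certificates() -> List[CTEntry]:
    """Entries a defender should investigate: in CT, but neither deployed nor pending."""
    return classify_ct_entries(CT_SNAPSHOT, DEPLOYED, PENDING)["unknown"]
```

Feeding the pending set from the ACME client's own storage rather than from the live TLS handshake is what keeps the renewed-but-not-yet-activated certificate out of the alert list.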
Received on Friday, 10 May 2019 16:42:27 UTC