Attackers can obtain fraudulent HTTPS certificates: Let's Encrypt takes urgent measures
Frans Rosén, a security researcher at the web application security scanning service Detectify, recently found that the TLS-SNI-01 and TLS-SNI-02 validation methods let attackers obtain HTTPS certificates for other people's websites under specific circumstances.
The certificate authority Let's Encrypt says that because too many shared hosting and infrastructure providers break the assumptions behind TLS-SNI validation, it is halting issuance based on TLS-SNI validation as of today and will update its validation methods. Let's Encrypt encourages users to switch to HTTP or DNS validation wherever possible.
Rosén reported the risk in TLS-SNI-01 validation to Let's Encrypt on January 9, 2018. Because its successor mechanism, TLS-SNI-02, was judged to share the same problem, Let's Encrypt disabled TLS-SNI validation as a whole.
TLS-SNI is one of the three challenge types in the Automated Certificate Management Environment (ACME) protocol that Let's Encrypt uses to validate control of a domain before issuing a certificate, alongside HTTP-01 and DNS-01. In a TLS-SNI challenge the CA resolves the domain, connects to that IP address, sends a challenge-specific Server Name Indication (SNI) value, and accepts the request if the server presents a certificate carrying that name. Rosén found that, under specific circumstances, TLS-SNI-01 and TLS-SNI-02 allowed attackers to obtain HTTPS certificates for others' websites.
An attacker looks for a domain that points at a shared hosting service and gets an unauthorized certificate issued for it. For example, suppose a company's domain fakecert.com points at a cloud service on which many customers share the same IP address. The attacker can open a new account at that provider, upload under that account an HTTPS certificate that answers the TLS-SNI-01 challenge for fakecert.com, and have Let's Encrypt validate and issue a browser-trusted certificate for fakecert.com, so that a counterfeit site would look exactly like the real one.
The root cause is not a flaw in the TLS-SNI validation program itself but a process-control problem. Many hosting providers do not verify domain ownership, especially when the provider lets multiple customers share the same IP address, which makes it easier for a malicious party to use Let's Encrypt and the TLS-SNI-01 mechanism to obtain a certificate for someone else's website. Both AWS CloudFront and Heroku were exposed to this risk.
Rosén recommends three ways to reduce the associated risk: stop using TLS-SNI-01; have hosting providers blacklist certificate names under .acme.invalid so that no tenant can upload one; and use other validation methods. Let's Encrypt has also stopped issuing certificates through the TLS-SNI-01 mechanism and requires users to switch to HTTP-01 or DNS-01.
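The following is an added example, not code from the article, from Detectify, or from Let's Encrypt. It simulates, with the standard library only, the TLS-SNI-01 name derivation, a shared-IP hosting provider that routes TLS connections by SNI without checking domain ownership, and the CA's validation step. Running the scenario once without and once with the .acme.invalid blacklist shows why the attack described above succeeds and how the second of Rosén's mitigations stops it. The domain fakecert.com is the article's own; the IP address, tenant names, the account-key thumbprint and the class names are constructed for this example.

```python
from __future__ import annotations

import hashlib
import secrets


def tls_sni_01_name(token: str, thumbprint: str) -> str:
    """SAN an ACME client must present for TLS-SNI-01.

    keyAuthorization = token "." JWK thumbprint of the ACME account key,
    Z = hex(SHA-256(keyAuthorization)), SAN = Z[0:32] "." Z[32:64] ".acme.invalid".
    """
    z = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


class SharedHost:
    """Hosting provider where tenants share one IP and TLS is routed by SNI.

    The weakness: any tenant may upload a certificate for any name; nothing
    checks that the tenant controls that name. With blacklist_acme_invalid=True
    the provider refuses names under .acme.invalid (the mitigation suggested
    for hosting providers), so no tenant can answer a TLS-SNI-01 challenge.
    """

    def __init__(self, blacklist_acme_invalid: bool = False) -> None:
        self.blacklist = blacklist_acme_invalid
        self.certs: dict[str, tuple[str, list[str]]] = {}  # SNI name -> (tenant, SANs)

    def upload_cert(self, tenant: str, sans: list[str]) -> None:
        if self.blacklist and any(s.endswith(".acme.invalid") for s in sans):
            raise ValueError("certificates for names under .acme.invalid are not accepted")
        for san in sans:
            self.certs[san] = (tenant, sans)  # latest upload for a name wins

    def handshake(self, sni: str):
        """(tenant, SANs) of the certificate served for this SNI, or None."""
        return self.certs.get(sni)


class ACMEServer:
    """Minimal CA side: hands out a token, then validates TLS-SNI-01 by
    'connecting' to the IP the domain resolves to and inspecting the
    certificate served for the expected SNI."""

    def __init__(self, dns: dict[str, str], hosts: dict[str, SharedHost]) -> None:
        self.dns = dns      # constructed DNS: domain -> IP
        self.hosts = hosts  # constructed network: IP -> host

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def validate_tls_sni_01(self, domain: str, token: str, thumbprint: str):
        expected = tls_sni_01_name(token, thumbprint)
        host = self.hosts[self.dns[domain]]
        served = host.handshake(expected)
        if served is None:
            return False, None
        tenant, sans = served
        return expected in sans, tenant


def run_scenario(blacklist_acme_invalid: bool) -> dict:
    """A fresh tenant ('attacker') requests a certificate for fakecert.com,
    which belongs to another tenant of the same shared host."""
    host = SharedHost(blacklist_acme_invalid)
    host.upload_cert("victim-corp", ["fakecert.com"])  # legitimate tenant's site
    ca = ACMEServer(dns={"fakecert.com": "203.0.113.10"},
                    hosts={"203.0.113.10": host})

    attacker_thumbprint = "attacker-account-key-thumbprint"  # constructed value
    token = ca.new_challenge()  # the CA gives the token to the attacker's account
    result = {"validated": False, "answered_by": None, "upload_rejected": False}
    try:
        # The attacker knows both inputs to the SAN, so he can answer the
        # challenge from his own account on the shared IP.
        host.upload_cert("attacker", [tls_sni_01_name(token, attacker_thumbprint)])
    except ValueError:
        result["upload_rejected"] = True
    ok, tenant = ca.validate_tls_sni_01("fakecert.com", token, attacker_thumbprint)
    result["validated"], result["answered_by"] = ok, tenant
    return result


if __name__ == "__main__":
    print("no mitigation:           ", run_scenario(False))
    print(".acme.invalid blacklisted:", run_scenario(True))
```

Without the blacklist the CA's connection to the victim's IP is answered by the attacker's certificate, because the shared host selects certificates purely by SNI; with the blacklist the upload is refused and validation fails. HTTP-01 and DNS-01 are not modelled here because they do not depend on which tenant answers a TLS handshake on a shared IP.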