Hackers can obtain fraudulent HTTPS certificates through Let's Encrypt; Let's Encrypt takes urgent measures

Source: Internet
Author: User
Tags: shared hosting


Frans Rosén, a security researcher at Detectify, a web application security automated scanning service, recently found that under specific circumstances the TLS-SNI-01 and TLS-SNI-02 validation methods allow attackers to obtain HTTPS certificates for other people's websites.

The certificate authority Let's Encrypt says that, because too many shared hosting and infrastructure services break the assumptions behind TLS-SNI validation, it has stopped issuing certificates through TLS-SNI validation as of today and is revising the validation process. Let's Encrypt encourages users to switch to HTTP or DNS validation wherever possible.

After Frans Rosén reported on January 9 that TLS-SNI-01 validation was at risk, Let's Encrypt concluded that TLS-SNI-02, the successor mechanism, has the same problem, and disabled TLS-SNI validation altogether.

TLS-SNI is one of the three challenge types in the Automated Certificate Management Environment (ACME) protocol that Let's Encrypt uses to prove control of a domain, alongside HTTP-01 and DNS-01. In a TLS-SNI-01 challenge the CA connects over TLS to the IP address the domain resolves to, sends a challenge-specific name under .acme.invalid as the SNI value, and accepts if the server presents a self-signed certificate for that name. Frans Rosén found that, in specific circumstances, this lets an attacker obtain HTTPS certificates for other people's websites.

The attacker looks for a domain name that points at a shared hosting service and gets that service to answer the validation for it. For example, suppose a company's domain fakecert.com points to a cloud service that the company does not itself operate. The attacker can open a new account on that cloud service, configure under the new account an HTTPS endpoint on the same shared IP address that presents the certificate the TLS-SNI-01 challenge asks for, and then request a certificate for fakecert.com from Let's Encrypt, which validates against that shared IP and issues it. The resulting forged website looks exactly like the real one.

The cause of this risk is not a flaw in the TLS-SNI validation code but a process-control problem. Many hosting services do not verify that a customer owns the domain or certificate names they configure. When a hosting service puts multiple customers behind the same IP address, an interested party can use Let's Encrypt's TLS-SNI-01 validation to obtain certificates for other tenants' websites; both AWS CloudFront and Heroku were found to carry this risk.

Frans Rosén recommends three ways to reduce the risk: stop using TLS-SNI-01; have hosting providers blacklist certificate names under .acme.invalid so that no customer can upload a certificate for them; and use other validation methods. Let's Encrypt has also stopped issuing certificates through the TLS-SNI-01 mechanism and requires users to switch to HTTP-01 or DNS-01.
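To make the attack and the .acme.invalid blacklist concrete, the following Python model is an added example and is not code from the article, from Let's Encrypt, or from Frans Rosén's write-up. It derives the TLS-SNI-01 challenge name the way the ACME draft specifies (Z = SHA-256 of the key authorization, split into two 32-hex-character labels under .acme.invalid, with the account key thumbprint computed per RFC 7638), then simulates a shared host that selects certificates purely by SNI and a CA that validates against whatever IP the domain resolves to. The JWK modulus, challenge token, tenant names, the domain victim.example and the address 192.0.2.10 are all constructed for the example; the SharedHost class is a simplification and does not represent any particular provider's software.

```python
import base64
import hashlib
import json


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: base64url(SHA-256) over the canonical
    JSON of the required members (e, kty, n), keys sorted, no whitespace."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def tls_sni_01_name(token, thumbprint):
    """Name the CA sends as SNI: Z = hex(SHA-256(token.thumbprint)),
    presented as Z[0:32].Z[32:64].acme.invalid (ACME draft tls-sni-01)."""
    key_authorization = f"{token}.{thumbprint}"
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


class SharedHost:
    """Simplified multi-tenant host: one IP, certificate chosen by SNI only.
    Nothing ties an uploaded certificate name to the tenant owning the domain."""

    def __init__(self, reject_acme_invalid=False):
        self.reject_acme_invalid = reject_acme_invalid   # the blacklist mitigation
        self.certs = {}  # SNI name -> (tenant, list of SAN names)

    def upload_cert(self, tenant, san_names):
        for name in san_names:
            if self.reject_acme_invalid and name.endswith(".acme.invalid"):
                raise PermissionError(f"{tenant}: .acme.invalid names are reserved")
            if name in self.certs:
                raise ValueError(f"{name} already claimed by another tenant")
        for name in san_names:
            self.certs[name] = (tenant, list(san_names))

    def handshake(self, sni):
        """Return the SAN list of the certificate served for this SNI, or None."""
        entry = self.certs.get(sni)
        return entry[1] if entry else None


def validate_tls_sni_01(dns, hosts, domain, token, thumbprint):
    """CA side: resolve the domain, connect to that IP with the challenge name
    as SNI, and accept if the presented certificate carries that name."""
    expected = tls_sni_01_name(token, thumbprint)
    ip = dns[domain]
    presented = hosts[ip].handshake(expected)
    return presented is not None and expected in presented


def run_scenario(reject_acme_invalid):
    """Victim's domain resolves to a shared IP; the attacker is another tenant.
    Returns True if the attacker's ACME account gets validated for the victim."""
    host = SharedHost(reject_acme_invalid=reject_acme_invalid)
    hosts = {"192.0.2.10": host}                       # constructed address
    dns = {"victim.example": "192.0.2.10"}             # constructed victim domain
    host.upload_cert("victim-tenant", ["victim.example"])

    # Constructed account key; "n" is not a real RSA modulus.
    attacker_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    thumbprint = jwk_thumbprint(attacker_jwk)
    token = "constructed-challenge-token"              # in reality issued by the CA
    challenge_name = tls_sni_01_name(token, thumbprint)

    try:
        # The attacker only needs to upload a self-signed cert for the challenge
        # name; the host never asks whether the attacker owns victim.example.
        host.upload_cert("attacker-tenant", [challenge_name])
    except PermissionError:
        return False   # hardened host refuses the reserved name
    return validate_tls_sni_01(dns, hosts, "victim.example", token, thumbprint)


if __name__ == "__main__":
    print("vulnerable host validates attacker:", run_scenario(False))
    print("hardened host validates attacker:", run_scenario(True))
```

With the blacklist off the CA accepts the attacker's account for victim.example even though the attacker never touched the victim's DNS or account, which is exactly the process-control gap described above; with the blacklist on, the upload is refused and validation fails. Requiring tenants to prove ownership of every certificate name they upload would close the same hole more generally.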
