Possible Issue with Domain Validation Method 9 in a shared hosting environment

Based on reported issues with TLS-SNI-01, we started investigation of our systems late yesterday regarding the use of "Test Certificate" validation, BR section 3.2.2.4.9.

We found that this method may be vulnerable to some of the same underlying issues as the ACME TLS-SNI-01, so we disabled it at 10:51 AM today EST, January 11th.

While TLS-SNI-01 uses a host name like 773c7d.13445a.acme.invalid, GlobalSign uses the actual host name, www.example.com, which limits abuse, but we believe that the process might be vulnerable in some cases.

We're continuing to research this and will let you know what we find.

Doug


Doug Beattie
Vice President of Product Management
GlobalSign
Two International Drive | Suite 150 | Portsmouth, NH 03801
Email: doug.beattie@globalsign.com
www.globalsign.com

Doug
1/11/2018 9:50:54 PM
mozilla.dev.security.policy
