Earlier this month, Let’s Encrypt spotted an issue in the ACME protocol’s TLS-SNI-01 challenge process. Cyber attackers could have used this vulnerability to obtain certificates for domains they did not own.
Here’s what could happen if hosting providers aren’t carefully controlling subdomains: “The ACME server looks up the domain name’s IP address, initiates a TLS connection, and sends the specific .acme.invalid hostname in the SNI extension,” said ISRG executive director, Josh Aas. “If the response is a self-signed certificate containing that hostname, the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it.” But the problem is that the requester may or may not be the owner of that domain.
As a result of the vulnerability, Let’s Encrypt disabled TLS-SNI-01 for most major web service providers. Let’s Encrypt’s quick response is commendable; however, there is only so much the certificate authority can do when responding to these kinds of events.
“Let’s be clear -- this is really about weak security practices by some hosting providers,” says Hari Nair, director of cryptographic research for Venafi. “Let’s Encrypt has mitigated the damage to a certain extent, but ultimately, the effectiveness of their steps depends on how well hosting providers implement certificate security on their end.”
Despite the intensity of this issue, it may be a while before we see an industry-wide response. “It’s possible that there could be a spate of revocations in response to this event,” Nair continues. “The reality is that detection of mis-issued certificates is extremely hard and checking for revocation status is not something that the industry has traditionally done well, so it’s not clear how much impact revocations will have.”
However, we may see additional impact and revocations due to the evolving relationship between CAs and web browser companies.
“Google’s move to require Certificate Transparency for *all* certificates, including DV certs, will help surface these kinds of issues sooner, but that move is currently slated for April 2018. In the meantime, the only thing organizations can do to protect themselves is to stay vigilant in their efforts to monitor for mis-issued or maliciously issued certificates. The problem is that the vast majority of organizations don’t have the technology they need to do this,” concludes Nair.
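The monitoring Nair recommends can be run against Certificate Transparency log data. The following is an added example, not code from Let’s Encrypt or Venafi: the record fields, domain inventory, issuer names and fingerprints are all constructed, and it assumes CT log entries have already been fetched and parsed.

```python
from dataclasses import dataclass

# Constructed inventory: domains the organization owns, and the certificates it
# knowingly requested, keyed by (issuer name, public-key fingerprint).
OWNED_DOMAINS = {"example.com", "example.org"}
EXPECTED = {("Expected CA 1", "ab12"), ("Expected CA 2", "cd34")}


@dataclass(frozen=True)
class CTEntry:
    """One logged certificate; the field names are assumptions for this example."""
    sans: tuple   # subject alternative names in the certificate
    issuer: str   # issuing CA name
    key_fp: str   # fingerprint of the certificate's public key


def covers_owned(san, owned=OWNED_DOMAINS):
    """True if a SAN names an owned domain or any subdomain of one."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its base
        name = name[2:]
    # Match on a label boundary so look-alikes such as "notexample.com" or
    # "example.com.unrelated.test" are not treated as ours.
    return any(name == d or name.endswith("." + d) for d in owned)


def unexpected_certs(entries, expected=EXPECTED):
    """Return (entry, matching SANs) for certificates that cover our names
    but were not issued by a CA and key pair we have on record."""
    findings = []
    for e in entries:
        hits = [s for s in e.sans if covers_owned(s)]
        if hits and (e.issuer, e.key_fp) not in expected:
            findings.append((e, hits))
    return findings


# Constructed sample of parsed CT log entries.
SAMPLE = [
    CTEntry(("www.example.com",), "Expected CA 1", "ab12"),                    # known
    CTEntry(("shop.example.com", "*.example.org"), "Expected CA 1", "ff99"),   # unknown key
    CTEntry(("example.com.unrelated.test",), "Other CA", "0000"),              # not ours
    CTEntry(("notexample.com",), "Other CA", "1111"),                          # not ours
]

if __name__ == "__main__":
    for entry, hits in unexpected_certs(SAMPLE):
        print("review:", hits, "issued by", entry.issuer, "key", entry.key_fp)
```

Each finding is a candidate for investigation and, if confirmed as mis-issued, a revocation request to the issuing CA.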