
I think we're talking about slightly different scenarios. HTTP-01, for example, cannot be solved by just echoing back the file name the validation server requests because the client is supposed to return "token || '.' || base64(JWK_Thumbprint(accountKey))", but the file name is just "token".

dns-01 is not affected either because the requested label is always just "_acme-challenge.<FQDN>".
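As an added illustration of the key authorization the comment above describes (example code, not from any commenter): it builds the RFC 7638 JWK thumbprint (base64url, as RFC 8555 specifies) over a constructed placeholder EC JWK and a constructed token, and shows why a server that merely echoes the token back does not pass HTTP-01 validation.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    # Optional members such as "kid" or "alg" are deliberately left out.
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the HTTP-01 response must carry: token || '.' || thumbprint (RFC 8555 s8.1)."""
    return token + "." + jwk_thumbprint(account_jwk)


def validate_http01_body(body: str, token: str, account_jwk: dict) -> bool:
    """Validation-server side check; RFC 8555 lets trailing whitespace be ignored."""
    return body.rstrip() == key_authorization(token, account_jwk)


# Constructed EC P-256 JWK: the coordinates are placeholders, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "dGVzdC14", "y": "dGVzdC15", "kid": "acct-1"}
# Constructed token; a real one is random, server-issued and base64url encoded.
TOKEN = "c29tZS1yYW5kb20tdG9rZW4tZnJvbS1jYQ"

if __name__ == "__main__":
    print("expected body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("echoing just the token passes?", validate_http01_body(TOKEN, TOKEN, ACCOUNT_JWK))
```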



Any links to discussions on this topic? Sounds suspiciously like SNI proxies.


I'm not aware of any public discussion of the ongoing incident. This[1] is the thread on the ACME WG mailing list that led to tls-sni-02 being introduced.

[1]: https://mailarchive.ietf.org/arch/msg/acme/s8gaZ6ev-iqoSQjOZ...



