Hackers can be faked HTTPS certification, Let’s Encrypt emergency measures
Frans Rosén, Security Researcher at Detectify, found that TLS-SNI-01 and TLS-SNI-02 allow hackers to get HTTPS authentication from other people’s websites under certain circumstances
I found an issue with ACME TLS-SNI-01/02 used by Let's Encrypt. Here's the first announcement with some details. https://t.co/wseskEskLf
— Frans Rosén (@fransrosen) January 10, 2018
Let’s Encrypt, a certification authority, said that Let’s Encrypt encourages users to try and replace as much as possible due to too many shared hosting and infrastructure services that violate TLS-SNI authentication, with the immediate end of certification of TLS-SNI validation, and the renewal of validated certificates Into HTTP or DNS authentication.
Frans Rosén, Security Researcher, Web Application Security Detectify found that the TLS-SNI-01 validation reported to Let’s Encrypt on January 9 poses a risk and that the TLS-SNI-02 validation, which is considered as its successor, has the same problem, Let’s Encrypt also disables TLS-SNI verification.
TLS-SN I is one of Let’s Encrypt’s three Automatic Certificate Management Environment (ACME) requests for TLS authentication protocols. Frans Rosén found that TLS-SNI-01 and TLS-SNI-02 allow hackers to obtain HTTPS authentication of others’ websites under certain circumstances.
Hackers can find a separate domain name pointing to the hosting service, adding unauthorized certifications to the domain name to make it real. For example, a company with a fakecert.com domain will point its location to a cloud service that is not fakecert.com, and a hacker will have the opportunity to enable a brand new account for that cloud service and add a new account for fakecert.com Server, then use Let’s Encrypt’s TLS-SNI-01 authentication service to authenticate HTTPS so that fake websites look the same.
The reason for this risk is not a flaw in the TLS-SNI verification program, but a matter of process control. Many hosting services do not verify ownership of the domain. In particular, when hosting services provide multiple users share the same IP, it is more likely to let trusted people use Let’s Encrypt and obtain the certification of others’ websites through the TLS-SNI-01 authentication mechanism. It’s a risk that AWS CloudFront or Heroku both have.
Frans Rosén suggested three ways to reduce the risk involved, first off TLS-SNI-01, then set .acme.invalid into the blacklist, and finally for other validated methods. Let’s Encrypt also ceases to issue certificates through the TLS-SNI-01 mechanism, requiring users to use HTTP-01 or DNS-01 instead.
