I'm doing some research for a podcast recording tomorrow and I really appreciate a clearly written RFC. Props to all the technical writers doing good work! datatracker.ietf.org/doc/html/rfc... - ThreadSky

About ThreadSky

drewcm.bsky.social • 114 days ago

I'm doing some research for a podcast recording tomorrow and I really appreciate a clearly written RFC. Props to all the technical writers doing good work!

https://datatracker.ietf.org/doc/html/rfc8555

Comments

naturalnetworks.net•114 days ago

That particular RFC was a lifesaver when I was adapting the certificate automation for Avi Load Balancer from LE to DigiCert. Technical writers are the unsung heroes of, well, most things.

chrismarget.bsky.social•114 days ago

Depending on who you're talking to, it may be interesting to explore the somewhat hilarious reason tls-sni-01 was deprecated.

drewcm.bsky.social•114 days ago

What was the reason?

chrismarget.bsky.social•114 days ago

Details required to complete the SNI challenge are not communicated exclusively out-of-band. They're also part of the request when validating the challenge.

So, anybody (attacker or otherwise) can respond to the challenge.

chrismarget.bsky.social•114 days ago

As it turns out, some multi tenant web hosts crafted dynamic replies which satisfied the challenge, inadvertently granting evil customers certificates for their innocent victim customers.

drewcm.bsky.social•114 days ago

Yikes!

chrismarget.bsky.social•114 days ago

The details were a specific hostname in a temporary server certificate. To provoke the response, the validation host had to say "hello $randomName"

Some web hosts will fabricate an appropriate certificate on the fly, I guess.

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply