'

Let's Encrypt disables TLS-SNI-01 validation

It is possible to exploit the protocol to obtain certificates for domains you do not own.

hackingx1filephoto.png
File Photo

Let's Encrypt has disabled TLS-SNI-01 validation after the discovery of an attack able to hijack certificates using the protocol.

The certificate authority, which offers free SSL and TLS certificates to webmasters, received a report from Detectify security professional and bug bounty hunter Frans Rosén which suggested the TLS-SNI-01 system could be abused.

On 9 January, Rosén reported that by making use of the ACME TLS-SNI-01 challenge type, it was possible to exploit a number of shared hosting infrastructures and networks in order to obtain certificates for domains that you do not own.

According to a community forum post by Josh Aas, ISRG Executive Director, the attack method was quickly confirmed by Let's Encrypt, which disabled the validation type to mitigate the issue.

The exploit exists due to the ACME protocol's TLS-SNI-01 challenge procedure. The ACME server -- or certificate authority -- validates a domain name by generating a random token and communicating it to a client.

This client then uses the token to create a self-signed certificate with a specific, invalid hostname, and the domain name's web server is validated to serve that certificate.

The ACME server then looks up the domain name's IP addresses, initializes a TLS connection, and sends the invalid hostname to the SNI extension. If the response is a self-signed certificate which contains the hostname, the client is considered to be in control of the domain name and is therefore permitted to issue certificates for it.

However, the researcher noticed that "at least two" large hosting providers host many users on the same IP address and users are able to upload certificates for arbitrary names without proving they have control of a domain.

When both of these conditions are in play, a successful exploit of TLS-SNI-01 is possible.

When the issue was reported, Let's Encrypt rapidly disabled the validation protocol in Let's Encrypt. However, this challenge type is common for obtaining certificates, and so the move is only to be a stopgap until mitigations are in place.

"It's important that we restore service if possible, though we will only do so if we're confident that the TLS-SNI-01 challenge type is sufficiently secure," the organization says. "At this time, we believe that the issue can be addressed by having certain services providers implement stronger controls for domains hosted on their infrastructure."

See also: How to use Let's Encrypt to secure your websites

In order to prevent too much disruption to major services, Let's Encrypt decided to re-enable the challenge for some providers "who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general," according to the organization.

Others have been made aware of this attack and mitigations are being deployed, but if providers do not tackle the problem, their use of the TLS-SNI-01 challenge type will be blocked to protect users.

Previous and related coverage