Let’s Encrypt disables validation method due to shared hosting issue


Let’s Encrypt has disabled domain validation via tls-sni, because in some cases this makes it possible to request a certificate for a domain that does not belong to the requesting party. The organization is working on a solution.

In a post on its website, Let’s Encrypt explains that it recently received a warning from Frans Rosén of Detectify that he was able to request a certificate via a tls-sni-01 challenge, part of the acme protocol, for a domain that does not belong to him. The organization says this has to do with a certain shared hosting construction and that it is now in talks with hosting providers that are vulnerable. In this way, Let’s Encrypt wants to be able to offer the validation method again quickly by blocking only the providers in question.

The problem only occurs if a hosting provider hosts many users under the same IP address and if those users can upload certificates for arbitrary names without proving ownership of the domain. According to Let’s Encrypt, this is in any case the situation at two major providers. For example, if an attacker has a site behind the same shared IP address that the target’s DNS points to, he could eventually obtain a certificate for that domain by using the said challenge. By serving a certificate for the special acme.invalid validation name during the validation process, the attacker can convince the acme server that he is authorized to obtain certificates for that domain.
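The two conditions above can be modelled on the provider's side: several tenants share one IP, SNI selects which uploaded certificate answers, and the upload policy either checks ownership or does not. The following is an added illustration, not code from Let’s Encrypt or any hosting provider; the tenant names, domains and the validation token are constructed sample data.

```python
"""Model of the tls-sni-01 weakness on a shared-IP host and the upload check
that closes it. Added illustration; names, domains and token are constructed."""
from dataclasses import dataclass, field

ACME_VALIDATION_SUFFIX = ".acme.invalid"   # name form tls-sni-01 looked for in SNI


@dataclass
class Tenant:
    name: str
    verified_domains: set            # names the provider has proven the tenant owns
    certs: list = field(default_factory=list)   # each cert: set of SAN names


class SharedHost:
    """Many tenants answer on one IP; SNI picks which uploaded cert is served."""
    def __init__(self, strict_uploads):
        self.strict = strict_uploads
        self.tenants = {}

    def add_tenant(self, tenant):
        self.tenants[tenant.name] = tenant

    def upload_cert(self, tenant_name, sans):
        """Return True if the certificate is accepted for serving on the shared IP."""
        tenant = self.tenants[tenant_name]
        if self.strict:
            for san in sans:
                if san.lower().endswith(ACME_VALIDATION_SUFFIX):
                    return False     # never serve an ACME validation name for a tenant
                if san.lower() not in tenant.verified_domains:
                    return False     # tenant must have proven ownership of every name
        tenant.certs.append({s.lower() for s in sans})
        return True

    def serve(self, sni):
        """Which tenant's cert answers a TLS handshake for this SNI name, if any."""
        for tenant in self.tenants.values():
            if any(sni.lower() in cert for cert in tenant.certs):
                return tenant.name
        return None


def validation_outcome(strict):
    """(cert accepted?, challenge satisfied by a tenant who does not own target?)
    The validator connects to the shared IP with the challenge name as SNI and
    checks the served cert carries it, so on a lax host any tenant can answer."""
    host = SharedHost(strict_uploads=strict)
    host.add_tenant(Tenant("target", {"target.example"}))
    host.add_tenant(Tenant("other", {"other.example"}))
    token_name = "abc123.def456" + ACME_VALIDATION_SUFFIX   # constructed token
    accepted = host.upload_cert("other", [token_name])
    return accepted, host.serve(token_name) == "other"
```

With lax uploads the other tenant's certificate is what the validator sees for the challenge name, so the check passes for a domain that tenant does not own; with the strict policy the upload is refused and nothing answers.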

In a post to Hacker News, Josh Aas of Let’s Encrypt says there is no reason to believe that malicious parties have used this method. Certificates are used to encrypt internet traffic between a client and a host, for example when a user visits a particular website. The leak would, for example, allow a man-in-the-middle attack.
