There should be a way for a DNS owner to limit the challenge methods to whatever the DNS owner sees fit. Currently I couldn't find such support in the CAA DNS record, but I think such a mechanism must exist.
And here is my real-life (almost) scenario that is causing me the headaches.
So we have web-based software for bars and restaurants (or any other type of business, for that matter). Since for some clients it is unacceptable to be Internet dependent, we have an option (which most of our clients use) to install the software on a computer on the client's premises. Since it is web based, we set up port forwarding on the router so the client can access the administration interface from home, for example. Or he might have an integration with an Internet store, where the store should make a connection to the server and use the API to make orders.
As security is a major concern, we issue subdomain certificates under our domain for each of our clients, so the communication is secure. We have all the measures in place to secure the server from unauthorized access.
Recently, however, we discovered that the MikroTik router of the client had been hacked. The hacker put an HTTP proxy in place and utilized it the following way:
On every first request to a site it returns a 403 Forbidden response, where in the response body it puts HTML that includes a JS file from another site that mines a cryptocurrency; then it launches the script and creates a frame that loads the originally requested site. On every other consecutive request to the same site the proxy just passes the request through to the original destination.
So every request from within or from the outside would go through the same scenario, and the result would be that in the client's browser they would have the wanted site but would also have code that is mining crypto in the background.
We (or every other site) could combat this by setting the X-Frame-Options: deny header in the request; however, the proxy could actually just strip those when serving to the client.
Even though the hacker didn't get that far, it got us thinking. Since our subdomain is pointing to the router IP address, the hacker could just as well make a request to Let's Encrypt for issuing a certificate using the HTTP-01 challenge and would have no problem responding to the challenge, since he controls the router. That way the hacker could even start returning valid SSL responses with an appropriate certificate.
We already issue the certificates with DNS-01, so the easiest way to protect ourselves and our clients would be to somehow forbid the HTTP-01 challenge or limit it to HTTPS with a valid, already issued certificate.
So there you have it. If there were a way to limit the acceptable validation challenges, it would increase security and would allow the domain owner to determine how someone can pose a challenge in his name.
If such a method already exists, please excuse my ignorance. I couldn't find it.
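Added example (editor's illustration, not part of the original post and not Let's Encrypt's code): the restriction the post asks for is what the CAA `validationmethods` parameter of RFC 8657 provides on top of the base CAA rules of RFC 8659. The Python below mirrors the check a CA performs against a name's CAA RRset before issuing, so a zone owner can see what a given set of records actually permits. It handles the issuer-critical flag, `issue` versus `issuewild`, an empty issuer (authorizes no CA) and the `validationmethods` list. The sample records are constructed for the example; fetching the RRset (and walking up to parent labels when a name has none) is out of scope, and treating a record with an unrecognised parameter as granting nothing is a conservative assumption of this example rather than a quoted rule.

```python
"""
Evaluate a CAA RRset the way a CA does before issuing (RFC 8659), including
the `validationmethods` parameter of RFC 8657, which lets a zone owner
restrict which ACME challenge types a named CA may use for the name.

SAMPLE_RECORDS is constructed for this example and is not a real zone.
Functions take already-fetched presentation-format records; DNS lookup and
the parent-label climb of RFC 8659 are out of scope.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CRITICAL_FLAG = 128                                   # RFC 8659 s4.1 issuer-critical bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
KNOWN_PARAMS = {"validationmethods", "accounturi"}    # parameters defined by RFC 8657

# Constructed sample zone: only Let's Encrypt, only via DNS-01, and no wildcard
# issuance by anyone (the empty issuer in issuewild authorizes no CA).
SAMPLE_RECORDS = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 issuewild ";"',
]


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


@dataclass
class IssueAuthorization:
    issuer: Optional[str]                             # None: empty issuer, authorizes nobody
    params: Dict[str, str] = field(default_factory=dict)


_RDATA_RE = re.compile(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*')


def parse_caa_rdata(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as '0 issue "letsencrypt.org"'."""
    m = _RDATA_RE.fullmatch(rdata)
    if not m:
        raise ValueError(f"not CAA presentation format: {rdata!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def parse_issue_value(value: str) -> IssueAuthorization:
    """Split 'issuer-domain; key=value; ...' into the issuer and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower() or None
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return IssueAuthorization(issuer, params)


def may_issue(records: List[str], ca_domain: str, method: str,
              wildcard: bool = False) -> bool:
    """True if `ca_domain`, validating with ACME `method` ('http-01', 'dns-01',
    'tls-alpn-01'), is permitted by these CAA records to issue for the name."""
    caa = [parse_caa_rdata(r) for r in records]

    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in caa):
        return False

    # issuewild governs wildcard requests only when present; otherwise issue applies.
    use_wild = wildcard and any(r.tag == "issuewild" for r in caa)
    relevant = [r for r in caa if r.tag == ("issuewild" if use_wild else "issue")]
    if not relevant:
        return True                                   # nothing published for this case

    for r in relevant:
        auth = parse_issue_value(r.value)
        if auth.issuer != ca_domain.lower():
            continue
        # Assumption (conservative): a parameter this evaluator does not know
        # means the record grants nothing, since the owner's intent cannot be honoured.
        if not set(auth.params) <= KNOWN_PARAMS:
            continue
        allowed = auth.params.get("validationmethods")
        if allowed is None:
            return True                               # no method restriction on this record
        if method.lower() in {m.strip().lower() for m in allowed.split(",")}:
            return True
    return False


if __name__ == "__main__":
    for ca, meth, wild in [("letsencrypt.org", "dns-01", False),
                           ("letsencrypt.org", "http-01", False),
                           ("other-ca.example", "dns-01", False),
                           ("letsencrypt.org", "dns-01", True)]:
        print(f"{ca:18} {meth:8} wildcard={wild!s:5} -> "
              f"{may_issue(SAMPLE_RECORDS, ca, meth, wild)}")
```

With the sample records, the scenario from the post (an attacker on the router answering HTTP-01 for the client's subdomain) evaluates to "not permitted", while the owner's own DNS-01 issuance still succeeds. The record must be published at or above the exact name the CA will check, and it only binds CAs that implement the parameter, so verify the CA's documentation rather than relying on the record alone.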