so pretty much like veryfying ownership of domain for Google Webmaster tools put a file on the domain and finish.
I didnt think that this was an LE specific term, obvious that I found nothing that makes sense on Google
Yup basically the same 
With Android defragmentation with every phone manufacturer having their
own Android builds, the responsiveness to updates for patches to
stagefright etc have been slower.
There are two issues to consider.
First, âearlyâ version of Android suffered the problem. Early versions are versions prior to Ice Cream Sandwich (ICS). These devices also had the certificate store burned into ROM and part of the image, so there was no way to update it. The OEM abandoned the devices after the sale, and thereâs nothing you can do about it to fix it.
Second, âlaterâ version of Android address the problem. Ice Cream Sandwich (ICS) allows the certificate store to be updated in the field without a new image. For details (and some very good reading), see Nikolay Elenkovâs blog Android Explorations and his article ICS Credential Storage Implementation.
A final issue to consider is Apple and Windows Phone suffers this too. They abandon OSâes as quickly as some of the phone manufacturers. Its mentioned as a footnote because this discussion concerned Android.
An interesting facet of the problem on Windows Phone: OEMs are contractually obligated to apply Windows Phone updates. For a discussion, see Alan Meeusâ Windows Phone: Security Deep Dive . However, it does not address (1) what Microsoft puts in the store (or omits from the store); and (2) Microsoft abandoning the operating system.
(And sorry about not providing links. This stupid bulletin board software made me take them out).
well win phone maybe but apple? e.g. the iphone 4s came iirc up to ios 9 which is quite some way and a lot longer than most of the androids.
@schoen @kelunik @bmw @jsha @jcjones
I was checking the stats at https://letsencrypt.org/stats/ and see last 24hrs still alot of simpleHttp verifications compared to http-01. As i understand it simpleHttp is going away and new LE client uses http-01. So this infers that alot of folks are still running outdated LE clients ?
Any planned mechanisms in place to ensure and inform LE users to update their LE clients to keep updated ?
does the LE client have itâs own version number it can report ? maybe add to https://letsencrypt.org/stats/ LE client version stats as a reminder for folks to update too
Would be nice to have some kind of user agent logging to know which clients are used. Actually I like the simpleHttp spec currently better, but thereâs always an issue for that on GitHubâŚ
1 Like
We donât need a flag, the client already knows which plugin is used and could report that in the user-agent header.
1 Like
but a flag for tracking 3rd party client implementations which wish to pass on their identification to LE servers ?
3rd party implementations donât use the client at all.
by the way whereâs the difference between simpleHTTP and http01, both were iirc some kind of webroot werent they?
yeah but was thinking about tracking 3rd party implemented / obtained cert stats
so on stats page you can see how many ssl certificates are obtained from various 3rd party implementations as well so gives you an idea of popularity of 3rd party vs official LE client implementations
Yes, thatâs what a user-agent in HTTP is actually designed for.
1 Like
http-01 doesnât allow the tls challenge property and requires http:// instead of either http:// or https:// (default is tls: true in simpleHttp).
1 Like
so HTTP-01 will have problems on the HTTPS-only domains I use? (or does it still follow HTTP to HTTPS redirects) too bad. the question that I wanna know is, what is used with manual mode?
[quote=âkelunik, post:24, topic:2071, full:trueâ]
Yes, thatâs what a user-agent in HTTP is actually designed for.
[/quote] @kelunik ah i see
It still follows any redirects, at least currently. However, there was this commit: https://github.com/ietf-wg-acme/acme/commit/3f8604cf02ab740c16c495e563f3619d59496409
1 Like
so now they try to kill HTTPS and self-signed certs as a intermediate step before getting LE? too bad.
if HTTP is allowed then Self signed and HTTPS should also be allowed.
IIRC the simpleHttps https verification had a security issue which forced the change to http - not entirely sure itâs discussed in some of the LE github issues
edit: found them at https://github.com/letsencrypt/letsencrypt/issues/1343 and https://github.com/ietf-wg-acme/acme/pull/7
oh and https://mailarchive.ietf.org/arch/msg/acme/B9vhPSMm9tcNoPrTE_LNhnt0d8U
[Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webserversâ default virtual host semantics
Apache (and I gather nginx too) have the subtle and non-intuitive
behaviour that if a default TLS/HTTPS virtual host is not configured
explicitly, one will be selected based on the ordering of vhosts in the
webserver configuration (in practice, this often amounts to alphabetical
ordering of files in a configuration directory).
https://serverfault.com/questions/458106/apache2-default-vhost-in-alphabetical-order-or-override-with-default-vhost
https://serverfault.com/a/180956
This creates a vulnerability for SimpleHTTP and DVSNI in any
multiple-tenant virtual hosting environment that failed to explicitly
select a default vhost [1]. The vulnerability allows one tenant
(typically one with the alphabetically lowest domain name â a situation
that may be easy for an attacker to arrange) to obtain certificates for
other tenants. The exact conditions for the vulerability vary:
- SimpleHTTP is vulnerable if no default vhost is set explicitly, the
server accepts the âtlsâ: true parameter as currently specified, and
the domains served over TLS/HTTPS are a strict subset of those served over
HTTP.
- DVSNI is vulnerable if no default vhost is set explicitly, and the
hosting environment provides a way for tenants to upload arbitrary
certificates to be served on their vhost.
1 Like
list of 3rd party clients is growing at List of Client Implementations so hopefully concerns about fragmentation and keeping up with official LE client changes is low
example Conceptual Issues with operational handling of letsencrypt