Validation Hacking

I am about to start using Let's Encrypt, but I have found a policy problem, unless the rate limit document is stating something wrong.

I have seen that people get a “Forbidden” error if there are too many pending validations on their domain. Now, what if a hacker creates a Let's Encrypt account and performs hundreds of DNS validations? When I then try to request a DNS validation, will I always get a Forbidden error because the hacker is abusing the validation limits?

To test this, I tried various domains, for example google.com (for this I got a forbidden error); for agoogle.com I didn't get any error, and I don't own that one either.

Are failed validation limits only applicable within the scope of an individual account, or do they apply to the entire domain name?

So if too many validation errors occur for one account, can I create a new account and do validations? If not, someone else could purposely harm us by requesting multiple validations.

Yes, that's right.

There is no practical way to lock somebody else out in this way.

Besides attacking their web/DNS infrastructure directly, I guess.

If that is so, can a user bypass the limits simply by creating a new account and issuing all certificates?

Yes - you can evade the Failed Validation rate limit by registering a new account. At least, up until you encounter the Account Registration rate limit.

A well-behaved user would use the staging environment to debug their failed validations, which provides a much higher Failed Validation rate limit.

@_az My concern is only about being locked out by a hacker/malicious user. I am sure that if Stack Overflow is using it, then there must be some way to not get locked out. I want to make sure I am not missing a necessary security step before jumping onto Let's Encrypt.

The only way to be locked out is if the hacker is able to successfully issue many certificates for your domain. That rate limit counts across all accounts.

But that requires the hacker to have control of your domain in the first place, which is game over anyway.

Of course, the protocol authors thought of your concerns already :slight_smile: .

1 Like

A new account isn't even necessary: a malicious user wouldn't be able to use the user's account anyway, unless their server is hacked. But then you've got bigger problems than an authorization rate limit.

@Osiris I know about the pending authorization rate limit; my point is, if someone else continuously creates new random accounts and tries to authorize my domains, will I be affected? I am not the one who is creating more pending authorizations.

As those limits are on an account basis, there is no way you can be locked out that way, unless a hacker has access to your account and IP: the former because that way a hacker could use "up" any limit coupled to your account, the latter because that way a hacker could continuously register new accounts, rate limiting account creation for your IP address.
Needless to say your problems are bigger than just a new certificate if a hacker has access to your server.

1 Like
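Added example, not code from this thread or from Let's Encrypt itself: a small Python model of rate limiters keyed the way the replies describe. Failed validations are counted per (account, hostname), issued certificates per registered domain across all accounts, and registrations per source IP. The threshold values, the one-hour/one-week/three-hour windows, the `ModelCA` class, the `controls` table standing in for real DNS/HTTP control, and the naive `registered_domain` helper are all assumptions made for the demo. The scenario shows that a third party's hundred failed validations exhaust only their own budget, that the victim still issues normally, and that the cross-account certificates-per-domain limit can only be consumed by someone who actually passes validation for the domain.

```python
from collections import defaultdict, deque

# Illustrative thresholds and windows for this model (assumptions for the demo,
# not Let's Encrypt's published values).
FAILED_VALIDATION_LIMIT = 5            # per (account, hostname), per hour
FAILED_VALIDATION_WINDOW = 3600
CERTS_PER_DOMAIN_LIMIT = 50            # per registered domain, across accounts, per week
CERTS_PER_DOMAIN_WINDOW = 7 * 24 * 3600
REGISTRATIONS_PER_IP_LIMIT = 10        # per source IP, per 3 hours
REGISTRATIONS_PER_IP_WINDOW = 3 * 3600


class SlidingWindowLimiter:
    """Counts timestamped events per key; refuses once a key has `limit` events within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def allow(self, key, now):
        self._prune(key, now)
        return len(self.events[key]) < self.limit

    def record(self, key, now):
        self._prune(key, now)
        self.events[key].append(now)


def registered_domain(hostname):
    # Naive stand-in for the public-suffix lookup a real CA performs: keep the last two labels.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


class ModelCA:
    def __init__(self):
        self.failed = SlidingWindowLimiter(FAILED_VALIDATION_LIMIT, FAILED_VALIDATION_WINDOW)
        self.issued = SlidingWindowLimiter(CERTS_PER_DOMAIN_LIMIT, CERTS_PER_DOMAIN_WINDOW)
        self.registrations = SlidingWindowLimiter(REGISTRATIONS_PER_IP_LIMIT, REGISTRATIONS_PER_IP_WINDOW)
        # Constructed stand-in for real DNS/HTTP control: which accounts can answer a hostname's challenge.
        self.controls = defaultdict(set)
        self.next_id = 0

    def register(self, source_ip, now):
        if not self.registrations.allow(source_ip, now):
            return None
        self.registrations.record(source_ip, now)
        self.next_id += 1
        return f"acct-{self.next_id}"

    def validate(self, account, hostname, now):
        key = (account, hostname)  # failures are scoped to the requesting account, not the hostname alone
        if not self.failed.allow(key, now):
            return "rateLimited"
        if account in self.controls[hostname]:
            return "valid"
        self.failed.record(key, now)
        return "invalid"

    def issue(self, account, hostname, now):
        domain = registered_domain(hostname)
        if not self.issued.allow(domain, now):   # this limit counts across all accounts
            return "rateLimited"
        status = self.validate(account, hostname, now)
        if status != "valid":
            return status
        self.issued.record(domain, now)
        return "issued"


def scenario():
    ca = ModelCA()
    t = 1_000_000.0
    victim = ca.register("203.0.113.10", t)
    ca.controls["example.com"].add(victim)          # the victim legitimately controls example.com

    # A third party registers as many accounts as the per-IP limit allows and fails validation repeatedly.
    attacker_ip = "198.51.100.7"
    attacker_accounts = [a for a in (ca.register(attacker_ip, t) for _ in range(20)) if a]
    attacker = attacker_accounts[0]
    attacker_results = [ca.validate(attacker, "example.com", t) for _ in range(100)]
    victim_issue_before = ca.issue(victim, "example.com", t + 1)

    # Hypothetical domain takeover: only now can the cross-account per-domain limit be consumed.
    t2 = t + FAILED_VALIDATION_WINDOW + 1
    ca.controls["example.com"].add(attacker)
    attacker_issue = [ca.issue(attacker, "example.com", t2) for _ in range(50)]
    victim_issue_after = ca.issue(victim, "example.com", t2 + 1)

    return {
        "attacker_accounts": len(attacker_accounts),
        "attacker_invalid": attacker_results.count("invalid"),
        "attacker_rate_limited": attacker_results.count("rateLimited"),
        "victim_issue_before": victim_issue_before,
        "attacker_issued": attacker_issue.count("issued"),
        "victim_issue_after": victim_issue_after,
    }


if __name__ == "__main__":
    print(scenario())
```

The design point is the limiter key: because `validate` counts failures under `(account, hostname)`, the attacker's 95 rate-limited attempts never touch the victim's budget, which is exactly the per-account scoping the replies describe. The per-domain issuance limiter is keyed on the domain alone, but it only advances after a successful validation, so it can only be drained by an account that controls the name.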
