Why does HTTP validation have to be done on port 80?


I’ve been reading through the ACME spec, and I noticed that HTTP validation MUST be done over port 80 (and 443 for https). Why is this? The important thing is that the ACME server connects to the correct IP for the server whose identity is to be validated. The port number would seem to be irrelevant. Having to connect to one of these standard web port numbers for validation is quite annoying as it obviously clashes with any existing web service on those ports; it would be more convenient if an admin could set up a custom port for this validation that didn’t require it to be integrated with the existing web service (something that is bound to be more complicated than just running a dedicated ACME client to respond on a custom port).

Does anyone know what the rationale was for requiring validation to be done over port 80 or 443?

Verification on non standard port 80

Not all ports are considered sufficient to demonstrate domain ownership. Validation on port 80 or 443 demonstrates that you can make arbitrary modifications to a website’s content - with websites being the main use-case for the Web PKI. That’s still not as good as DNS verification (as any vulnerability that allows an attacker to write arbitrary files to the webroot would give the attacker a valid certificate), but it’s a reasonable usability trade-off. Allowing any port would make it way easier for attackers, and way harder for network administrators to lock down their domains in a way that doesn’t give anyone running a network service behind those domains a way to obtain a certificate.

The shorter answer is: because the Baseline Requirements say so, and that’s what Let’s Encrypt has to follow if they want to keep their trusted root status. The BRs define a small set of Authorized Ports (including HTTP/HTTPS, and a couple of others like SSH - with HTTP/HTTPS being the least controversial ones) which may be used for domain validation.

(Technically, this part of the Baseline Requirements is currently in a patent-induced heisenstate, but let’s - for the sake of everyone’s sanity - ignore that aspect.)
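The flow the answer describes, from the CA's side, as an added example (it is not code from this thread, from Let's Encrypt, or from any ACME implementation): the client supplies only a bare DNS name, the CA computes the expected key authorization (RFC 8555 section 8.1), and it connects on the fixed HTTP-01 port rather than a port of the client's choosing. Every name here (`validate_http01`, `default_fetch`, `ChallengeHandler`, `demo`) is an assumption of this example, the JWK and token are constructed values, and because a sandbox cannot bind port 80 the demo swaps in a loopback transport that stands in for "resolve the name and connect to port 80".

```python
"""Minimal model of ACME HTTP-01 validation (RFC 8555 section 8.3) from the CA side."""
import base64
import hashlib
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTP01_PORT = 80  # fixed by RFC 8555 section 8.3; the ACME client cannot choose it
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required JWK members.
    Assumes the caller passes only the required members of the key type."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def default_fetch(host: str, port: int, path: str) -> str:
    """Real transport: plain HTTP GET to the host on the port the CA chose."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        if resp.status != 200:
            raise ValueError(f"challenge URL returned HTTP {resp.status}")
        return resp.read().decode()
    finally:
        conn.close()


def validate_http01(identifier: str, token: str, jwk: dict, fetch=default_fetch) -> bool:
    """Return True if the challenge resource on the CA-chosen port holds the key authorization."""
    # The identifier must be a bare DNS name: "example.com:8080" would let the
    # client pick the port, which is exactly what the authorized-port rule forbids.
    if ":" in identifier or "/" in identifier:
        raise ValueError("identifier must be a bare DNS name; the CA chooses the port")
    expected = key_authorization(token, jwk)
    body = fetch(identifier, HTTP01_PORT, CHALLENGE_PREFIX + token)
    # RFC 8555 section 8.3: whitespace after the body is ignored, nothing else is.
    return body.rstrip() == expected


class ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for the site being validated; `responses` is filled by the client side."""
    responses: dict = {}

    def do_GET(self):
        body = self.responses.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> dict:
    """Constructed scenario: correct body passes, wrong body fails, port in identifier is rejected."""
    jwk = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}  # constructed
    token = "constructed-token-abc123"  # constructed
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    local_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        def sandbox_fetch(host, port_requested, path):
            # The validator still asks for port 80; only the sandbox transport differs.
            assert port_requested == HTTP01_PORT
            return default_fetch("127.0.0.1", local_port, path)

        ChallengeHandler.responses[CHALLENGE_PREFIX + token] = key_authorization(token, jwk) + "\n"
        ok = validate_http01("example.test", token, jwk, fetch=sandbox_fetch)
        ChallengeHandler.responses[CHALLENGE_PREFIX + token] = "not-the-key-authorization"
        bad = validate_http01("example.test", token, jwk, fetch=sandbox_fetch)
        try:
            validate_http01("example.test:8080", token, jwk, fetch=sandbox_fetch)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        server.shutdown()
        server.server_close()
    return {"correct_passes": ok, "wrong_fails": not bad, "port_in_identifier_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The design point is the separation between what the ACME client controls (the token it was given and the content it serves) and what the CA controls (name resolution and the port). Moving the port into the client's hands, as the question proposes, would mean anyone able to bind an arbitrary high port on the host could answer the challenge, which is the "anyone running a network service behind those domains" concern in the answer.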

