←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
315 points Bogdanp | 2 comments | 25 Jun 25 16:21 UTC | HN request time: 0.404s | source
Show context
lq9AJ8yrfs ◴[25 Jun 25 17:56 UTC] No.44380076[source]
So all the addressing bodies (e.g., ISPs and cloud providers) are on board then right? They sometimes cycle through IP's with great velocity. Faster than 6 days at least.

Lots of sport here, unless perhaps they cool off IPs before reallocating, or perhaps query and revoke any certs before reusing the IP?

If the addressing bodies are not on board then it's a user responsibility to validate the host header and reject unwanted IP address based connections until any legacy certs are gone / or revoke any legacy certs. Or just wait to use your shiny new IP?

I wonder how many IP certs you could get for how much money with the different cloud providers.

replies(8): >>44380307 #>>44380480 #>>44380529 #>>44381336 #>>44381990 #>>44382179 #>>44383267 #>>44385523 #
Hizonner ◴[25 Jun 25 18:33 UTC] No.44380480[source]
> So all the addressing bodies (e.g., ISPs and cloud providers) are on board then right? They sometimes cycle through IP's with great velocity. Faster than 6 days at least.

... or put multiple customers on the same IP address at the same time. But presumably they wouldn't be willing to complete the dance necessary to actually get certs for addresses they were using that way.

Just in case, though, it's probably a good idea to audit basically all software everywhere to make sure that it will not use IP-based SANs to validate connections, even if somebody does, say, embed a raw IP address in a URL.

This stuff is just insanity.

replies(2): >>44381003 #>>44382764 #
schoen ◴[25 Jun 25 19:26 UTC] No.44381003[source]
There was a prior concern in the history of Let's Encrypt about hosting providers that have multiple customers on the same server. In fact, phenomena related to that led to the deprecation of one challenge method and the modification of another one, because it's important that one customer not be able to pass CA challenges on behalf of another customer just because the two are hosted on the same server.

But there was no conclusion that customers on the same server can't get certificates just because they're on the same server, or that whoever legitimately controls the default server for an IP address can't get them.

This would be a problem if clients would somehow treat https://example.com/ and https://96.7.128.175/ as the same identifier or security context just because example.com resolves to 96.7.128.175, but I'm not aware of clients that ever do so. Are you?

If clients don't confuse these things in some automated security sense, I don't see how IP address certs are worse than (or different from) certs for different customers who are hosted on the same IP address.

replies(4): >>44381193 #>>44381223 #>>44381268 #>>44381407 #
1. xg15 ◴[25 Jun 25 19:50 UTC] No.44381223[source]
So in the case of multiple users behind a NAT, the cert for 96.7.128.175 would identify whichever party has control over the 443 port on that address?
replies(1): >>44384060 #
2. schoen ◴[26 Jun 25 03:56 UTC] No.44384060[source]
Yes (if the TLS-ALPN-01 challenge method was used). The CA/B Forum Baseline Requirements currently permit proof of control using any of four specified ports

> Authorized Ports: One of the following ports: 80 (http), 443 (https), 25 (smtp), 22 (ssh).

Let's Encrypt uses only port 80 and 443.

This is the same for certificates for domain names and for IP addresses.