5

LetsEncrypt allows you to verify ownership of your domain using the .well-known thing, but since the site is http before the first certificate is issued, couldn't somebody do an MITM attack to give letsencrypt the response it wants without actually owning the domain? I'm pretty sure the people at LE know what they're doing, I just want to know how it works.

EDIT:

To clarify, I am talking about spoofing the entire process, not just guessing the nonce used after a legitimate owner begins the process. I am talking about an attacker running certbot and doing the entire thing.

  • Doesn't Let's Encrypt use (untrusted) HTTPS for the verification? Of course this first connection isn't more secure than plain HTTP but it's *technically* HTTPS. – Arminius May 04 '17 at 04:45
  • Also, [this thread](https://community.letsencrypt.org/t/is-it-safe-to-use-http-in-domain-validation/22570) is discussing that issue. – Arminius May 04 '17 at 04:52
  • 1
    Yes this is a risk with online based DV. CAs have to mitigate this, for example by using multiple routes to the destination IP for the verification calls. – eckes May 05 '17 at 06:31
  • If I understand this right, the duplicate isn't talking about guessing the nonce. It is talking about MITM Lets Encrypt which is what you ask as well. – Anders May 05 '17 at 07:24

1 Answers1

3

couldn't somebody do an MITM attack to give letsencrypt the response it wants without actually owning the domain?

Yes, someone who knows the response Let's Encrypt expects could provide it. But, the response is created by using a private key only known to the owner of the server where the matching public key is known by Let's Encrypt. Thus it is practically impossible for some man in the middle to guess the correct response.

For more details see How It Works from Let's Encrypt which includes the following description:

Along with the challenges, the Let’s Encrypt CA also provides a nonce that the agent must sign with its private key pair to prove that it controls the key pair.

Of course, if the attacker fully controls access to the domain he can create a new account with Let's Encrypt and get a certificate for this domain. But in this case the attacker is essentially owning the domain not only from the perspective of Let's Encrypt but also other third parties.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 1
    As I understand it, the question is more about MITM-ing an *entire* verification process which wouldn't require an attacker to guess any nonces. – Arminius May 04 '17 at 04:57
  • @Arminius: in my opinion the question clearly is about the process which verifies the challenge (reference to `.well-known` suggests this). In this case the attacker must not guess the nonce (which is probably visible in the HTTP request) but he must know the private key of the domain owner which is used to sign the nonce. – Steffen Ullrich May 04 '17 at 05:04
  • @Arminius understands what I am asking. – markasoftware May 04 '17 at 23:37
  • @Markasoftware: in this case see the last paragraph of the answer, i.e. the attacker essentially owns the domain and therefore can get certificates for it. This is not limited to Let's Encrypt but is the same with most or even all domain validation methods. – Steffen Ullrich May 05 '17 at 04:24