#2455 Prevent SSL connection redirection attacks among Fedora servers
Closed: Fixed 2 years ago Opened 8 years ago by mattmccutchen.

= phenomenon =
The https://lists.fedoraproject.org server bears a certificate valid for *.fedoraproject.org and will respond to a connection with https://lists.fedoraproject.org content even if the client indicates via ''both'' SNI and the HTTP Host header that it wants https://admin.fedoraproject.org . As a result, a network attacker can redirect a connection bound for admin.fedoraproject.org:443 to lists.fedoraproject.org:443 and cause the client to receive the wrong content. I imagine the same is true for other pairs of Fedora servers; I haven't done extensive testing.

This defeats the integrity property of SSL, though the potential for actual damage depends on what content is at corresponding paths on different servers.

To reproduce:
1. Put this in your /etc/hosts:
{{{ admin.fedoraproject.org
2. Go to https://admin.fedoraproject.org/ in Firefox.

= recommendation =
One approach is to set up a harmless default virtual host on each server that, for example, responds to every request with 403 Forbidden and an explanatory message. If you'd prefer that old clients that use neither SNI nor HTTP Host remain functional and vulnerable, that's possible but might require an enhancement to Apache.

I discovered this issue in the course of [http://www.ietf.org/mail-archive/web/tls/current/msg07126.html discussion on the IETF TLS list].

https://admin.fedoraproject.org/mailman/listinfo and https://lists.fedoraproject.org/mailman/listinfo are both valid.

when we deployed mailman we used the web address lists.fedoraproject.org for other things. https://admin.fedoraproject.org/mailman/listinfo is actually the canonical url.

Replying to [comment:1 ausil]:

https://admin.fedoraproject.org/mailman/listinfo and https://lists.fedoraproject.org/mailman/listinfo are both valid.

Yes, but more generally, the two servers are not interchangeable (e.g., https://admin.fedoraproject.org/ and https://lists.fedoraproject.org/ redirect to different places).

As far as I can see this is now fixed.

We moved lists behind the same proxies that admin is behind a while back when we migrated to mailman3. I don't think we have any other redirects under admin that could behave the same way.

If you see any cases, please let us know...

@kevin changed the status to Closed

2 years ago

Login to comment on this ticket.