kctf.cloud needs to be on the PSL

Question

kctf.cloud needs to be on the PSL

sroettger opened this issue 3 years ago · 4 comments

For two reasons:

web challenges could have unintended solutions
we will hit a rate limit of letsencrypt

Answer 1 · 2021-04-09T11:21:18.000Z

I sent the PR. Interestingly, since some tasks require Cookie isolation and Same-Site-ness, it appears that this is now a hard requirement for security due to Spectre!

Answer 2 · 2021-04-12T08:16:10.000Z

For reference, pull request is here: publicsuffix/list#1272

Answer 3 · 2021-04-17T03:52:26.000Z

For reference, pull request is here: publicsuffix/list#1272

(I am one of the PSL volunteers)

Noticed Let's Encrypt limits mentioned above... best not to use PSL as workaround to that, but rather to coordinate this directly with Let's Encrypt, https://letsencrypt.org/docs/rate-limits/#a-id-overrides-a-overrides and that link is where we refer people to for that specific need.

Answer 4 · 2021-04-27T08:57:01.000Z

Ah, thank you for the link Jothan! That will help us with the letsencrypt problem, though the other part will still stand that the web challenges hosted under kctf.cloud will be same-site.
So many web challenges will have unintended solutions, for example by using spectre to leak secrets (as in https://leaky.page)