Wandering Thoughts archives

2023-12-15

What /.well-known/ URL queries people make against our web servers

WebFinger (RFC 7033) is a general web protocol for obtaining various sorts of information about 'people' and things, including someone's OpenID Connect (OIDC) identity provider. For example, if you want to find things out about 'brad@example.org', you can make an HTTPS query to example.org for /.well-known/webfinger?resource=acct%3Abrad%40example.org and see what you get back (the ':' and '@' in the account identifier are percent-encoded, which is also how the query shows up in server logs). WebFinger is on my mind lately as part of me dealing with OIDC and other web SSO stuff, so I became curious to see if people out there (i.e., spammers) were trying to use it to extract information from us.
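What such a query and its answer look like from the client side, as an added example (not code from the original post): build the WebFinger URL for an acct: identifier and pull the OIDC issuer out of the JSON Resource Descriptor (JRD) that comes back, the way an OIDC client doing issuer discovery would. The JRD document below is a constructed sample, the host names are assumptions, and no network request is made.

```python
"""Build a WebFinger query for an acct: identifier and extract the OIDC
issuer from a JRD answer, as an OIDC client doing discovery would.

Added example for this post, not the author's code.  SAMPLE_JRD is a
constructed sample response; example.org and idp.example.org are
assumed names and nothing here touches the network.
"""
import json
from urllib.parse import quote, urlsplit

# Link relation an OIDC client asks WebFinger for (OIDC Discovery 1.0, section 2).
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_host(resource):
    """Host to query for a resource: the part after the last '@' for acct:
    URIs, the URL host for http(s) URIs (RFC 7033 section 4)."""
    if resource.startswith("acct:"):
        _user, sep, host = resource[len("acct:"):].rpartition("@")
        if not sep or not host:
            raise ValueError("acct: resource needs a host part: %r" % resource)
        return host
    if resource.startswith(("http://", "https://")):
        host = urlsplit(resource).hostname
        if not host:
            raise ValueError("URL resource has no host: %r" % resource)
        return host
    raise ValueError("unsupported resource scheme: %r" % resource)


def webfinger_url(resource, rel=None):
    """WebFinger is always fetched over HTTPS.  The resource (and optional
    rel) are percent-encoded, so ':' and '@' become %3A and %40."""
    url = "https://%s/.well-known/webfinger?resource=%s" % (
        webfinger_host(resource), quote(resource, safe=""))
    if rel is not None:
        url += "&rel=" + quote(rel, safe="")
    return url


def oidc_issuer_from_jrd(jrd_text, resource):
    """Return the OIDC issuer href from a JRD document, or None.

    The JRD's subject must be the resource we asked about (or list it as
    an alias, RFC 7033 section 4.4.1) so a server cannot answer about
    somebody else, and the issuer must be an https URL without query or
    fragment, as OIDC Core requires of issuer identifiers.
    """
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource and resource not in jrd.get("aliases", []):
        return None
    for link in jrd.get("links", []):
        if link.get("rel") != OIDC_ISSUER_REL:
            continue
        href = link.get("href")
        if not href or not href.startswith("https://"):
            continue
        parts = urlsplit(href)
        if parts.query or parts.fragment:
            continue
        return href
    return None


# Constructed sample JRD, as example.org might answer the query above.
SAMPLE_JRD = json.dumps({
    "subject": "acct:brad@example.org",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://example.org/~brad"},
        {"rel": OIDC_ISSUER_REL, "href": "https://idp.example.org"},
    ],
})


if __name__ == "__main__":
    resource = "acct:brad@example.org"
    print(webfinger_url(resource, OIDC_ISSUER_REL))
    print(oidc_issuer_from_jrd(SAMPLE_JRD, resource))
```

The subject check matters in practice: a WebFinger server that hands back a JRD for a different subject (or an issuer on some other host) is exactly what an attacker who controls a look-alike domain would want a careless OIDC client to accept.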

WebFinger is just one of a number of things that live under '/.well-known/<something>'; another famous one is Let's Encrypt's HTTP based challenge (HTTP-01), which looks for /.well-known/acme-challenge/<TOKEN> (over HTTP, not HTTPS, although I believe it accepts HTTP to HTTPS redirects). So I decided to look for general use of /.well-known/ to see what came up, and to my surprise there was rather more than I expected.

The official registry for this is Well-Known URIs at IANA. On the web server for our normal email domain (which is not our web server), by far the most common query was for '/.well-known/carddav', documented in RFC 6764. After that I saw some requests for '/.well-known/openpgpkey/policy', which comes from the OpenPGP Web Key Directory draft but isn't an officially registered thing yet. Then there were a number of requests for '/.well-known/traffic-advice' from "Chrome Privacy Preserving Prefetch Proxy". This too isn't officially registered and is only loosely documented, scattered across Chrome's own material, a question and answers thread, and a blog entry. Apparently this is a pretty recent thing, probably dating from August 2023. Somewhat to my surprise, I couldn't see any use of WebFinger across the past week or so.

On our actual web server, the picture is a bit different. The dominant query is for '/.well-known/traffic-advice', and then after that we get what look like security probes for several URLs:

/.well-known/class.api.php
/.well-known/pki-validation/class.api.php
/.well-known/pki-validation/cloud.php
/.well-known/pki-validation/
/.well-known/acme-challenge/class.api.php
/.well-known/acme-challenge/atomlib.php
/.well-known/acme-challenge/cloud.php
/.well-known/acme-challenge/
/.well-known/

(Although '/.well-known/pki-validation' is a registered Well-Known URI, used by some CAs for domain validation, I believe this use of it is as much of a security probe as the pokes at acme-challenge are; nothing legitimate under either directory ends in '.php'.)
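One way to do this sort of sifting systematically, as an added example rather than the post's own tooling: parse combined-format access log lines, tally the first path segment under /.well-known/, and flag requests that look like probes (script suffixes, path traversal, bare directory fetches of acme-challenge or pki-validation, and acme-challenge paths whose last segment isn't shaped like an ACME token). The log lines are constructed for illustration, and the set of "registered" names is a hand-picked subset of the IANA registry, not the whole list.

```python
"""Tally /.well-known/ requests in Apache/nginx combined-format logs and
flag the ones that look like probes rather than real clients.

Added example for this post, not the author's own tooling.  SAMPLE_LOG is
constructed for illustration, and REGISTERED is a hand-picked subset of
the IANA Well-Known URIs registry (assumption: not exhaustive).
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Combined log format:
#   host ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Names registered with IANA (hand-picked subset).  The ones the post says
# are unregistered (traffic-advice, openpgpkey, autoconfig) are left out.
REGISTERED = {
    "acme-challenge", "pki-validation", "carddav", "caldav", "webfinger",
    "security.txt", "assetlinks.json", "openid-configuration", "host-meta",
    "change-password", "mta-sts.txt",
}

# Nothing legitimate under /.well-known/ is served with one of these suffixes.
SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp", ".cgi")

# ACME HTTP-01 tokens are base64url with at least 128 bits of entropy
# (RFC 8555 section 8.3), so 22+ characters from the base64url alphabet.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def parse_log_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode percent-escapes so things like
    # "%2e%2e" show up as ".." when we look for traversal.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    return rec


def classify(path):
    """Classify one /.well-known/ path.

    Returns (name, registered, probe): name is the first segment under
    /.well-known/ ("" for the bare directory), registered says whether it is
    in our subset of the IANA registry, and probe is True when the request
    looks like an attack probe rather than a real client.
    """
    prefix = "/.well-known/"
    if not path.startswith(prefix):
        raise ValueError("not a well-known path: %r" % path)
    parts = path[len(prefix):].split("/")
    name = parts[0]
    tail = [p for p in parts[1:] if p]        # segments after the name
    probe = (
        path.lower().endswith(SCRIPT_SUFFIXES)  # class.api.php, cloud.php, ...
        or ".." in parts                        # path traversal attempt
        or name == ""                           # GET /.well-known/ itself
        or (name in ("acme-challenge", "pki-validation") and not tail)
        or (name == "acme-challenge" and not ACME_TOKEN_RE.match(tail[0]))
    )
    return name, name in REGISTERED, probe


def summarize(lines):
    """Count well-known requests by name; collect (host, path, ua) for probes."""
    by_name = Counter()
    probes = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].startswith("/.well-known/"):
            continue
        name, _registered, probe = classify(rec["path"])
        by_name[name] += 1
        if probe:
            probes.append((rec["host"], rec["path"], rec["ua"]))
    return by_name, probes


# Constructed sample log lines (addresses from the documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Dec/2023:10:01:02 -0500] "GET /.well-known/traffic-advice HTTP/1.1" 404 196 "-" "Chrome Privacy Preserving Prefetch Proxy"
192.0.2.11 - - [14/Dec/2023:10:02:03 -0500] "GET /.well-known/carddav HTTP/1.1" 404 196 "-" "DAVx5/4.3"
198.51.100.7 - - [14/Dec/2023:10:03:04 -0500] "GET /.well-known/acme-challenge/class.api.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2023:10:03:05 -0500] "GET /.well-known/pki-validation/cloud.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2023:10:03:06 -0500] "GET /.well-known/acme-challenge/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2023:10:03:07 -0500] "GET /.well-known/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2023:10:04:08 -0500] "GET /.well-known/acme-challenge/nEWPxc3kZ8u9hE3DdQ7g4hVo6Gf2KmaUZY8XkYvL4YQ HTTP/1.1" 200 87 "-" "ACME validation client (constructed UA)"
203.0.113.9 - - [14/Dec/2023:10:05:09 -0500] "GET /.well-known/webfinger?resource=acct%3Abrad%40example.org HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.9 - - [14/Dec/2023:10:05:10 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/8.4.0"
"""


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        print("%5d  %-20s %s" % (n, name or "(bare)",
                                 "registered" if name in REGISTERED else "unregistered"))
    print("probes:")
    for host, path, ua in probes:
        print("  %-14s %-45s %s" % (host, path, ua))
```

The token-shape check is the useful one: a real HTTP-01 validation request always carries a long base64url token, so anything else under acme-challenge can be treated as noise, and a trailing '.php' under either directory is a reliable signal that the client is hunting for a dropped webshell rather than performing domain validation.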

There was a bit of use of '/.well-known/assetlinks.json' and '/.well-known/security.txt', and a long tail of other things, only a few of them registered (and some of them possibly less obviously malicious than people looking for '.php' URLs).

(We did see some requests for Thunderbird's '/.well-known/autoconfig/mail/config-v1.1.xml', which perhaps we should support, although writing and validating a configuration file looks somewhat complicated.)

There weren't that many requests overall, which isn't really surprising given that we HTTP 404'd all of them. What's left is likely to be the residual automation that blindly tries no matter what, plus some degree of automated probing from attackers. I admit I'm a bit sad not to have found any for WebFinger itself, because it would be a bit nifty if attackers were trying to mine that (or if we had people probing for OIDC IdPs, or some other WebFinger use).

web/WellKnownQueriesAgainstUs written at 23:05:46;

