
The way the http-01 challenge in ACME mitigates this is by not putting the whole token they'll look for in the request. Basically, they request example.com/.well-known/acme-challenge/<random_token>, and the request body has to be <random_token>+<account_key_fingerprint> for the challenge to pass. Since the account key fingerprint is not part of the request, the 404 page echoing back the token would not be enough (even if it's a 404-served-as-200).
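The check described in the comment above, as an added example that is not part of the original post. It follows RFC 8555, where the expected body is the token joined by "." to the RFC 7638 thumbprint of the account key. The keys, token and responder functions are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 required members per key type; they are hashed in sorted order.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_passes(token: str, account_jwk: dict, body: str) -> bool:
    # RFC 8555 lets the validator ignore trailing whitespace in the body.
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.rstrip().encode(), expected.encode())

# --- constructed sample data (not real keys) ---
ACCOUNT_KEY = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_KEY = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}
TOKEN = "constructed-token-0123456789abcdef"
PATH = f"/.well-known/acme-challenge/{TOKEN}"

def reflecting_404(path: str) -> str:
    # Error page served with status 200 that echoes the requested path.
    return f"Not found: {path}"

def bare_echo(path: str) -> str:
    # Worst case: the site returns exactly the last path segment.
    return path.rsplit("/", 1)[-1]

def provisioned(path: str) -> str:
    # Site owner wrote the key authorization for their own account key.
    return key_authorization(TOKEN, ACCOUNT_KEY) + "\n"

if __name__ == "__main__":
    for name, fn in [("reflecting 404", reflecting_404),
                     ("bare echo", bare_echo), ("provisioned", provisioned)]:
        print(name, http01_passes(TOKEN, ACCOUNT_KEY, fn(PATH)))
```

Only the provisioned responder passes; a body written for one account key also fails validation for any other account.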
