Is the ACME HTTP-01 challenge secure against MITMs?

Many certificate authorities these days use the ACME protocol to automate the process of certificate issuance. This includes verifying that the applicant is the owner of the domain. And the most common way of doing this is via the HTTP-01 challenge, which challenges the applicant to serve up a given token from a server over HTTP.

But my question is, if HTTPS is what provides authentication and non-repudiation for the web, how can HTTP, a protocol without these features, be used to bootstrap HTTPS? How does the certificate authority know that the server serving up the challenge token is indeed at the IP address that it says it’s at? Isn’t this challenge vulnerable to a MITM attack, the very thing that HTTPS seeks to prevent?

How would a major buff ability effect challenge rating (stat block modified)

I’m homebrewing a creature that has the ability to summon things that buff its attacks and gives it resistances/immunities. The stat block is shown below.

Toadstool

Huge monstrosity, unaligned

Armor Class 17 (Natural Armor) Hit Points 479 (29d12+290) Speed 15 ft.

STR 24(+7) DEX 10(+0) CON 30(+10)INT 3(-4) WIS 10(+0) CHA 7(-2)

Saving Throws STR +14, CON +15, WIS +7

Skills Intimidation +17, Perception +14

Damage Immunities Poison Condition Immunities Blinded, Deafened, Frightened, Poisoned Senses Darkvision 60ft., Passive Perception 14 Languages — Challenge 24 (62,000 XP)

Amphibious. The toadstool can breathe air and water.
Fungal Body. Any critical hit against the toadstool counts as a normal hit.
Buff. The toadstool becomes more powerful depending on the number of sporecaps summoned, as seen below.
1-4: The toadstool deals an extra 1d10 poison damage on all attacks, it can release an extra boomshroom.
5-7: The toadstool deals an extra 2d10 poison damage on attacks, it gains resistance to all damage from piercing, slashing, & bludgeoning damage from nonmagical attacks, and it can release an extra 2 boomshrooms.
8+: The toadstool deals an extra 3d10 poison damage on attacks, it gains immunity to all damage from piercing, slashing, & bludgeoning damage from nonmagical attacks, resistance to all damage from piercing, slashing, & bludgeoning damage from magical attacks, and it can release an extra 3 boomshrooms. The toadstool must be within 30 feet of the sporecaps in order to gain these benefits.

Actions

Multiattack. The toadstool makes three attacks, one with its bite and two other actions.
Bite. Melee Weapon Attack: +15 to hit, reach 5 ft., one target. Hit: 22 (3d10 + 6) piercing damage, and the target is swallowed if it is a Medium or smaller creature. A swallowed creature is blinded and restrained, has total cover against attacks and other effects outside the toadstool, and takes 10 (3d6) acid damage at the start of each of the toadstool’s turns. The toadstool’s gullet can hold up to two creatures at a time. If the toadstool takes 20 damage or more on a single turn from a creature inside it, the toadstool must succeed on a DC 20 Constitution saving throw at the end of that turn or regurgitate all swallowed creatures, each of which falls prone in a space within 10 feet of the toadstool. If the toadstool dies, a swallowed creature is no longer restrained by it and can escape from the corpse using 10 feet of movement, exiting prone.
Sporecap.(Recharge 4-6) The toadstool can use its action to summon 1d4 sporecaps. Sporecaps are large, tree-size mushrooms. The sporecaps buff the toadstool. The number of sporecaps determines how powerful the toadstool is. These sporecaps have 40 (3d10+24) hit points each.
Boomshroom. The toadstool releases 4 (1d8) Boomshrooms. Boomshrooms are small mushrooms that grow and explode, and any creature within 5 feet of the it takes 12(2d12) poison damage.

Ground Pound. The toadstool can hop on the ground, and any creature within 25 feet of it must succeed on a DC 15 Dexterity saving throw, taking 27(3d12+7) bludgeoning damage on a failed save, or half as much on a successful one. This radius then becomes difficult terrain. The toadstool ignores the difficult terrain.

Legendary Actions

The toadstool can take 3 legendary actions, choosing from the options below. Only one legendary action option can be used at a time and only at the end of another creature’s turn. The toadstool regains spent legendary actions at the start of their turn.

Spore Bomb. The toadstool attaches a spore to a creature of its choice within 20 feet of it. This spore explodes at the end of the target’s next turn, creating a 10-ft radius of necrotic gas for 1 minute. Anyone who enters the space of the cloud takes 13 (3d8) necrotic damage for each round they spend their turn inside the gas.
Ground Pound (Costs 2 actions.) The toadstool uses its ground pound.

How would the buff ability affect challenge rating?

How would a major buffing ability effect challenge rating? [closed]

So I’m homebrewing a creature that has the ability to summon things that buff its attacks and gives it resistances/immunities. The ability is shown below.

Buff. The toadstool becomes more powerful depending on the number of sporecaps summoned, as seen below.

1-4: The toadstool deals an extra 1d10 poison damage on all attacks, it can release an extra boomshroom.

5-7: The toadstool deals an extra 2d10 poison damage on attacks, it gains resistance to all damage from piercing, slashing, & bludgeoning damage from nonmagical attacks, and it can release an extra 2 boomshrooms.

8+: The toadstool deals an extra 3d10 poison damage on attacks, it gains immunity to all damage from piercing, slashing, & bludgeoning damage from nonmagical attacks, resistance to all damage from piercing, slashing, & bludgeoning damage from magical attacks, and it can release an extra 3 boomshrooms.

Each sporecap has 10 hit points. How would this ability effect the final challenge rating? Please help!

How is Challenge Rating (CR) calculated for a mixed group of multiple monsters in regards to the Treasure Table?

I understand that encounters are balanced around exp thresholds in the DMG (e.g. https://rpg.stackexchange.com/a/105360).

With that said, there are loot tables in the DMG 136-139 that have “Challenge Rating” ranges for how loot should be distributed.

I understand CR is not supposed to be summed or multiplied, but if the party kills 20 CR 3 monsters, in the loot table, what would the challenge rating range be for these monetary loots?

As a tangential note: the DMG item loot tables don’t really explain which table to use “A vs B vs J, vs K…”.

How to modify a monster to be a reasonable challenge for a level 1 party?

I was preparing a one-shot adventure for my friends. It will include a fight with a weakened mind flayer and a giant heart which will be the boss of the adventure. The heart will summon gory minions (could be anything, must be suited to the gory theme).

How do I modify the mindflayer to be a reasonable challenge for a level 1 party and what official monster is the closest to a giant pulsing hearth (mabe gibbering mouther?) might still be workable. The party will include four first level player characters consisting of the folk hero fighter, cleric, wizard and a rouge from starter set character sheets. Thanks 🙂

What challenge rating should the Ebondeath stat block have been given?

In the adventure Divine Contention, there’s a creature called Ebondeath, and the adventure provides a stat block for this creature, available on D&DBeyond.

This creature’s stat block appears to be a modified version of the Ghost’s stat block. The Ghost is a CR 4 creature. Ebondeath has also been given a CR of 4, but it has:

This looks like a mistake to me, and given that some traits have been updated where others have not been, it also looks like a lazy effort without paying much attention to the details.

Ebondeath is clearly stronger than a Ghost, and therefore surely must be of a higher CR that 4. What CR should1 this stat block have been given? As a bonus question, what else should be updated to make things more consistent with the CR it should have been given (meaning the Withering Touch attack, and should the save DC of Horrifying Visage be 20 as well)?

1. Note that by “should”, I mean if it were to be derived from its stat block, not just an opinion (the word “should” often has that association, so I just wanted to make that clear).

Stack Smashing Challenge

I know what I need to do in this challenge, but I am completely lost on how to do the first crucial step. What needs to happen is that I need to overwrite the global structure variable pin_len, which will then let me overflow user_pin in mask_with_pin(), and jump to get_shell(). I’m not sure at all how to overwrite pin_len, though. To my eye, it seems like the writer is limiting the input using fgets. I would just like a nudge in the right direction. Thank you!

#include <stdio.h> #include <stdlib.h> #include <string.h>  // // Globals //  #define MAX_FIELD_LEN 32 #define BUFFER_SIZE 64  struct scratch_space {     char notepad[BUFFER_SIZE];     unsigned int pin_len; } g_scratch_space;  // // Code //  // TODO: Give a shell to users with a special hash void get_shell() {     system("/bin/sh"); }  void scramble() {     int i = 0;      // Scramble the first name in the global notepad     for (i = 0; g_scratch_space.notepad[i]; i++)         g_scratch_space.notepad[i] ^= ((0x7 << i) & 0xff);      // Tick past the null-delimiter ...     i++;      // Scramble the last name in global notepad     while (g_scratch_space.notepad[i])         g_scratch_space.notepad[i++] |= 0x42; }  void mask_with_pin() {     char user_pin[MAX_FIELD_LEN];      // Prompt the user for a PIN     printf("Enter the PIN you wish to use: ");     fgets(user_pin, g_scratch_space.pin_len, stdin);      // Scramble the global notepad with the user's PIN     for (unsigned int i = 0; i < BUFFER_SIZE; i++)         g_scratch_space.notepad[i] ^= user_pin[i % g_scratch_space.pin_len]; }  void initialize_scratch_space() {     // Initialize the notepad to all zero bytes     memset(g_scratch_space.notepad, 0, BUFFER_SIZE);      if (!g_scratch_space.pin_len)      {         printf("Enter the size of the PIN you wish to use: ");         g_scratch_space.pin_len = get_uint();     }      if (g_scratch_space.pin_len > MAX_FIELD_LEN - 1)      {         printf("[!!] PIN Size exceeds maximum value, quitting...");         exit(1);     }  }  void interface()  {     char firstname[MAX_FIELD_LEN] = {};     char lastname[MAX_FIELD_LEN] = {};     char choice = 'y';      unsigned int firstname_len = 0;     unsigned int lastname_len = 0;      // Initialize the scratchspace for the first time     initialize_scratch_space();      while (choice == 'y')      {          // Zero out our local buffers         memset(firstname, 0, MAX_FIELD_LEN);         memset(lastname, 0, MAX_FIELD_LEN);          // Get the user's first and last name.          printf("Enter your first name: ");         fgets(firstname, MAX_FIELD_LEN, stdin);          printf("Enter your last name: ");         fgets(lastname, MAX_FIELD_LEN, stdin);          // Get the length of the names         firstname_len = strnlen(firstname, MAX_FIELD_LEN);         lastname_len = strnlen(lastname, MAX_FIELD_LEN);          // Copy their first name into the notepad         memcpy(g_scratch_space.notepad, firstname, firstname_len);          // Copy their last name into the notepad, placing it after the first name         memcpy(&g_scratch_space.notepad[++firstname_len], lastname, lastname_len);          // Scramble the input         scramble();           // Check if the user wants to further scramble their hash         printf("Apply PIN Scrambling? [y/n] ");         choice = get_char();          // Apply final scramble (if applicable), and print the resulting hash         if (choice == 'y')          {             mask_with_pin();             print_hash(BUFFER_SIZE, g_scratch_space.notepad);             initialize_scratch_space();         }         else if (choice == 'n')         {             print_hash(BUFFER_SIZE, g_scratch_space.notepad);             initialize_scratch_space();         }          // Allow the user to stop generating hashes         printf("Continue generating hashes? [y/n] ");         choice = get_char();     } }  void main()  {     init_wargame();      printf("------------------------------------------------------------\n");     printf("--[ Stack Smashing Level #2 - SecureHash                    \n");     printf("------------------------------------------------------------\n");     interface();      // Exit the program / return from main } 

How does a dragon gain Challenge Rating & thereby increase their spell power?

According to the spell casting variant suggested in the Monster Manual in the True Dragon section, dragons gain a number of spells based on their charisma and their maximum level is based off of 1/3rd of their Challenge Rating. Here is a table that sums it up.

Assuming a dragon reverse extrapolated and is aware of this variant for draconic spell casting, they would seek to gain greater CR in order to cast the better spells. Take an Ancient Greens with CR 22, she needs a few more CR ‘points’ so as to gain Clone or Mighty Fortress.

Note: ALL the questions below revolve around True Dragons gaining increased Challenge Rating. If i require a separate StackExchange question for each, please let me know!

  • Does a dragon existing-residing ‘in lair’ gain CR? Does their maximum spell level ‘drop’ the moment they leave?

  • Does a leading dragon gain CR based on the number and quality of her servants, minions, slaves, toadies, &/or henchpersons (or ‘livestock-property’ in the case of Green dragons)? Would this also increase based on magic items, traps or well-defended real estate (such as castles on mountains – they have a lot of hit points and good armour class, making a dragon MUCH tougher).

  • If any True dragon becomes a Shadow dragon, how much does it gain in Challenge Rating? Why?

  • Does a vast &/or terrifying amount of knowledge equate to CR? It would mean better tactics, strategy &/or knowing weaknesses of friends and foe alike. Does a vast amount of intelligence infrastructure (i.e. ‘a powerful spy network & strike force’) equate threat and danger and thus increase CR?

  • Would gaining the spell power of an arch-mage (CR 12) add to her high-ranking CR? If so, how much?

Most dragons would want at least CR 24 for 8th level spells at the very least. Getting CR 27 would allow for the real game-changer spells like True Polymorph and Wish.

Long story short: Assuming a dragon figured out that CR = Spell power, how would such a being best gain Challenge Rating?

How come RFC7636 (PKCE) stops malicous app doing the same code challenge and get legitimate access to API

As per the RFC7636 it stops malicious apps which pretend to be legitimate apps, gaining access to OAuth2.0 protected API’s.

The flow suggests a method of having a runtime level secret which generated from the client and letting the Auth server knows it. This allows token issuer to verify the secret with auth server and grant a proper access token.

However lets assume a malicous app, as the RFC paper suggests, with a correct client_id and client_secret, it can do the same PKCE process and gain access to protected resources.

Is this RFC doesn’t meant to protect those kind of attacks or simply I’m missing something here?

What is a good way to challenge an Agonizing Blast Warlock?

In my session I have a Warlock with a Charisma score of 20 that’s been using the Agonizing Blast/Eldritch Blast Eldritch Invocation to rather spectacular results, decimating everything that I’ve thrown at the level 8 party.

At first I was pleased at the party’s success in difficult encounters, however I’ve discovered over time that the consistent, high, and nigh-uncounterable force damage of this cantrip tends to trivialize most encounters, eliminating the need for creative thinking. Combine this with a School of Evocation Wizard and I’ve found that most encounters are swiftly concluded with an initial Fireball and a final barrage of Eldritch Blasts, with any significant damage being eliminated by their druid’s healing.

Unfortunately I’ve found that my current approach to dealing with their combat effectiveness has led to increasingly volatile encounters. I’ve been forced to serve them encounters meant for significantly higher level parties, and I’ve found it difficult to find a middle ground where the party is challenged but not always at risk of being totally wiped.

Are there any creative or fun ways/creatures that the party might encounter that might specifically reduce the effectiveness of this strategy?

I should emphasize that I’m not interested in crushing my players. I simply am looking for a way to force the party out of their singular, overwhelmingly effective approach to encounters.

Bonus points if you know of a strategy that fits into a primarily undead/fiend-focused campaign.