← Back to context

Comment by stefan_

3 years ago

They don't need to, they controlled the domain IP and trivially got the certificates. This is not a novel technique, see this Twitter thread:

https://twitter.com/billmarczak/status/1710348549794185279

We need to go back to snail mail or something, this whole .well-known thing just stinks. We added layers on top like CT and while sound ideas, they don't tend to do anything unless you are Google or FB.

> Yes, the fraudulent certificate is memorialized in Certificate Transparency (CT) databases (the indelible, publicly accessible records of ~all issued TLS certs). But, most website owners don't know what CT is, have no idea how to check it, and wouldn’t know what the results meant