← Back to context

Comment by codedokode

3 years ago

Wouldn't be surprised if this happened in Russia; but not in Europe. Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability - doesn't this mean that large national ISPs can easily issue ceritificates for any site hosted within a country?

> Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability

They can’t use HTTPS if you don’t have a certificate yet

  • This doesn't mean you should use unsecure methods instead and issue certificates to anyone capable to do MitM.

    • How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.

      9 replies →

    • This is exactly the same as all other CA's do this.... for DV-certificates you basically place a key/special file on the webserver, or receive a verficiation code via (plaintext) email.

      For EV certs there might be more validation, but users will never see the difference between EV and DV certificates.

      2 replies →