Comment by codedokode
3 years ago
Wouldn't be surprised if this happened in Russia; but not in Europe. Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability - doesn't this mean that large national ISPs can easily issue ceritificates for any site hosted within a country?
> Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability
They can’t use HTTPS if you don’t have a certificate yet
This doesn't mean you should use unsecure methods instead and issue certificates to anyone capable to do MitM.
How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.
9 replies →
This is exactly the same as all other CA's do this.... for DV-certificates you basically place a key/special file on the webserver, or receive a verficiation code via (plaintext) email.
For EV certs there might be more validation, but users will never see the difference between EV and DV certificates.
2 replies →
Police raiding / intercepting / modifying servers does happen here too. Last big case: https://www.bleepingcomputer.com/news/security/encrochat-tak...