Comment by ItsABytecode

3 years ago

> Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability

They can’t use HTTPS if you don’t have a certificate yet

This doesn't mean you should use unsecure methods instead and issue certificates to anyone capable to do MitM.

  • How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.

    • In this case there has been a valid certificate for the site; this alone should raise suspicion.

      Also, if they cannot do secure validation then maybe they should stop issuing certificates for sites that already have a proper certificate.

      7 replies →

  • This is exactly the same as all other CA's do this.... for DV-certificates you basically place a key/special file on the webserver, or receive a verficiation code via (plaintext) email.

    For EV certs there might be more validation, but users will never see the difference between EV and DV certificates.

    • So SSL certificates are completely unreliable; we should only wait until Russian or Chinese comrades find a good use for this attack (e.g. temporary redirecting Western traffic using BGP to validate a Let's Encrypt's cert for Western site).

      1 reply →