Comment by ItsABytecode
3 years ago
> Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability
They can’t use HTTPS if you don’t have a certificate yet
3 years ago
> Also, Let's Encrypt security is a joke - they issued fake certificate without serious checking. Using unencrypted HTTP for confirmation is a vulnerability
They can’t use HTTPS if you don’t have a certificate yet
This doesn't mean you should use unsecure methods instead and issue certificates to anyone capable to do MitM.
How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.
In this case there has been a valid certificate for the site; this alone should raise suspicion.
Also, if they cannot do secure validation then maybe they should stop issuing certificates for sites that already have a proper certificate.
7 replies →
Over the DNS challenge, of course.
This is exactly the same as all other CA's do this.... for DV-certificates you basically place a key/special file on the webserver, or receive a verficiation code via (plaintext) email.
For EV certs there might be more validation, but users will never see the difference between EV and DV certificates.
So SSL certificates are completely unreliable; we should only wait until Russian or Chinese comrades find a good use for this attack (e.g. temporary redirecting Western traffic using BGP to validate a Let's Encrypt's cert for Western site).
1 reply →