Comment by blueflow
3 years ago
How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.
3 years ago
How could Letsencrypt even verify a server setup if not via DNS/HTTP? Also, verify against what? The servers are basically random strangers without identity when they first talk to LE.
In this case there has been a valid certificate for the site; this alone should raise suspicion.
Also, if they cannot do secure validation then maybe they should stop issuing certificates for sites that already have a proper certificate.
This happens all the time when a server is rebuilt from scratch - same cert using a different keypair.
So should we conclude that SSL cert infrastructure is completely compromised and now any country can issue fake certificates?
5 replies →
Over the DNS challenge, of course.