← Back to context

Comment by sigio

3 years ago

This is exactly the same as all other CA's do this.... for DV-certificates you basically place a key/special file on the webserver, or receive a verficiation code via (plaintext) email.

For EV certs there might be more validation, but users will never see the difference between EV and DV certificates.

So SSL certificates are completely unreliable; we should only wait until Russian or Chinese comrades find a good use for this attack (e.g. temporary redirecting Western traffic using BGP to validate a Let's Encrypt's cert for Western site).

  • yes? this is a well-known problem, which is why CAA-ACME etc and certificate transparency logs exist.