
To clarify, Let's Encrypt validates identity by trusting DNS resolution of a domain and then trusting a TCP/IP connection to the IP, correct?

It's good to encrypt things, but I wouldn't be too surprised if it were possible for folks to issue bad certs via them, as well.




Yes, this is called domain validation and most CAs operate like this for regular non-EV certificates. Sometimes it's an email, sometimes it's a file with certain content at a certain URL, sometimes it's a DNS record. But beyond that, no further validation is required for regular certificates.


I don't know why you were downvoted. Yes, Let's Encrypt does verification by requiring a site to host a string on port 80. They discover the site via DNS, and they do NOT require DNSSEC. Thus you can absolutely trick Let's Encrypt into issuing a bad cert if you can serve them bad DNS responses.

This OCR issue with Comodo in TFA concerns WHOIS data, which may or may not be more reliable than unsigned DNS data. Regardless, your point remains valid.
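As an added illustration of the point made in the comment above (this is example code written for this page, not Let's Encrypt's implementation and not from any participant in the thread): a simplified in-memory model of the HTTP-01 domain validation step. The CA resolves the domain, connects to whatever IP the resolver returned, and fetches the challenge token. All names, addresses, and records here are constructed; there is no network access. The `require_dnssec` flag is an assumption added to show what changes when the validator refuses unauthenticated DNS answers.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer as the CA's resolver would see it (constructed)."""
    ip: str
    authenticated: bool  # True only if the resolver validated DNSSEC (AD flag set)


class Resolver:
    """Constructed stand-in for the CA's DNS resolver: a fixed name -> answer table."""

    def __init__(self, records: Dict[str, DnsAnswer]):
        self.records = records

    def resolve(self, name: str) -> DnsAnswer:
        return self.records[name]


class Network:
    """Constructed stand-in for TCP/HTTP reachability: ip -> {path: body}."""

    def __init__(self, hosts: Dict[str, Dict[str, str]]):
        self.hosts = hosts

    def http_get(self, ip: str, path: str) -> Optional[str]:
        return self.hosts.get(ip, {}).get(path)


def http01_validate(domain: str, token: str, key_authorization: str,
                    resolver: Resolver, network: Network,
                    require_dnssec: bool = False) -> bool:
    """Model of the HTTP-01 check: resolve the name, connect to the answer, fetch the token.

    The validator never learns *who* answered; it only compares the body it got back.
    Its assurance is therefore bounded by the integrity of the DNS answer it trusted.
    """
    answer = resolver.resolve(domain)
    if require_dnssec and not answer.authenticated:
        return False  # hypothetical hardening: refuse an answer without DNSSEC proof
    body = network.http_get(answer.ip, f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization


def run_scenarios() -> Dict[str, bool]:
    """Four constructed scenarios; returns the validation outcome of each."""
    domain = "example.test"                       # constructed domain
    token = secrets.token_urlsafe(16)             # per-challenge random token
    key_auth = f"{token}.constructed-account-thumbprint"

    legit_ip = "192.0.2.10"   # TEST-NET-1 address, constructed: the real operator's host
    other_ip = "192.0.2.99"   # constructed: a host the real operator does not control

    # Both hosts serve the challenge body; only the DNS answer decides which one the CA visits.
    network = Network({
        legit_ip: {f"/.well-known/acme-challenge/{token}": key_auth},
        other_ip: {f"/.well-known/acme-challenge/{token}": key_auth},
    })
    honest = Resolver({domain: DnsAnswer(legit_ip, authenticated=True)})
    # Resolver handing back a misdirected, unsigned answer (the "bad DNS responses" case)
    misdirected = Resolver({domain: DnsAnswer(other_ip, authenticated=False)})

    return {
        "honest_dns": http01_validate(domain, token, key_auth, honest, network),
        "misdirected_dns_no_dnssec_check": http01_validate(domain, token, key_auth, misdirected, network),
        "misdirected_dns_dnssec_required": http01_validate(domain, token, key_auth, misdirected, network,
                                                           require_dnssec=True),
        "honest_dns_dnssec_required": http01_validate(domain, token, key_auth, honest, network,
                                                      require_dnssec=True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'issued' if ok else 'refused'}")
```

The model deliberately leaves out two real-world mitigations that a defender should know about: production CAs honour CAA records (which let a zone owner restrict which CAs may issue for it), and Let's Encrypt performs the lookup from several network vantage points so that a single poisoned resolver path is not enough on its own. Neither removes the dependency on DNS integrity that the comment describes; they raise the bar for exploiting it, and monitoring Certificate Transparency logs for unexpected issuance remains the detection control.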


You can also trick practically every other CA using the same techniques.


Yes. And remember you only have to trick one of them for them all to be useless :)



