undefined | Better HN

0 pointsRyanZAG10y ago0 comments

Agreed - but by making this a fully automated system you open up an easily testable and repeatable source of attack.

I don't think "You have to trust something" is really right in this case, as you're basically saying "You have to trust every single router between letsencrypt and every server on the internet".

I guess it's correct that with most current CAs now automating a lot of this with minimal manual checks, this is probably happening already? I wonder how many amazon.com valid certs are floating around the place? (Or more likely, smaller sites where people wouldn't be checking if the cert is really valid). The original point behind the costs charged by Thawte et al was that they would actually validate that you're who you say you are. I guess that ship has sailed though.

0 comments

superuser210y ago

All mainstream CAs issue certs through a fully automated process, and have for at least a decade. Generally you are required to receive emails sent to the administrative contact in WHOIS, put something in a DNS TXT record, place or file they give you at a URL they give you, or some combination of the above.

There are Extended Validation (EV) certs where a human verifies your ownership of a legal entity. Chrome presents these as a big green bar with the name of the corporation in the URL bar. Most certs (including Amazon's) are not EV certs.

j / k navigate · click thread line to collapse

0 pointsRyanZAG10y ago0 comments

Agreed - but by making this a fully automated system you open up an easily testable and repeatable source of attack.

I don't think "You have to trust something" is really right in this case, as you're basically saying "You have to trust every single router between letsencrypt and every server on the internet".

0 comments

superuser210y ago

j / k navigate · click thread line to collapse