At the moment, Let's Encrypt primarily issues certificates based on insecure, authenticated HTTP-based validation of domain control.
They validate DNSSEC but the HTTP-01 method by itself is insecure and the DNS-01 method requires giving servers DNS API access which isn't good.
Conversation
Replying to
community.letsencrypt.org/t/acme-caa-val (accounturi) is a feature currently available on their staging server providing a solution.
The accounturi feature allows you to pin the ECDSA-based renewal account to provide a secure chain of trust from DNSSEC for issuing certificates via Let's Encrypt.
1
7
This feature isn't deployed on their production server yet.
It's implemented for all of the GrapheneOS domains/subdomains now and we've tested across all with the Let's Encrypt staging server.
Of course, you still trust every CA to validate CAA/DNSSEC and not be compromised.
1
6
Our public keys for all our TLS-based services are pinned across all our services via DANE TLSA records.
If clients validated DNSSEC and enforced a tiny subset of DANE (public key pins for leaf certificates) it would solve the problem of needing to trust all CAs. Fix it already.
2
10
For email, DANE TLSA is already available and working well. It's widely deployed for secure transport between email servers in a lot of Europe.
You can use internet.nl/test-mail/ to check if your provider has it for inbound connections and havedane.net for outbound.
2
8
Essential for email since without it, connections aren't authenticated and transparently fall back to plain text.
Google is against it for political reasons so their alternative for email MTA-STS which is basically HSTS, but without preloading, to enable WebPKI, but without CT.
1
7
You would think that as the primary backers of MTA-STS, Google would have a decent deployment. Gmail only sets max_age to 1 day. Leading by example.
It's a messy feature, since while it depends on DNS security, it pretends not to by making you serve a TXT file with a web server.
6
This Tweet was deleted by the Tweet author. Learn more
i don't remember what the specifics are, but they check from multiple servers distributed around the world
1
Show replies
Replying to
You do realize that uses multiple vantage points to verify, correct?
So, yes, if you're hosting provider or their ISP intercepts requests, you're screwed, but IMO, you need a new hosting provider/ISP if this ever happens.
1
It's 2 vantage points in practice. I've been fiddling with it a lot recently especially since I had to work out how to deal with it + DNS round robin.
Internet routing decisions aren't made securely. It really doesn't have to be your hosting provider / ISP or theirs doing it.
1
1
Show replies