At the moment, Let's Encrypt primarily issues certificates based on insecure, authenticated HTTP-based validation of domain control.
They validate DNSSEC but the HTTP-01 method by itself is insecure and the DNS-01 method requires giving servers DNS API access which isn't good.
Conversation
This Tweet was deleted by the Tweet author. Learn more
i don't remember what the specifics are, but they check from multiple servers distributed around the world
1
oh, their checks aren't as diverse as i thought but it's a good start i guess letsencrypt.org/2020/02/19/mul
1
They appear to consistently check from 2 perspectives. If there's an attacker with a MITM to both locations, there's currently no way to defend against them getting a Let's Encrypt certificate until they ship the nice accounturi feature. DNSSEC + accounturi gives secure issuance.
This Tweet was deleted by the Tweet author. Learn more
WebPKI is build on poorly verifying domain control based on DNS. WebPKI depends on DNS security. Removing CAs from the picture and using DANE TLSA doesn't require trusting any additional parties but rather reduces trust to the entities in control of naming, who you trust anyway.
1
2
Show replies