At the moment, Let's Encrypt primarily issues certificates based on insecure, authenticated HTTP-based validation of domain control.
They validate DNSSEC but the HTTP-01 method by itself is insecure and the DNS-01 method requires giving servers DNS API access which isn't good.
You do realize that uses multiple vantage points to verify, correct?
So, yes, if your hosting provider or their ISP intercepts requests, you're screwed, but IMO, you need a new hosting provider/ISP if this ever happens.
It's 2 vantage points in practice. I've been fiddling with it a lot recently especially since I had to work out how to deal with it + DNS round robin.
Internet routing decisions aren't made securely. It really doesn't have to be your hosting provider / ISP or theirs doing it.
blog.cloudflare.com/bgp-leaks-and-
The point of my thread was mostly about Let's Encrypt accounturi support (which I hope they deploy soon) and DANE TLSA.
Let's Encrypt could also make life much easier by supporting DANE TLSA instead of us needing to pin the accounturi in addition to it.
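The accounturi pinning mentioned above is the CAA parameter defined in RFC 8657 (alongside validationmethods, which can restrict a CA to DNS-01 rather than HTTP-01). The following Python is an added example, not code from this thread or from Let's Encrypt: it parses CAA records in presentation format and decides whether a given CA, ACME account URI and validation method would be authorized to issue, so a domain owner can check the policy they have published before relying on it. The sample records and the account URI are constructed placeholders.

```python
"""Evaluate a CAA issuance policy with RFC 8657 accounturi / validationmethods pinning.

Added example (not from the thread or from Let's Encrypt). Implements the
issuer-domain matching of RFC 8659 and the parameter checks of RFC 8657.
All records below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse presentation-format CAA text, e.g. '0 issue "letsencrypt.org; validationmethods=dns-01"'."""
    flags, tag, rest = line.split(None, 2)
    value = rest.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def parse_issue_value(value: str):
    """Split an issue/issuewild value into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_allowed(records, issuer_domain, account_uri, method, wildcard=False):
    """Return True if CA `issuer_domain` may issue using `account_uri` and `method`.

    RFC 8659: issuewild records govern wildcard names when present; otherwise
    issue records apply. issuewild is ignored for non-wildcard names. If no
    applicable restricting record exists, any CA may issue.
    """
    if wildcard and any(r.tag == "issuewild" for r in records):
        applicable = [r for r in records if r.tag == "issuewild"]
    else:
        applicable = [r for r in records if r.tag == "issue"]
    if not applicable:
        return True
    for rec in applicable:
        issuer, params = parse_issue_value(rec.value)
        if issuer == "" or issuer != issuer_domain.lower():
            continue  # empty issuer (";") means no CA is permitted
        # RFC 8657: a missing parameter imposes no constraint; a present one must match
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params:
            allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
            if method.lower() not in allowed:
                continue
        return True
    return False


# Constructed placeholder account URI (Let's Encrypt account URLs follow this shape).
EXAMPLE_ACCOUNT_URI = "https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE_ACCOUNT_ID"

# Constructed sample zone policy: only Let's Encrypt, only this account, only DNS-01,
# and no wildcard issuance by anyone.
SAMPLE_CAA = [parse_caa(line) for line in (
    f'0 issue "letsencrypt.org; accounturi={EXAMPLE_ACCOUNT_URI}; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.invalid"',
)]


if __name__ == "__main__":
    print("dns-01, pinned account:", issuance_allowed(SAMPLE_CAA, "letsencrypt.org", EXAMPLE_ACCOUNT_URI, "dns-01"))
    print("http-01, pinned account:", issuance_allowed(SAMPLE_CAA, "letsencrypt.org", EXAMPLE_ACCOUNT_URI, "http-01"))
    print("wildcard request:", issuance_allowed(SAMPLE_CAA, "letsencrypt.org", EXAMPLE_ACCOUNT_URI, "dns-01", wildcard=True))
```

The check is only as strong as the resolver path: a CA that does not validate DNSSEC, or that skips CAA parameters it does not implement, can still be misled, which is the caveat the thread raises about CAA depending on every CA checking it.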
By the way, CAs aren't even required to support DNSSEC. It's highly recommended by the CAA standard, but not mandatory.
Let's Encrypt of course implements DNSSEC but it's definitely not the case overall and CAA depends on every CA actually checking it securely which kinda sucks.