Conversation

At the moment, Let's Encrypt primarily issues certificates based on insecure, authenticated HTTP-based validation of domain control. They validate DNSSEC but the HTTP-01 method by itself is insecure and the DNS-01 method requires giving servers DNS API access which isn't good.
Replying to
You do realize that uses multiple vantage points to verify, correct? So, yes, if your hosting provider or their ISP intercepts requests, you're screwed, but IMO, you need a new hosting provider/ISP if this ever happens.
Replying to and
It's 2 vantage points in practice. I've been fiddling with it a lot recently especially since I had to work out how to deal with it + DNS round robin. Internet routing decisions aren't made securely. It really doesn't have to be your hosting provider / ISP or theirs doing it.
There was recent drama about a CA which fairly recently was caught not enforcing CAA and seemed to do all of their security checks via humans manually checking all of the information so... yeah. Also, that CA had a bunch of sub-CAs that were basically regional Spanish government.
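The last message in the thread mentions a CA that was caught not enforcing CAA. To show what "enforcing CAA" actually requires of a CA, here is an added example (not code from the thread, from Let's Encrypt, or from any CA) of the check RFC 8659 section 3 describes: climb from the requested name toward the root, take the first CAA RRset found, and apply the issue/issuewild and critical-flag rules. It runs over a constructed in-memory zone instead of live DNS; the zone contents and the CA identifiers in it are constructed for the example.

```python
"""CAA evaluation as a CA would perform it before issuing (RFC 8659).

Added example over a constructed zone; no network access.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: owner name -> CAA RRset. Names absent from the dict
# have no CAA records. CA identifiers are example values only.
CONSTRUCTED_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                      # ';' = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        (128, "unknown-tag", "whatever"),           # critical bit set on a tag we don't understand
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str, zone: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 section 3: starting at the requested name, walk toward the root
    and return the first non-empty CAA RRset along with the owner name holding it."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """The authorised CA identifier is the text before the first ';'.
    Parameters after it (e.g. validationmethods=...) are ignored in this example."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, wildcard: bool = False,
                     zone: Dict[str, List[CaaRecord]] = CONSTRUCTED_ZONE) -> bool:
    """Return True if CAA permits `ca` to issue for `name` (wildcard or not)."""
    _owner, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted

    # A critical record (flag bit 128) with a tag the CA does not implement
    # means the CA must refuse to issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False

    issue = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in rrset if t == "issuewild"]

    # For wildcard names, issuewild records take precedence when any exist;
    # otherwise the issue records govern wildcards as well.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present (e.g. only iodef) but no issuance restriction
    return ca.lower() in applicable


if __name__ == "__main__":
    for host, ca, wc in [("www.example.com.", "letsencrypt.org", False),
                         ("www.example.com.", "other-ca.example", False),
                         ("example.com.", "letsencrypt.org", True),
                         ("locked.example.com.", "letsencrypt.org", False),
                         ("nocaa.test.", "letsencrypt.org", False)]:
        print(host, ca, "wildcard" if wc else "", "->", issuance_allowed(host, ca, wc))
```

The point of the walk in `relevant_caa_set` is that a record at `example.com.` governs every name beneath it that has no CAA of its own, so a CA that only looks at the exact requested name, or that lets a human eyeball the records, can miss a restriction the zone owner did set.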