[liberationtech] Question EFF CA Let's Encrypt
Tom Ritter
tom at ritter.vg
Wed Nov 19 09:56:02 PST 2014
On 19 November 2014 09:13, Richard Brooks <rrb at g.clemson.edu> wrote:
> Just looked at this:
>
> https://letsencrypt.org/howitworks/technology/
>
> The EFF's new CA to make things cheap and easy for
> installing certs. I like the goal.
>
> What I do not get from the description is how they
> really verify that I legitimately own the site. If
> I should manage to reroute some traffic and do
> DNS cache poisoning on a web-site address, wouldn't
> the system accept my web-site as valid? It seems like
> they are accepting the fact that you can reach the
> site using DNS information (which is not secured)
> as proof of legitimacy.
>
> Or is there something I am missing?
Well.... that's how Domain Validation certificates work today. If I
can control DNS information (MX records or WHOIS info) for google.com,
I could go get DV certs issued for it today*.
-tom
* Technically, I couldn't for google.com, because CAs have some sort
of secret list of 'high profile' domains that get more strict
requests, and google is almost certainly on it. But
unclebobsdiscounthangglidingandbbq.com would work fine.
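To make the point of this exchange concrete from the CA's side: a domain-validation check is only as trustworthy as the DNS answers the CA sees. The Python below is an added illustration, not Let's Encrypt's code and not anything from the thread; the challenge scheme (a random token bound to an account thumbprint and published under `_acme-challenge.<domain>`) is modelled loosely on ACME DNS-01, and the "resolver views", domain `example.test`, vantage names and thumbprint strings are all constructed. It contrasts a single-vantage check, which simply trusts one resolver's answer, with a multi-perspective check that only issues when several independent vantage points agree, which is the mitigation CAs use against a single bad DNS answer.

```python
"""Simulation of a CA's domain-validation (DV) decision (illustrative, hypothetical).

Not Let's Encrypt's implementation: the challenge format and the in-memory
"resolver views" are constructed for this example only.
"""
import hashlib
import secrets
from typing import Dict, List

# What one vantage point believes DNS says: FQDN -> list of TXT strings.
DnsView = Dict[str, List[str]]

DOMAIN = "example.test"  # constructed sample domain


def issue_challenge() -> str:
    """CA side: random, unguessable token the applicant must prove they published."""
    return secrets.token_urlsafe(32)


def expected_txt(token: str, account_thumbprint: str) -> str:
    """TXT value the CA expects to see; binding the token to the applicant's
    account key is modelled loosely on ACME DNS-01 (hypothetical scheme)."""
    return hashlib.sha256(f"{token}.{account_thumbprint}".encode()).hexdigest()


def validate_from(domain: str, expected: str, view: DnsView) -> bool:
    """Single-vantage check: issues if THIS resolver returns the expected record.
    It has no way to tell an authoritative answer from a wrong cached one."""
    return expected in view.get(f"_acme-challenge.{domain}", [])


def validate_multi_perspective(domain: str, expected: str,
                               views: Dict[str, DnsView], quorum: int) -> Dict[str, object]:
    """Query several independent vantage points; issue only if >= quorum agree.
    A record visible from only one vantage is treated as a validation failure."""
    per_vantage = {name: validate_from(domain, expected, view) for name, view in views.items()}
    agree = sum(per_vantage.values())
    return {"per_vantage": per_vantage, "agree": agree, "issue": agree >= quorum}


def scenario_legitimate_owner() -> Dict[str, object]:
    """The real owner publishes the record at the authoritative server,
    so every vantage point sees the same answer and issuance succeeds."""
    expected = expected_txt(issue_challenge(), "owner-account-thumbprint")
    authoritative: DnsView = {f"_acme-challenge.{DOMAIN}": [expected]}
    views = {"us-east": authoritative, "eu-west": authoritative, "ap-south": authoritative}
    return validate_multi_perspective(DOMAIN, expected, views, quorum=3)


def scenario_one_divergent_view() -> Dict[str, object]:
    """The situation the thread worries about: the expected record is visible
    from one vantage only (its view of DNS differs from the authoritative data).
    The single-vantage check passes there; the multi-perspective check refuses."""
    expected = expected_txt(issue_challenge(), "other-account-thumbprint")
    authoritative: DnsView = {f"_acme-challenge.{DOMAIN}": ["v=spf1 -all"]}
    divergent: DnsView = {f"_acme-challenge.{DOMAIN}": [expected]}
    views = {"us-east": divergent, "eu-west": authoritative, "ap-south": authoritative}
    return {
        "single_vantage_us_east": validate_from(DOMAIN, expected, views["us-east"]),
        "multi": validate_multi_perspective(DOMAIN, expected, views, quorum=3),
    }


if __name__ == "__main__":
    print("legitimate owner:", scenario_legitimate_owner())
    print("one divergent view:", scenario_one_divergent_view())
```

The quorum is deliberately strict (all three vantages): relaxing it to a majority would tolerate one faulty vantage, but the key property is that no single DNS answer, wherever it came from, is enough on its own. DNSSEC validation at the CA's resolvers and CAA records are the complementary controls on the domain owner's side, and neither is modelled here.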