[liberationtech] Fwd: Question EFF CA Let's Encrypt

Gregory Maxwell greg at xiph.org
Wed Nov 19 10:32:06 PST 2014


On Wed, Nov 19, 2014 at 3:13 PM, Richard Brooks <rrb at g.clemson.edu> wrote:
> Just looked at this:
>
> https://letsencrypt.org/howitworks/technology/
>
> The EFF's new CA to make things cheap and easy for
> installing certs. I like the goal.
>
> What I do not get from the description is how they
> really verify that I legitimately own the site. If
> I should manage to reroute some traffic and do
> DNS cache poisoning on a web-site address, wouldn't
> the system accept my web-site as valid? It seems like
> they are accepting the fact that you can reach the
> site using DNS information (which is not secured)
> as proof of legitimacy.
>
> Or is there something I am missing?

Yes, you appear to be missing that _many_ CAs are already using
"domain validation" less sophisticated than what is proposed there.
(e.g. GoDaddy is one example, I believe StartSSL is another)

E.g. you prove ownership to them by them fetching a file with a
specified name over HTTP from a single location.

There are also CAs with special agreements, like DigiCert, which will
instantly issue to Cloudflare a cert for any domain which resolves to
a Cloudflare IP block.
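
The following offline model is an added example, not part of the original message or any CA's code: it shows why a file fetch "from a single location" inherits whatever the validating resolver believes, and how requiring agreement across several vantage points changes the outcome. The challenge path, the `ToyWeb` class, the addresses and the multi-vantage variant are all assumptions made for illustration.

```python
import secrets

LEGIT_IP, ROGUE_IP = "192.0.2.10", "203.0.113.66"  # constructed, documentation ranges
DOMAIN = "example.org"                              # constructed


class ToyWeb:
    """Offline stand-in for plain-HTTP servers: IP -> {path: body}."""

    def __init__(self):
        self.servers = {}

    def put(self, ip, path, body):
        self.servers.setdefault(ip, {})[path] = body

    def get(self, ip, path):
        return self.servers.get(ip, {}).get(path)


def new_challenge():
    """CA side: choose the file name and contents the applicant must publish."""
    token = secrets.token_urlsafe(16)
    return "/ca-challenge/" + token, token  # hypothetical path layout


def validate(domain, path, token, resolvers, web):
    """CA side: each vantage point resolves the name from its own cache and
    fetches the file; issuance requires every vantage point to see the token."""
    if not resolvers:
        return False
    for cache in resolvers:
        ip = cache.get(domain)
        if ip is None or web.get(ip, path) != token:
            return False
    return True


def scenario():
    web = ToyWeb()
    honest = {DOMAIN: LEGIT_IP}
    poisoned = {DOMAIN: ROGUE_IP}  # one resolver cache holds a forged record

    # Legitimate operator publishes the file on the real server.
    path, token = new_challenge()
    web.put(LEGIT_IP, path, token)
    owner_ok = validate(DOMAIN, path, token, [honest], web)

    # Applicant without control of the domain publishes on a different host.
    path2, token2 = new_challenge()
    web.put(ROGUE_IP, path2, token2)
    single = validate(DOMAIN, path2, token2, [poisoned], web)
    multi = validate(DOMAIN, path2, token2, [poisoned, honest, honest], web)
    return owner_ok, single, multi
```

`scenario()` returns the results for the legitimate owner, the single-location check behind a poisoned cache, and the three-vantage check in that order.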


