Tuesday, February 13, 2018

letsencrypt.org makes everyone less secure

letsencrypt.org has lowered the bar for issuing DV (Domain Validation) certificates.

So, verification of domain ownership simply requires access to the server the domain points to: no verification via the domain's administrative contact email, and no registration with the site/CA. This is very convenient, especially as the certs are also free and their installation (even their renewal) is done automatically on Apache by letsencrypt's software agent (see here). But it is also fairly insecure, and given that this is a CA whose SSL certs are accepted by all major browsers, it makes everyone less secure.

To explain: using them, an attacker who has compromised a DNS A record can also spoof the website normally served under that domain WITHOUT breaking https. That cannot be good.
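
The two validation styles contrasted above, as a simplified in-memory model. This is an added example, not from the original post and not letsencrypt's code; the domain, addresses, mailboxes, token values and the /challenge path are constructed for illustration.

```python
# Simplified model of two DV styles; every name and address here is constructed.
WHOIS_ADMIN = {"example.test": "hostmaster@owner.test"}  # registrant's admin contact

def validate_by_admin_email(domain, requester_mailbox):
    """Email-style DV: the CA mails the registered admin contact.
    Passes only if the requester reads that mailbox (delivery is modelled
    as going straight to the registered address)."""
    return WHOIS_ADMIN.get(domain) == requester_mailbox

def validate_by_server_control(dns_a, web_hosts, domain, token):
    """Server-control DV: the CA resolves the A record and fetches a
    challenge token from whatever host answers at that address."""
    ip = dns_a.get(domain)
    return web_hosts.get(ip, {}).get("/challenge") == token

def issuance_matrix(dns_a, web_hosts, domain, requester):
    """Report which validation method would succeed for this requester."""
    # The requester can only publish the token on the host it controls.
    hosts = {ip: dict(files) for ip, files in web_hosts.items()}
    hosts.setdefault(requester["host_ip"], {})["/challenge"] = requester["token"]
    return {
        "admin_email": validate_by_admin_email(domain, requester["mailbox"]),
        "server_control": validate_by_server_control(
            dns_a, hosts, domain, requester["token"]),
    }

OWNER = {"host_ip": "192.0.2.10", "mailbox": "hostmaster@owner.test",
         "token": "tok-owner"}
OTHER = {"host_ip": "198.51.100.7", "mailbox": "someone@other.test",
         "token": "tok-other"}
HOSTS = {"192.0.2.10": {}, "198.51.100.7": {}}

def scenarios():
    """Evaluate both methods before and after the A record changes."""
    normal = {"example.test": "192.0.2.10"}
    altered = {"example.test": "198.51.100.7"}  # A record no longer points at the owner
    d = "example.test"
    return {
        "owner, normal DNS": issuance_matrix(normal, HOSTS, d, OWNER),
        "other party, normal DNS": issuance_matrix(normal, HOSTS, d, OTHER),
        "other party, altered A record": issuance_matrix(altered, HOSTS, d, OTHER),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model the A record is the only input that decides the server-control check, so protecting and monitoring that record is what protects certificate issuance for the domain.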

