On Tue, Apr 16, 2024 at 10:30 PM Kaj Niemi <kajtzu@basen.net> wrote:
Hi,
Both RIPE and their CDN seem to use DNSSEC.
Indeed, the CDN utilizes LE as the issuing CA. LE does publish the list of issued certificates as part of Certificate Transparency; as far as I know the list is public and can be consumed by anyone.
Is there some specific concern you're thinking of?
Kaj
Yes, there is a simple way of circumventing the issuing procedure of LE certificates when an actor is able to act as man-in-the-middle, see [1] for example. Theoretical assumptions of the same kind of attack have circulated around security-related communities since the beginning of LE deployment, and it's quite strange to see an org with an annual budget of tens of M$ using a zero-liability CA for its primary web resource.

1. https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-cer...