DNS-PERSIST-01: Safer Wildcard Certificates

💬 This is a comment on DNS-PERSIST-01: A New Model for DNS-based Challenge Validation. The Source of Truth: Connecting to a website? Sending an email? Which server you reach depends on DNS records. And CAA or SSHFP records establish trust for public key cryptographic protocols. DNS records are the source of truth. DNS API Tokens: Currently, wildcard certificates with Let’s Encrypt require writing an arbitrary string in a DNS record for every single certificate renewed or issued. In practice, this often involves sharing a write API token to change the DNS. This is risky: should an attacker obtain the token, they can do a lot of damage: hijack traffic (and get valid certificates for it), receive and send emails using the corresponding domain… ...

February 22, 2026 · 2 min

6-day Certificates With Let’s Encrypt and Caddy

💬 This is a comment on 6-day and IP Address Certificates are Generally Available by Matthew McPherrin (via). Let’s Encrypt has just announced that short-lived certificates are generally available. They can also be used for IP addresses, which is especially useful for DNS over HTTPS. Those certificates could be smaller in the future, if information for validity checks is omitted. However, for now at least, these certificates still include revocation information. ...

January 17, 2026 · 2 min

Let's Encrypt CAA Records with Caddy

A Man-in-the-Middle Attack: I host my own instance of miniflux, an RSS reader. I do it as a hobby; I enjoy the learning opportunities that come along the way. One such opportunity presented itself in November 2023. Back then, a Man-in-the-Middle attack was reported against jabber.ru. You can go read the full details on that blog post, but let’s go over its main aspects. Without the attacker, a client connects directly to the jabber.ru server over TLS: ...

February 25, 2025 · 8 min