Lets Encrypt Is Insecure

2 pointscrapsalot10y ago2 comments

Lets Encrypt has recently been the target of a few news stories. A brief review of Lets Encrypt documentation highlights the basic problem with Lets Encrypt is a reliance on the ACME protocol's gaping security hole of equating DNS A record server IP addresses with domain ownership.

It's very clear that if a domain has a wildcard host record that Lets Encrypt will automatically enable any root user of DNS A record IP address host to generate an near unlimited number of subdomain certs.

All these subdomain certs will be viewed as valid certs by most browsers because of the IdenTrust cross cert.

Since control of a given host included in a DNS A record does not equate to domain ownership, Lets Encrypt certs should not be recognized at the same trustworthiness of DV certs issued by a standard CA.

Why should the Internet trust Lets Encrypt at the same level as DV certs?

2 comments

0x010y ago

If you don't trust the admins of whatever server is behind an IP address to represent your domain, then you shouldn't add that IP address to your domain. I don't see a problem here.

ChristianBach10y ago

Because just about any other CA also offer the domain validated certificates through the same kind of validation process?

j / k navigate · click thread line to collapse