undefined | Better HN

0 pointsiancarroll9y ago0 comments

If Let's Encrypt's chain is compromised, everyone is screwed, not just your site. If _any_ trusted CA is compromised, everyone is screwed, even if they haven't issued a certificate for your site.

There is no way to induce a vulnerability by using an incompetent or malicious CA, provided you generate your own, strong private key. Even issuing an MD5 or SHA-1 certificate cannot actively harm your visitors unless a second preimage attack is developed against the algorithm (in which case, again, everyone is screwed, not just you).

0 comments

ivraatiems9y ago

> There is no way to induce a vulnerability by using an incompetent or malicious CA, provided you generate your own, strong private key.

If OVH is doing this automatically, they're the ones generating the keys, right?

Faaak9y ago

They already have the keys either way: its a shared-hosting environment.

j / k navigate · click thread line to collapse