undefined | Better HN

0 pointsfoo1018y ago0 comments

Consider the scenario where I own a domain example.com for a year. Just a day before its expiry or just a day before I sell the domain to someone else, I obtain a certificate for it from letsencrypt via ACME protocol.

A week or month from now, the new owner of the domain sets up a HTTPs website. With the old certificate I have, I can now launch an MITM attack on the new owner for about 2-3 months!

0 comments

teraflop8y ago

You can perform exactly the same attack with a 1-year certificate from any other CA.

dastbe8y ago

The answer to this is ultimately ratcheting down cert validity duration. As more people automate renewals we can get to the point where certs are valid for maybe days at a time.

j / k navigate · click thread line to collapse

0 pointsfoo1018y ago0 comments

A week or month from now, the new owner of the domain sets up a HTTPs website. With the old certificate I have, I can now launch an MITM attack on the new owner for about 2-3 months!

0 comments

teraflop8y ago

You can perform exactly the same attack with a 1-year certificate from any other CA.

dastbe8y ago

The answer to this is ultimately ratcheting down cert validity duration. As more people automate renewals we can get to the point where certs are valid for maybe days at a time.

j / k navigate · click thread line to collapse