
Warning! If you do this, anyone might be able to create HTTPS certificates for your domain name!

A lot of certification authorities will allow you to get a certificate for example.com if you can prove that you can reply to an email sent to an email address @example.com. If you configure an MX record pointing to the mailinator MTAs, then anybody can request a cert and ask to validate domain ownership by contacting whatever@example.com, and can subsequently browse the whatever@ mailbox on mailinator to read and reply to the confirmation email.




Are you skipping over something in that explanation about which email(s) one must be able to read? Because the way you said it makes it sound as if anyone could make fake certs for hotmail, gmail, etc. And that can't be right... I hope.


This is partially right(!)

A security researcher once obtained a certificate for Microsoft's live.com domain by registering an email account sslcertificates@live.com and using it to reply to the CA's verification email.

http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysi...


Presumably something like "root" or "webmaster," but those aren't illegal on mailinator: http://mailinator.com/maildir.jsp?email=webmaster&x=0...


You're right, but I was just proposing to use one of your own domains, not your real, business, holy domain. You can register a new one for less than $10/year, or you can just use a free third-level subdomain (like trashbin.example.com).
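The risk described at the top of the thread can be checked against your own zone data. The following is an added example, not part of the original thread: it flags names whose MX points at a public-inbox mail host and lists the validation mailboxes that would become publicly readable. It goes one step beyond the thread by skipping names where a CAA `issue ";"` record forbids issuance. The sample zone, the `mail.mailinator.com` host name and all function names are constructed for illustration.

```python
# Local parts CAs may use for constructed-email domain validation
# (CA/Browser Forum Baseline Requirements).
VALIDATION_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Assumption: suffixes of mail hosts whose inboxes anyone can read.
PUBLIC_INBOX_SUFFIXES = ("mailinator.com",)

# Constructed sample records: owner TTL class type rdata...
SAMPLE_ZONE = """\
example.com.           3600 IN MX  10 mail.example.com.
trashbin.example.com.  3600 IN MX  10 mail.mailinator.com.
throwaway.example.     3600 IN MX  10 mail.mailinator.com.
throwaway.example.     3600 IN CAA 0 issue ";"
"""

def parse(zone_text):
    """Return (owner, type, rdata_fields) tuples; owner lowercased, no trailing dot."""
    records = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5:
            records.append((f[0].lower().rstrip("."), f[3].upper(), f[4:]))
    return records

def issuance_forbidden(name, records):
    """Climb from name toward the root (RFC 8659); the first CAA set found decides."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        caa = [r for o, t, r in records if o == candidate and t == "CAA"]
        if caa:
            issue = [r[2].strip('"').strip() for r in caa
                     if len(r) >= 3 and r[1].lower() == "issue"]
            return bool(issue) and all(v == ";" for v in issue)
    return False

def exposed_mailboxes(zone_text, suffixes=PUBLIC_INBOX_SUFFIXES):
    """Map each at-risk name to the validation addresses a stranger could read."""
    records = parse(zone_text)
    findings = {}
    for owner, rtype, rdata in records:
        if rtype != "MX" or len(rdata) < 2:
            continue
        target = rdata[1].lower().rstrip(".")
        hit = any(target == s or target.endswith("." + s) for s in suffixes)
        if hit and not issuance_forbidden(owner, records):
            findings[owner] = [f"{p}@{owner}" for p in VALIDATION_LOCAL_PARTS]
    return findings
```

On the sample zone only `trashbin.example.com` is reported: `example.com` keeps its own mail host, and `throwaway.example` is covered by its CAA record.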



