
I don't know why you were downvoted. Yes, Let's Encrypt does verification by requiring a site to host a string on port 80. They discover the site via DNS, and they do NOT require DNSSEC. Thus you can absolutely trick Let's Encrypt into issuing a bad cert if you can serve them bad DNS responses.

This OCR issue with Comodo in TFA concerns WHOIS data, which may or may not be more reliable than unsigned DNS data. Regardless, your point remains valid.



You can also trick practically every other CA using the same techniques.


Yes. And remember you only have to trick one of them for them all to be useless :)
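The thread above is about CAs validating domain control over unauthenticated DNS. The standard control a domain owner has over which CAs may issue for their names is the CAA record (RFC 8659), which the thread itself does not mention. The following Python is an added example, not code from any commenter or from Let's Encrypt: it implements the RFC 8659 "relevant record set" lookup (walk from the requested name up to the parent of the TLD until a CAA RRset is found) and the issuance-authorization decision over a small constructed zone table instead of live DNS. The zone names, CA names and records are all invented for the example. The caveat a defender should keep in mind is exactly the thread's point: CAA is itself fetched over DNS, so a CA that does not validate DNSSEC can be fed a forged answer for the CAA query just as easily as for the A record. CAA limits mis-issuance by honest CAs following the rules; it is not a substitute for signing the zone.

```python
"""
Added example (not from the HN thread): RFC 8659 CAA lookup and
issuance-authorization check over a constructed, in-memory zone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # for issue/issuewild: "<ca-domain>[; param=value ...]" or ";"


# Constructed zone data (hypothetical names): fully-qualified name -> CAA RRset.
# An empty list means the name exists but carries no CAA records.
CONSTRUCTED_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "digicert.com; accounturi=https://ca.invalid/acct/1"),
        CAARecord(0, "issuewild", "digicert.com"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [CAARecord(0, "issue", ";")],        # no CA at all may issue
    "www.example.com": [],                                    # inherits from example.com
    "example.net": [],                                        # no CAA anywhere in the tree
    "strict.example.org": [CAARecord(128, "futuretag", "x")], # critical tag we don't understand
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str, zone=CONSTRUCTED_ZONE) -> list:
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    name towards the root, stopping before the TLD itself."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) > 1:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; ';' (no issuer) -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, wildcard: bool = False, zone=CONSTRUCTED_ZONE) -> bool:
    """Decide whether CA `ca` may issue a certificate for `name`
    (or for *.name when wildcard=True) under the relevant CAA RRset."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA in the tree: issuance is unrestricted
    # A critical property the CA does not understand forbids issuance.
    if any((r.flags & 128) and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {issuer_domain(r.value) for r in rrset if r.tag == tag}
    if not allowed:
        return True  # only iodef (or no governing tag): no restriction expressed
    return ca.lower() in allowed


if __name__ == "__main__":
    for ca, name, wild in [
        ("letsencrypt.org", "www.example.com", False),
        ("letsencrypt.org", "example.com", True),
        ("someca.test", "www.example.com", False),
        ("letsencrypt.org", "shop.example.com", False),
        ("anyca.test", "host.example.net", False),
        ("letsencrypt.org", "strict.example.org", False),
    ]:
        label = f"*.{name}" if wild else name
        print(f"{ca:17} -> {label:24} {'ALLOWED' if may_issue(ca, name, wild) else 'DENIED'}")
```

Running it shows the three behaviours worth knowing: a name with no CAA anywhere in its tree (host.example.net) lets any CA issue, a child name without its own records (www.example.com) inherits its parent's policy, and a wildcard request is governed by issuewild when one exists, so a CA listed only under issue is refused the wildcard.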



