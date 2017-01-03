Hacker News new | comments | show | ask | jobs | submit login
Let's Encrypt appears to issue a certificate for a domain that doesn't exist (twitter.com)
Summary:

* Domain apple-id-2.com is not currently registered

* Domain apple-id-2.com has (apparently) never been registered

* LetsEncrypt, on 2017-01-03, issued a valid certificate for apple-id-2.com

Since we can't know how validation was successfully performed, all we can do is speculate. Someone from LetsEncrypt will have to investigate and let us know. Fortunately, they should have very detailed audit logs for exactly this purpose.

Sounds like a bug. Under normal circumstances the acme would not exist and could not be resolved, and therefore no cert should be created.

I wonder if maybe someone had that domain and then deleted it. Dynadot(and probably others) for example lets you delete domains for a partial refund within a certain limited amount of time - which I think is a neat feature.

I know there are historical whois sites, but as far as I know unless someone in the past checked for the domain with their service, they'd have no record of it otherwise. So maybe that would explain how it has a cert for a domain that currently does not exist and appears to never been registered.

That might be possible. A lot of these "domain info" sites receive a daily feed from the registries (i.e. Verisign) that include all domain registrations, renewals, etc., so I would think they'd have it in their database even if that happened.

My guess is they had a localised DNS resolution failure for the domain and some how hit a web server, or something else, that ticked all the boxes and granted the certificate. A long shot, though.

If it's possible to tick all the boxes by acciddent, then the process is utterly broken.

As someone who doesn't know much about the inner workings of the whole TLS stack, why is this surprising? I know in the past I've self-signed certificates for domains that only existed on my LAN. Why couldn't that be the case here? Why shouldn't a central signing authority issue certificates for people's intranets?

The answer is the same as the reason x509 "works" at all. The CAs don't issue invalid certs because if they did, they wouldn't be trusted anymore.

In terms of technical limitations, nothing stops any CA from issuing any cert they want. It's the business consequences that stop them from doing so.

If Let's Encrypt wants to keep themselves on the trusted-root-CA list of Windows, Chrome, MacOS, et. al., they need to keep their noses clean.

I could sign a certificate for 'johndoe.com' without proper verification or I am using it in my local intranet. Let's Encrypt requires external verification to ensure certificates like this one and other miscellaneous certificates are issued.

Domain tasting? Get a cert for it, then it expires?

