
Would this affect certificate-validating clients doing DNS-over-HTTPS to 1.1.1.1 — doesn’t it have an ipAddress certificate and demand HTTPS resolution only?



They use a named certificate, validated against the standard CAs. Unless the hijackers were able to get a certificate with the name 'cloudflare-dns.com.' then the TLS session would fail.

https://developers.cloudflare.com/1.1.1.1/dns-over-tls/


Well, if you control the host behind the IP, you could have any CA issue a challenge, and successfully pass it (e.g. if Let's Encrypt uses the erroneous routes).

So no. The only thing protecting you would be to have the expected hash of the certificate you expect to see (TOFU - Trust On First Use, though you're screwed if you didn't contact 1.1.1.1 before the incident!).


Doesn’t LE use their own resolvers?

EDIT: https://community.letsencrypt.org/t/where-does-letsencrypt-r...


Is there a CAA equivalent for ARIN assignments?



Thank you for pointing this out. This is exactly what I’d hoped might exist someday.


I assume you’re looking for: https://tools.ietf.org/html/bcp38


Nope, that’s not what I’m looking for at all.


RPKI, but it's barely used


This is currently used to sign ROAs. A rogue actor can easily work around that by including the original AS in the AS path of the announcement.


Nope, that does not cover certificate issuance for IP addresses in that range.


For dnscrypt-proxy, definitely not.

In addition to a signature of the parent cert, the DNS stamp for Cloudflare DNS says that validation must be done against dns.cloudflare.com so this would require getting a certificate for cloudflare.com.
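The fields dnscrypt-proxy checks (the pinned digest of a certificate in the chain plus the hostname the TLS name validation is done against) are visible when a DoH stamp is decoded. The following is an added example, not code from this thread or from dnscrypt-proxy: a minimal encoder/decoder for the DoH stamp layout. The 1.1.1.1 address and the cloudflare-dns.com name come from the thread; the pinned digest is a constructed placeholder, not a real Cloudflare value.

```python
import base64
import struct

DOH_PROTO = 0x02  # stamp protocol byte for DNS-over-HTTPS

def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the bytes."""
    return bytes([len(data)]) + data

def _vlp(items) -> bytes:
    """Set of length-prefixed fields; bit 0x80 on a length byte means another item follows."""
    if not items:
        return b"\x00"
    return b"".join(bytes([(0x80 if i < len(items) - 1 else 0) | len(x)]) + x
                    for i, x in enumerate(items))

def encode_doh_stamp(addr, hashes, hostname, path, dnssec=False, no_logs=False, no_filter=False):
    """Build an sdns:// DoH stamp. hashes are SHA-256 digests of a TBSCertificate in the chain."""
    props = int(dnssec) | int(no_logs) << 1 | int(no_filter) << 2
    body = (bytes([DOH_PROTO]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _vlp(hashes) + _lp(hostname.encode()) + _lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

def decode_doh_stamp(stamp):
    """Parse a DoH stamp back into its fields; raises ValueError on a non-DoH stamp."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if body[0] != DOH_PROTO:
        raise ValueError("not a DoH stamp")
    props = struct.unpack_from("<Q", body, 1)[0]
    pos = 9  # 1 protocol byte + 8 property bytes

    def lp():
        nonlocal pos
        n = body[pos]; pos += 1
        val = body[pos:pos + n]; pos += n
        return val

    addr = lp().decode()
    hashes = []
    while True:  # VLP: keep reading while the high bit of the length byte is set
        n = body[pos]; pos += 1
        if n & 0x7F:
            hashes.append(body[pos:pos + (n & 0x7F)]); pos += n & 0x7F
        if not n & 0x80:
            break
    hostname = lp().decode()
    path = lp().decode()
    return {"addr": addr, "hashes": hashes, "hostname": hostname, "path": path,
            "dnssec": bool(props & 1), "no_logs": bool(props & 2), "no_filter": bool(props & 4)}

# Constructed placeholder pin (NOT a real Cloudflare digest); name and IP as discussed in the thread.
EXAMPLE_PIN = bytes(range(32))
EXAMPLE_STAMP = encode_doh_stamp("1.1.1.1", [EXAMPLE_PIN], "cloudflare-dns.com", "/dns-query", dnssec=True)
```

A client that honours the decoded hostname and pin fields rejects a server reached at the IP that cannot present a chain matching both, which is the point made above.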



