
If someone MITMs the connection between the CA and the website itself, then yes. I believe LetsEncrypt uses a variety of proxies around the world to measure the website, so there'd have to be a lot of successful simultaneous MITMs for that to work.

Ultimately you have to bootstrap trust from somewhere. Perhaps in future DNSSEC can be used to solve this problem (though DNSSEC is of course itself just another PKI).
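The first comment's point, that a single on-path interception between the CA and the site is not enough once the CA checks from several vantage points, can be modelled in a few lines. The following is an added example, not code from the thread or from Let's Encrypt; the vantage-point names, the "primary plus a fraction of remote perspectives" acceptance rule and the threshold value are assumptions made for illustration, not the real CA policy.

```python
"""Toy model of multi-perspective domain validation (added example).

Scenario (from the thread): an attacker sits between the CA and the real
website and tries to pass the CA's challenge for a domain it does not own.
Paths the attacker can intercept return the attacker's challenge answer;
clean paths reach the genuine site, which knows nothing of the challenge.

Assumptions (not from the thread): vantage points are named strings, the CA
accepts only if its primary vantage point AND at least `min_remote_fraction`
of the remote vantage points all observe the expected token.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Observation:
    vantage: str
    token: Optional[str]  # None models "site returned no matching challenge"


def multi_perspective_ok(expected: str, observations: Iterable[Observation],
                         primary: str, min_remote_fraction: float = 0.75) -> bool:
    """Return True only if the primary perspective and enough remote
    perspectives saw `expected`. A single intercepted path cannot satisfy this."""
    by_vantage = {o.vantage: o.token for o in observations}
    if by_vantage.get(primary) != expected:
        return False
    remote_tokens = [t for v, t in by_vantage.items() if v != primary]
    if not remote_tokens:
        return False
    agreeing = sum(1 for t in remote_tokens if t == expected)
    return agreeing / len(remote_tokens) >= min_remote_fraction


def observe(vantages: List[str], attacker_token: str,
            intercepted: Set[str]) -> List[Observation]:
    """Constructed observations: intercepted paths see the attacker's answer,
    clean paths see the genuine site, which serves no token for this challenge."""
    return [Observation(v, attacker_token if v in intercepted else None)
            for v in vantages]


VANTAGES = ["primary", "remote-a", "remote-b", "remote-c"]  # constructed names
TOKEN = "challenge-token-for-attacker-request"               # constructed value


def attacker_succeeds(intercepted: Set[str]) -> bool:
    """Would the CA issue for the attacker given the set of paths it controls?"""
    return multi_perspective_ok(TOKEN, observe(VANTAGES, TOKEN, intercepted), "primary")


if __name__ == "__main__":
    for paths in [{"primary"}, {"primary", "remote-a"}, set(VANTAGES)]:
        print(sorted(paths), "->", "issued" if attacker_succeeds(paths) else "rejected")
```

The point the model makes concrete: under this rule the attacker must control the path from the primary vantage point and from most of the remote ones at the same time, which is the "lot of successful simultaneous MITMs" the comment describes. Lowering `min_remote_fraction` weakens that guarantee, so a CA's choice of threshold is a security parameter, not a tuning knob.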



My understanding is that DNSSEC only proves IP. If you're in between the CA and the server, you don't care that the CA has the right IP.


DNSSEC authenticates DNS records. That can be IP addresses, but it could also be public keys or anything else.




