Before clicking the link or seeing the domain, I was expecting either a rehashed (or if I was optimistic: a novel) argument for why what LE does isn’t actually validating domains. Philosophically or technically. For example: they don’t validate you’re going to the domain you intend on visiting. And 500 words on why that makes them useless. (I don’t agree, but that’s what I was expecting)
I worked for a brand that was heavily impacted by phishing sites that used LE certs. It was annoying, but honestly I wasn’t sure what LE could do about it. If you deny creating a cert with Gmail in the domain, people will just use something like gmall instead.
Many phishing attacks could be thwarted if there was a more manual process for certificate issuance, CAs were obligated to KYC and verify/monitor applicants stringently and lost their license for malpractice, etc. The Web would be a safer place, but the cost is higher barriers to entry, and attackers would just focus on stealing the actual certs.
Some would say being able to communicate privately/securely is irrelevant to whether you should trust whoever you’re communicating with, but then someone could argue that in practice the two get conflated all the time and the aura of the channel colours the counterparty.
I notice that there are two most common categories of non-techie users: those for whom being able to visit a website without loud warnings is enough to auto-trust it, and those who by default distrust anything that has to do with anything on the Web (and the latter are unfortunately correct). You can’t expect people to perform sophisticated threat detection at all times and feel good about their life at the same time.
Already fixed.
I'm hoping they add free S/MIME certs one day. The only free ones come with CA generated private keys these days. Yuck.
Why did I have to learn about this today :(
gpg is pretty cool
Would love to read the post-mortem!
One of their certs expired probably. Happens to the best of us!
Exactly. “Unsolvable” is a strong word, but … how wrong is it? Shrug.
Passkeys. The answer is passkeys.