[Cryptography] letsencrypt.org

Viktor Dukhovni cryptography at dukhovni.org
Wed Sep 13 17:11:45 EDT 2017


> On Sep 13, 2017, at 4:55 PM, Perry E. Metzger <perry at piermont.com> wrote:
> 
> Note my security caveat isn't about the certificates being somehow
> less good than other certificates. It is that someone gaining
> temporary control of a server for your domain is in a good position to
> also get a cert for your domain signed. Of course, absent a system
> like Certificate Transparency, or cert pinning, that's the case
> anyway, so perhaps I'm being paranoid.

Let's Encrypt just makes it ever more clear that the WebPKI (a few
EV certificates aside along with the few users who notice the
difference) is and has been a leap of faith by the DV-issuing CA.

Thus certificate issuance is fundamentally vulnerable to MiTM
attacks on the CA by folks in position to launch active attacks
on the network backbone.  You're really only protected from
WiFi and similar attacks at cafes, airports, ... by attackers
who can MiTM the end-user's network connection.

With BGP attacks and the like, a determined adversary will
be able to get a DV certificate for most domains from some
DV-issuing CA.

I tried to suggest at a recent IETF meeting that CAs should
use DNSSEC-validating resolvers when querying CAA records,
to reduce this MiTM risk, but got rather strange pushback
from PHB on behalf of Comodo.  FWIW, Let's Encrypt does in
fact do validated DNS resolution.

Given their reasonably clear and transparent practices, I'd
be pleased if they became the *only* non-EV CA on the market.
The price is right, and the security is about as good as it
gets with DV.  The commercial CAs can then focus on properly
verifying the minority of customers who need EV certs.

-- 
	Viktor.


