Having a CAA record and pointing to a CA like Let's Encrypt that uses domain validation from multiple vantage points on the Internet is a useful idea and raises the bar for an adversary. I should point out that BGP…
Indeed, your comment illustrates the importance of proactively strengthening the domain validation protocol used for issuing digital certificates. Our work with Let's Encrypt demonstrated the feasibility of validating…
Indeed, a number of internet services and applications are vulnerable to BGP hijacking and interception attacks, including TLS/digital certificates, anonymity systems such as Tor, and cryptocurrencies such as Bitcoin.…
For readers interested in understanding the technical details about potential BGP attacks on domain validation, which serve as a motivation for Let's Encrypt's multi-perspective validation deployment, see the following…
Indeed, the self-signed cert idea doesn't work in this context.
If the domain is hosted on a /24, then more specific routes will be filtered out by default in most ASes. Also, with the increasing adoption of RPKI, in conjunction with its maxlength option, more specific attacks will…
Having a CAA record and pointing to a CA like Let's Encrypt that uses domain validation from multiple vantage points on the Internet is a useful idea and raises the bar for an adversary. I should point out that BGP…
Indeed, your comment illustrates the importance of proactively strengthening the domain validation protocol used for issuing digital certificates. Our work with Let's Encrypt demonstrated the feasibility of validating…
Indeed, a number of internet services and applications are vulnerable to BGP hijacking and interception attacks, including TLS/digital certificates, anonymity systems such as Tor, and cryptocurrencies such as Bitcoin.…
For readers interested in understanding the technical details about potential BGP attacks on domain validation, which serve as a motivation for Let's Encrypt's multi-perspective validation deployment, see the following…
Indeed, the self-signed cert idea doesn't work in this context.
If the domain is hosted on a /24, then more specific routes will be filtered out by default in most ASes. Also, with the increasing adoption of RPKI, in conjunction with its maxlength option, more specific attacks will…