by burntrelish1273
3356 days ago
Encryption isn't any good if clients and servers can't nonrepudiate the other party. A web-of-trust overlay, which is non-authoritative, can help against most attacks... It would make more sense for an international, community-supported nonprofit to take the lead on opt-in, high-confidence identity verification of persons and companies (thorough physical and documentation checks). Issuing certs to random people without any checks or barriers at all makes it easy for crooks to obtain certs. Comodo/LE are going to have to do some basic checks or major vendors will simply block them until they do.
Given the push for 100% HTTPS, of course scammers are going to get certificates for their sites if the cost is low enough (still higher cost than using a lock favicon, but hey). While a traditional CA might require human review to issue a cert for paypalscam.example.org, they would probably issue *.example.org, so a scammer would just have to pay a little more for the wildcard.
Since LetsEncrypt participates in certificate transparency, a benefit is that PayPal can watch for all certificates issued with their name in the hostname, and check if they need to start a takedown sooner than if they wait for reports of phishing.
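A minimal version of the brand watch described in that reply, written here as an added example rather than code from either commenter. It assumes SAN hostnames have already been extracted from CT log entries, uses a constructed brand name and owned-domain list, and records the wildcard caveat from the earlier paragraph: a `*.example.org` cert gives the monitor no subdomain to inspect.

```python
"""Brand monitoring over certificate SAN hostnames, as a CT watcher would do."""
from dataclasses import dataclass

BRAND = "paypal"                          # constructed: brand token to watch for
OWNED_DOMAINS = {"paypal.com", "paypal.me"}  # constructed: domains the brand controls

@dataclass
class Finding:
    hostname: str
    verdict: str  # "owned", "suspicious", "wildcard" or "clear"

def normalize(hostname: str) -> str:
    """Lowercase and strip the trailing dot some logs and SANs carry."""
    return hostname.strip().lower().rstrip(".")

def registered_domain(host: str) -> str:
    """Last two labels; adequate for .com/.org style TLDs (assumption: no
    public-suffix list is consulted here)."""
    return ".".join(host.split(".")[-2:])

def classify(hostname: str) -> Finding:
    host = normalize(hostname)
    if registered_domain(host) in OWNED_DOMAINS:
        return Finding(host, "owned")
    if host.startswith("*."):
        # A wildcard cert covers paypalscam.example.org without that name ever
        # reaching a CT log; all the monitor can record is the wildcard itself.
        return Finding(host, "suspicious" if BRAND in host[2:] else "wildcard")
    # Brand token inside any label of a domain the brand does not own;
    # hyphens are dropped so "pay-pal" is treated like "paypal".
    if BRAND in host.replace("-", ""):
        return Finding(host, "suspicious")
    return Finding(host, "clear")

def scan_ct_batch(san_lists):
    """Classify every SAN of every certificate in a batch of log entries."""
    results: dict[str, list[str]] = {}
    for sans in san_lists:
        for name in sans:
            finding = classify(name)
            results.setdefault(finding.verdict, []).append(finding.hostname)
    return results

# Constructed sample: SAN lists as extracted from CT log entries; not real data.
SAMPLE_CERTS = [
    ["paypal.com", "www.paypal.com"],
    ["paypalscam.example.org"],
    ["*.example.org"],
    ["secure-pay-pal-login.example.net"],
    ["shop.example.com"],
]

if __name__ == "__main__":
    for verdict, hosts in scan_ct_batch(SAMPLE_CERTS).items():
        print(f"{verdict:>10}: {', '.join(hosts)}")
```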