by Mojah 2991 days ago
If you don't want this, you can prevent this by setting CAA DNS records on your own domain. How this works is described here: https://ma.ttias.be/caa-checking-becomes-mandatory-ssltls-ce...

You can validate if they've been configured correctly here: https://dnsspy.io/labs/caa-validator

The article is pretty strongly worded for something that isn't all that bad. Yes, they issued a certificate, but you've sort-of given them permission to do so by hosting your content with them. If they own/control the server, they can get their certs validated.

It's a pretty good example of why you'd want something like Certificate Transparency even on HTTP-only domains, to know _when_ someone issues a certificate without you knowing about it. I use the Oh Dear! app for that feature: https://ohdearapp.com/

3 comments

If you recommend your own (especially paid) services, please mention that they are yours.
A completely honest question: what's wrong with recommending a product without mentioning whether we're affiliated with that product?
It's advertising misleadingly pretending to be not-advertising. If you have a potential motive apart from "I genuinely believe this is the best recommendation I can give you" for making a recommendation, you probably should disclose that. Especially in a community like HN, where talking about your own stuff is somewhere between accepted and encouraged, I can't think of good reasons not to do it.
Thanks for this insight! Now I see the difference and where bias could play a role when recommending a product we're affiliated with. In fact, I see this widely used only in the HN community.
> you can prevent this by setting CAA DNS records on your own domain

Well, this is interesting. I already have a CAA DNS record on my root domain, but of course it's also set to 'letsencrypt.org' since that is what I use on my root domain. Although I don't guess it matters since it's on the root and not the subdomain.

Edit: Actually, it looks like a CAA record on the root domain will also limit subdomains. So, although I already had a CAA record set up, it looks like this new GitHub feature will work as expected when it rolls out to my account without any changes, since I was already using Let's Encrypt.

If your DNS host supports it (Route53 does), you can set a wildcard CAA record with no valid issuers that will do what you want.

Bare -> LE delegation
WWW -> explicit LE delegation
* -> no delegations, and will override "bare" since resolution walks up the domain tree.
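Added example, not from this thread or from any linked project: a small Python model of the CAA lookup in RFC 8659 over a constructed zone (example.com stands in for the commenter's domains), showing why a record on the bare domain covers subdomains and how a wildcard "issue ;" record blocks issuance for names that have no CAA record of their own. Wildcard handling is simplified: a name with no CAA entry in the zone is matched against its parent's "*" entry.

```python
# Constructed zone: name -> list of (flags, tag, value) CAA records.
# Models the layout from the comment above: bare and www delegate to
# Let's Encrypt, "*" carries an empty issuer (";") so no CA may issue
# for any other subdomain.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "www.example.com": [(0, "issue", "letsencrypt.org")],
    "*.example.com": [(0, "issue", ";")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name, zone):
    """Return the CAA RRset that applies to `name` (RFC 8659 section 3).

    Walk from `name` up towards the root and return the first non-empty
    RRset found. A label with no entry of its own falls back to the
    parent's "*" entry, a simplified stand-in for DNS wildcard synthesis.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
        parent = ".".join(labels[i + 1:])
        if parent and ("*." + parent) in zone:
            return zone["*." + parent]
    return []  # no CAA anywhere in the tree


def may_issue(name, ca_domain, zone=ZONE, wildcard_cert=False):
    """True if `ca_domain` is authorized to issue a certificate for `name`."""
    rrset = lookup_caa(name, zone)
    if not rrset:
        return True  # no CAA records: any CA may issue
    # A critical (flag bit 128) record with an unknown tag forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard_cert else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if wildcard_cert and not relevant:  # issuewild falls back to issue
        relevant = [v for _, t, v in rrset if t == "issue"]
    if not relevant:
        return True  # only iodef etc. present: no issuance restriction
    # Value is "<issuer-domain>[; param=value ...]"; ";" alone means nobody.
    issuers = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in issuers
```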

I mention CAA DNS records in the end of the post, but unfortunately the last time I checked my registrar did not offer the possibility of creating these records... :(

Oh Dear! looks really interesting (though I won't pay for monitoring my personal blog).

I am not sure I fully understand your HTTP-only remark, since how the communication is made (HTTP-only, HTTPS, IMAP, etc.) is not related to how the certificate is generated (which implies CT).

CertSpotter is a free service and open source project for monitoring CT logs: https://sslmate.com/certspotter/

(I'm not affiliated)