by 0xb100db1ade 2785 days ago
> An attacker could pretty easily obtain a valid Let's Encrypt certificate using a BGP hijack.

Whoah, I have never realized this.

Is there some way to include some key in the DNS entry or something to mitigate IP hijacking?

Does HSTS protect against this?


Let's Encrypt is already taking steps to mitigate this. BGP hijacking is a noisy event - it should be possible to see that routes have changed recently and deny issuance. They can also perform challenges from multiple geos / networks, so that if there's a disagreement among routes, the challenge fails.

More info: https://secure-certificates.princeton.edu/
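The two mitigations the reply describes, refusing issuance when the route to the target changed recently and running the challenge from several networks so that disagreement fails validation, can be modelled as a small decision function. The code below is an added illustration, not Let's Encrypt's own validation code; the vantage point names, origin ASNs, route ages and tokens are constructed sample data, and the thresholds (`min_route_age_s`, `min_reachable`) are assumptions chosen for the example.

```python
"""Toy multi-perspective domain validation (added example, not the CA's code).

A CA hands the domain owner a challenge token, then fetches it from several
vantage points in different networks.  Issuance is refused when:
  * fewer than `min_reachable` vantage points could fetch the token,
  * the vantage points saw different origin ASNs for the target prefix
    (a route disagreement, the signature of a partial hijack),
  * any vantage point saw the wrong token,
  * any vantage point used a route that changed more recently than
    `min_route_age_s` seconds ago.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Observation:
    vantage: str            # network the probe ran from (constructed name)
    token: Optional[str]    # token fetched from the target, None if unreachable
    origin_asn: int         # AS originating the route the probe used
    route_age_s: int        # seconds since that route last changed


def decide_issuance(expected_token: str, observations: List[Observation],
                    min_route_age_s: int = 3600, min_reachable: int = 3) -> Dict:
    """Return {'issue': bool, 'reasons': [...]} for one validation attempt."""
    reasons: List[str] = []
    reachable = [o for o in observations if o.token is not None]

    if len(reachable) < min_reachable:
        reasons.append(f"only {len(reachable)} of {len(observations)} "
                       f"vantage points reached the host")

    origins = {o.origin_asn for o in reachable}
    if len(origins) > 1:
        reasons.append(f"route disagreement: origin ASNs {sorted(origins)}")

    for o in reachable:
        if o.token != expected_token:
            reasons.append(f"{o.vantage}: wrong token")
        if o.route_age_s < min_route_age_s:
            reasons.append(f"{o.vantage}: route changed {o.route_age_s}s ago")

    return {"issue": not reasons, "reasons": reasons}


TOKEN = "tok-3f9a"  # constructed challenge token


def clean_scenario() -> Dict:
    """Every vantage point agrees and routes are stable: issuance allowed."""
    obs = [Observation("us-east", TOKEN, 64500, 86400),
           Observation("eu-west", TOKEN, 64500, 86400),
           Observation("ap-south", TOKEN, 64500, 86400)]
    return decide_issuance(TOKEN, obs)


def partial_hijack_scenario() -> Dict:
    """One region's route was just replaced by a different origin that serves
    a different token: disagreement plus a young route, issuance refused."""
    obs = [Observation("us-east", TOKEN, 64500, 86400),
           Observation("eu-west", "tok-bogus", 64511, 120),
           Observation("ap-south", TOKEN, 64500, 86400)]
    return decide_issuance(TOKEN, obs)


def unreachable_scenario() -> Dict:
    """Probes that cannot fetch the token count against the quorum."""
    obs = [Observation("us-east", TOKEN, 64500, 86400),
           Observation("eu-west", None, 64500, 86400),
           Observation("ap-south", None, 64500, 86400)]
    return decide_issuance(TOKEN, obs)


if __name__ == "__main__":
    for name, fn in [("clean", clean_scenario),
                     ("partial hijack", partial_hijack_scenario),
                     ("unreachable", unreachable_scenario)]:
        print(name, fn())
```

Note that the route-age check alone would not catch a hijack that was set up long before the certificate request, and the disagreement check alone would not catch a hijack that every vantage point sees; the reply's two measures complement each other, which is why the function applies both.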