|
|
|
|
|
|
by throw0101d
594 days ago
|
|
|
> […] but they can't tamper/read it, or is there something I'm missing? You could redirect traffic temporarily to get a Let's Encrypt (ACME) certificate issued and then use it to pretend to be some important site. Redirect attacks have been done in the past: > Among all the scams and thievery in the bitcoin economy, one recent hack sets a new bar for brazenness: Stealing an entire chunk of raw internet traffic from more than a dozen internet service providers, then shaking it down for as many bitcoins as possible. * https://archive.is/http://www.wired.com/2014/08/isp-bitcoin-... This type of attack is why LE does "Multi-Perspective Validation": > A potential issue with this process is that if a network attacker can hijack or redirect network traffic along the validation path (for the challenge request, or associated DNS queries), then the attacker can trick a CA into incorrectly issuing a certificate. This is precisely what a research team from Princeton demonstrated can be done with an attack on BGP. Such attacks are rare today, but we are concerned that these attacks will become more numerous in the future. * https://letsencrypt.org/2020/02/19/multi-perspective-validat... |
|
|