by basilikum 1 day ago
> the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.

Setting the issuance method to something actually secure – unlike http-01 – with CAA or even just pinning your LE account does prevent this. It's just that almost no one does that.

The whole model of certificate issuance relying on http challenges is pretty bafflingly insecure. We do it this way for adoption; http challenges are easy. Flawed https protecting against most attacks is better than plain http. But still. The whole PKI system is a crude, crippled, historically grown mess.
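The mitigation the comment points at (a CAA record that pins issuance to one ACME account and to dns-01 only) can be checked mechanically. The following is an added example, not code from the thread: it parses CAA records in presentation format and evaluates them the way RFC 8659 (CAA) and RFC 8657 (the `accounturi` and `validationmethods` parameters) describe. The zone and the account URI are constructed; `ACCOUNT_ID_PLACEHOLDER` stands in for a real Let's Encrypt account ID.

```python
# Added example (not from the HN thread): evaluate a CAA policy that pins an
# ACME account and restricts validation methods, per RFC 8659 and RFC 8657.
# The zone below is constructed; the account ID in the URI is a placeholder.
from dataclasses import dataclass, field
from typing import Optional

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 3)

# Hypothetical account URL; replace ACCOUNT_ID_PLACEHOLDER with your own ACME account ID.
LE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/ACCOUNT_ID_PLACEHOLDER"

# Constructed CAA RRset for example.net (presentation format, one record per line):
# only Let's Encrypt, only from this account, only via dns-01, and no wildcards at all.
SAMPLE_ZONE = [
    f'0 issue "letsencrypt.org; accounturi={LE_ACCOUNT}; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.net"',
]


@dataclass
class CAARecord:
    flags: int
    tag: str
    issuer: Optional[str]                 # None means the value was ";" (nobody may issue)
    params: dict = field(default_factory=dict)


def parse_caa(line: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' into its issuer domain and key=value parameters."""
    flags_s, tag, value = line.split(None, 2)
    parts = [p.strip() for p in value.strip().strip('"').split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return CAARecord(int(flags_s), tag.lower(), parts[0].lower() or None, params)


def issuance_allowed(records, issuer_domain, account_uri=None, method=None, wildcard=False) -> bool:
    """Would a CA honouring CAA issue for this name to this issuer, account and method?"""
    # An unrecognised property marked critical forbids issuance outright (RFC 8659 section 3).
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild governs wildcard requests; if there is none, issue records apply to both.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild property at all: issuance is unrestricted
    for r in relevant:
        if r.issuer != issuer_domain.lower():
            continue  # also covers the ";" record, whose issuer is None
        pinned = r.params.get("accounturi")
        if pinned and pinned != account_uri:
            continue  # right CA, wrong ACME account
        methods = r.params.get("validationmethods")
        if methods:
            allowed = {m.strip().lower() for m in methods.split(",")}
            if method is None or method.lower() not in allowed:
                continue  # e.g. http-01 when only dns-01 is permitted
        return True
    return False


if __name__ == "__main__":
    recs = [parse_caa(line) for line in SAMPLE_ZONE]
    for method in ("dns-01", "http-01"):
        print(method, "via pinned account:", issuance_allowed(recs, "letsencrypt.org", LE_ACCOUNT, method))
    print("other LE account, dns-01:",
          issuance_allowed(recs, "letsencrypt.org", LE_ACCOUNT.replace("ACCOUNT_ID_PLACEHOLDER", "OTHER"), "dns-01"))
```

With this policy an on-path attacker who controls the server's network still cannot pass a CA's check: http-01 is refused by `validationmethods`, and even a dns-01 request from a different Let's Encrypt account is refused by `accounturi`. The check is only as strong as the CA's CAA processing and your DNS (DNSSEC helps here), so treat it as a policy verified at the CA, not a cryptographic guarantee.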