Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
xxmarkuski 15 hours ago

I have heard, but do not aggree, that Let‘s Encrypt is risky, because phishing sites use it. It’s implied that other CAs do checks against it.

selcuka 9 hours ago | parent | next [-]

An SSL provider once refused to sell me a certificate because the domain name had the word "Windows" in it.

anonymars 15 hours ago | parent | prev [-]

I will say, I have never before this season seen so many seemingly-legit fake web stores. All with their little lock icons in the address bar. I assume LLMs helped kick it into overdrive too

array_key_first 12 hours ago | parent [-]

Conflating transport-layer encryption with authenticity is the problem. The former should always be standard, the latter is unrelated and IMO needs a different mechanism.

kbolino 10 hours ago | parent [-]

Absent widespread adoption of DNSSEC, which has just not happened at all, I don't see any alternative.

The authentication must be done before the encryption parameters are negotiated, in order to protect against man-in-the-middle attacks. There must be some continuity between the two as well, since the authenticated party (both parties can be authenticated, but only one has to be) must digitally sign its parameters.

Any competing authentication scheme would therefore have to operate at a lower layer with even more fundamental infrastructure, and the only thing we've really got that fits the bill is DNS.

EDIT: A standard exists for this already, it's called DANE, though it has very little support: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

anonymars 8 hours ago | parent [-]

This applies to grandparent too (for the record I largely agree with them) but the issue isn't just "authenticity" but "identification" -- there's no real attestation about who is in on the other end of the site. This identity was once at least somewhat part of the certificate itself.

kbolino 8 hours ago | parent [-]

Yes, it is fair to say that domain names are not the sum total of identity. However, the EV certificate experience showed that, at least in terms of WebPKI and the open Internet, there really isn't anything better than domains yet.

We have clear and seemingly easy go-to examples like proving that yes, this is THE Microsoft, and not a shady fly-by-night spoof in a non-extradition territory, but apart from the headline companies--who as of late seem to like changing their names anyway--this actually isn't easy at all.

Walled gardens like app stores have different trade-offs, admittedly.