
489 points gslin | 4 comments
wannacboatmovie No.42191675
Nothing makes me trust a site with my payment info more than seeing a LE or domain-validated certificate with no ownership details in the DN.
1. aaomidi No.42191704
The rate of misissuance of EV and OV is much higher than DV.
2. wannacboatmovie No.42191748
Source? I'm not questioning it; I'd like to know more. DV always seemed vulnerable to DNS tampering.
3. ta1243 No.42191943
And EV is vulnerable to a fancy-looking fax (remember them?)

Do you really check your site has an EV every single time? Especially now browsers treat them the same?

If not, how do you know someone hasn't got a DV certificate for this specific visit?

Scott Helme has a thorough takedown of them, and that was 7 years ago when they were still a thing.

https://scotthelme.co.uk/are-ev-certificates-worth-the-paper...

4. aaomidi No.42200064
I’m active in the WebPKI community (you might want to check out my Substack: https://webpki.substack.com/)

EV and OV, when they include DNS names, still require domain control validation anyway.

EV certs are generally manually verified. This means there’s a human factor in the middle of this process. DV certs can, and should, be fully automated.

Multi perspective validation is about to be required too: https://cabforum.org/2024/11/07/ballot-smc010-introduction-o...
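The multi-perspective validation mentioned in this comment addresses the DNS-tampering concern raised earlier in the thread. The following is an added illustration, not code from any commenter or from the CA/B Forum: it simulates a CA checking a DNS-based domain control challenge from several network vantage points and only accepting it on a quorum. The perspective labels, challenge token and the thresholds `min_perspectives` / `max_disagreeing` are constructed assumptions, not the ballot's actual parameters.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    """What one network perspective saw when resolving the challenge record."""
    perspective: str              # constructed label, e.g. "primary", "remote-eu"
    txt_records: Tuple[str, ...]  # TXT values returned for _acme-challenge.<domain>
    error: Optional[str] = None   # DNS failure (SERVFAIL, timeout, ...) if any

def perspective_agrees(obs: Observation, expected_token: str) -> bool:
    """A perspective agrees only if it resolved cleanly and saw the token."""
    return obs.error is None and expected_token in obs.txt_records

def mpic_validate(observations: Iterable[Observation], expected_token: str,
                  min_perspectives: int = 3, max_disagreeing: int = 1) -> Tuple[bool, str]:
    """Quorum rule with hypothetical thresholds: require at least min_perspectives
    observations and allow at most max_disagreeing of them to miss the token.
    The CA's own ("primary") perspective carries no special weight, so a poisoned
    resolver or hijacked route near the CA cannot satisfy the challenge alone."""
    obs = list(observations)
    if len(obs) < min_perspectives:
        return False, f"only {len(obs)} perspectives, need {min_perspectives}"
    disagreeing = [o.perspective for o in obs if not perspective_agrees(o, expected_token)]
    if len(disagreeing) > max_disagreeing:
        return False, "quorum not reached; disagreeing: " + ", ".join(disagreeing)
    return True, f"{len(obs) - len(disagreeing)}/{len(obs)} perspectives saw the token"

TOKEN = "constructed-challenge-token"  # constructed sample value

# Constructed scenario 1: the domain owner published the record and one remote
# vantage point hit a transient DNS error. Expected outcome: validation passes.
OWNER_PUBLISHED = [
    Observation("primary", (TOKEN,)),
    Observation("remote-eu", (TOKEN,)),
    Observation("remote-us", (), error="timeout"),
    Observation("remote-ap", (TOKEN,)),
]

# Constructed scenario 2: only the path from the CA's primary resolver has been
# tampered with; every remote perspective sees the real, unmodified zone.
# Expected outcome: validation fails, which single-perspective DV would not catch.
LOCALISED_TAMPERING = [
    Observation("primary", (TOKEN,)),
    Observation("remote-eu", ("v=spf1 -all",)),
    Observation("remote-us", ("v=spf1 -all",)),
    Observation("remote-ap", ("v=spf1 -all",)),
]

if __name__ == "__main__":
    for name, obs in (("owner published", OWNER_PUBLISHED), ("localised tampering", LOCALISED_TAMPERING)):
        print(name, mpic_validate(obs, TOKEN))
```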