
197 points SGran | 2 comments
everfrustrated ◴[] No.42730174[source]
It feels like there's something of an attack vector here with cloud providers who lease IPs for hours at a time.

1. Lease IP

2. Obtain cert (verify can receive traffic to IP on port 80)

3. Give IP back

4. Cloud provider gives IP to another customer

5. BGP attack IP within 6 days.

While I support the idea of IP certs I do wonder how thought through this is and what the future consequences for security are.

I agree with another commenter here who said this should be limited to IPs behind RPKI.

Possibly also needs a mechanism for IP owners to clamp the cert time to be below their IP re-lease policy. As an example, a provider like AWS could require max certs of (say) 6 hours and ensure any returned IPs stay unleased for 6 hours before reissuing them.

replies(3): >>42730236 #>>42730451 #>>42731021 #
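An added example, not part of the thread or any participant's code: the audit a provider could run for the re-lease gap described in the comment above. It finds windows where a certificate issued to a previous tenant is still valid while the IP is leased to someone else, and computes the hold time that would close the gap. The lease and certificate records are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): lease history for one IP
# and the validity window of a 6-day cert issued to the first tenant.
T0 = datetime(2025, 1, 1)
IP = "203.0.113.10"
LEASES = [  # (ip, tenant, lease_start, lease_end)
    (IP, "tenant-a", T0, T0 + timedelta(hours=3)),
    (IP, "tenant-b", T0 + timedelta(hours=4), T0 + timedelta(days=30)),
]
CERTS = [  # (ip, issued_to, not_before, not_after)
    (IP, "tenant-a", T0 + timedelta(hours=1), T0 + timedelta(days=6, hours=1)),
]

def stale_cert_exposure(leases, certs):
    """Windows in which a cert issued to one tenant is still valid
    while the same IP is leased to a different tenant."""
    findings = []
    for ip, holder, not_before, not_after in certs:
        for lease_ip, tenant, start, end in leases:
            if lease_ip != ip or tenant == holder:
                continue
            lo, hi = max(not_before, start), min(not_after, end)
            if lo < hi:  # validity window overlaps another tenant's lease
                findings.append((ip, holder, tenant, lo, hi))
    return findings

def required_quarantine(leases, certs):
    """Per IP, how long a returned address must stay unleased so that every
    cert obtained during a lease expires before the next lease starts."""
    need = {}
    for ip, holder, not_before, not_after in certs:
        for lease_ip, tenant, start, end in leases:
            if lease_ip == ip and tenant == holder and start <= not_before <= end:
                gap = max(not_after - end, timedelta(0))
                need[ip] = max(need.get(ip, timedelta(0)), gap)
    return need

if __name__ == "__main__":
    for ip, holder, tenant, lo, hi in stale_cert_exposure(LEASES, CERTS):
        print(f"{ip}: cert of {holder} valid during lease of {tenant} for {hi - lo}")
    for ip, hold in required_quarantine(LEASES, CERTS).items():
        print(f"{ip}: hold for at least {hold} after release")
```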
1. Retr0id ◴[] No.42730236[source]
You can do the same BGP attacks with regular domain certs, though. If you hijack the IP that a domain resolves to, you can answer HTTP-01 challenges.
replies(1): >>42730273 #
2. ◴[] No.42730273[source]