
197 points SGran | 1 comments
everfrustrated ◴[] No.42730174[source]
It feels like there's something of an attack vector here with cloud providers who lease IPs for hours at a time.

1. Lease IP

2. Obtain cert (verify can receive traffic to IP on port 80)

3. Give IP back

4. Cloud provider gives IP to another customer

5. BGP attack IP within 6 days.

While I support the idea of IP certs I do wonder how thought through this is and what the future consequences for security are.

I agree with another commenter here who said this should be limited to IPs behind RPKI.

Possibly also needs a mechanism for IP owners to clamp the cert time to be below their IP re-lease policy. As an example, a provider like AWS could require max certs of (say) 6 hours and ensure any returned IPs stay unleased for 6 hours before reissuing them.

1. phasmantistes ◴[] No.42731021[source]
This is exactly why the LE IP certs will be limited to 6 days: this exact attack is possible today against any IP address cert, and such certs in general are allowed to have lifetimes up to 398 days. LE isn't comfortable with that situation, so IP certs will have the shortest feasible lifetimes.
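
The lifetime-versus-re-lease trade-off discussed in this thread, as an added example (not code from either commenter or from Let's Encrypt): for a constructed lease history it measures how long a certificate issued to a former tenant stays valid while the address is leased to someone else, and the hold period a provider would need before re-leasing. The IP address, tenant names, timestamps and function names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed lease history for one address (documentation range).
# Fields: (ip, tenant, lease_start, lease_end)
LEASES = [
    ("203.0.113.10", "tenant-a", datetime(2025, 1, 1, 0), datetime(2025, 1, 1, 4)),
    ("203.0.113.10", "tenant-b", datetime(2025, 1, 1, 10), datetime(2025, 3, 1, 0)),
]

def make_cert(lifetime):
    """Constructed cert record: issued to tenant-a one hour into its lease."""
    return ("203.0.113.10", "tenant-a", datetime(2025, 1, 1, 1), lifetime)

def exposure(cert, leases):
    """Total time the cert is valid while the IP is leased to a different tenant."""
    ip, owner, not_before, lifetime = cert
    not_after = not_before + lifetime
    total = timedelta(0)
    for l_ip, tenant, start, end in leases:
        if l_ip != ip or tenant == owner:
            continue
        overlap = min(not_after, end) - max(not_before, start)
        if overlap > timedelta(0):
            total += overlap
    return total

def required_hold(cert, leases):
    """Hold period after the requester's last release that outlasts the cert."""
    ip, owner, not_before, lifetime = cert
    released = max(end for l_ip, t, _, end in leases if l_ip == ip and t == owner)
    return max(not_before + lifetime - released, timedelta(0))

if __name__ == "__main__":
    # 398 days and 6 days come from the thread; 6 hours is the clamp
    # suggested in the first comment.
    for lifetime in (timedelta(days=398), timedelta(days=6), timedelta(hours=6)):
        cert = make_cert(lifetime)
        print(f"lifetime={lifetime}: exposure={exposure(cert, LEASES)}, "
              f"hold needed={required_hold(cert, LEASES)}")
```

In the sample data the address is re-leased 6 hours after release, so only the 6-hour certificate expires before the next tenant takes over.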