197 points, SGran | 1 comment

likeabatterycar No.42729159
> Our six-day certificates will not include OCSP or CRL URLs.

If someone else did this, Mozilla would be threatening to remove them from their trusted roots.

IP address certs sound like a security nightmare that could be subverted by BGP hijacking. Which is why most CAs don't issue them. Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

replies(3): >>42729196 #>>42729493 #>>42730032 #
crote No.42730032
> IP address certs sound like a security nightmare that could be subverted by BGP hijacking.

The attack scenario is exactly the same as hostname certificates, which are often validated by HTTP or TLS ACME challenges.

> Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

Yes. You'd essentially have to MitM all traffic towards the IP for it to work, and with more and more networks rolling out BGP origin validation a global BGP hijack becomes harder and harder to pull off.

You'd still be in trouble if you expect your own ISP to be hostile, of course. Don't single-home with an ISP you don't trust, or stick with domain name certs and force DNS challenges.

replies(1): >>42731301 #
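The quorum argument above (a hijack has to divert traffic from every vantage point the CA validates from, not just one) can be made concrete with a small simulation. This is an added example, not code from the thread or from any CA; the five vantage-point names, the quorum of four, and the two tokens are constructed assumptions, and the real multi-perspective policy of a given CA may differ.

```python
"""Simulation of multi-perspective ACME challenge validation.

Each vantage point fetches /.well-known/acme-challenge/<token> for the
target IP. A BGP hijack diverts some (or all) vantage points to the
hijacker's host instead of the origin. The simulated CA issues only when
at least QUORUM vantage points observe the expected token.

Assumptions (constructed for this example, not a real CA's policy):
five vantage points, QUORUM = 4, i.e. at most one may disagree."""
from typing import Dict, List, Optional, Tuple

VANTAGES: List[str] = ["us-east", "us-west", "eu-central", "ap-south", "sa-east"]
QUORUM = 4  # assumed policy: at most one vantage point may disagree


def fetch_challenge(vantage: str, diverted: Dict[str, str],
                    served: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the token this vantage point sees at the challenge path.

    `diverted` maps a vantage point to the host a hijack sends it to
    ("hijacker"); unlisted vantage points reach "origin".
    `served` maps a host to the token it answers with (None = 404)."""
    host = diverted.get(vantage, "origin")
    return served.get(host)


def validate(expected: str, diverted: Dict[str, str],
             served: Dict[str, Optional[str]],
             vantages: List[str] = VANTAGES,
             quorum: int = QUORUM) -> Tuple[bool, int]:
    """Run the challenge from every vantage point; issue only on quorum.

    Returns (issued, number_of_agreeing_vantage_points)."""
    agreeing = sum(1 for v in vantages
                   if fetch_challenge(v, diverted, served) == expected)
    return agreeing >= quorum, agreeing


# Constructed tokens for the two orders: the legitimate operator's and
# a hypothetical attacker's order for the same IP.
LEGIT_TOKEN = "legit-token.thumbprint"
ATTACKER_TOKEN = "attacker-token.thumbprint"


def scenario_no_hijack() -> Tuple[bool, int]:
    """Normal case: the origin serves the legitimate order's token."""
    served = {"origin": LEGIT_TOKEN}
    return validate(LEGIT_TOKEN, {}, served)


def scenario_local_hijack() -> Tuple[bool, int]:
    """Localized hijack: only the us-east path is diverted to the hijacker.
    The origin does not know the attacker's token, so it answers 404."""
    diverted = {"us-east": "hijacker"}
    served = {"origin": None, "hijacker": ATTACKER_TOKEN}
    return validate(ATTACKER_TOKEN, diverted, served)


def scenario_global_hijack() -> Tuple[bool, int]:
    """Global hijack: every vantage point is diverted. This is the case the
    thread describes as the remaining weakness (all traffic MitM'd)."""
    diverted = {v: "hijacker" for v in VANTAGES}
    served = {"origin": None, "hijacker": ATTACKER_TOKEN}
    return validate(ATTACKER_TOKEN, diverted, served)


if __name__ == "__main__":
    for name, fn in [("no hijack", scenario_no_hijack),
                     ("local hijack", scenario_local_hijack),
                     ("global hijack", scenario_global_hijack)]:
        issued, n = fn()
        verdict = "ISSUED" if issued else "REFUSED"
        print(f"{name:>14}: {verdict} ({n}/{len(VANTAGES)} vantage points agree)")
```

Running it shows the localized hijack refused with only one agreeing vantage point, while the global hijack still passes; that is exactly why the comment's advice to avoid single-homing with an untrusted ISP, or to fall back to DNS challenges, still applies.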
hedora No.42731301
Given this weakness in ACME, I don't understand why cloud providers don't provide transparent 443 proxying by default. I guess it's security theater.