←back to thread

Certification Authority/Browser Forum adopts new security standards

(security.googleblog.com)
62 points terminalbraid | 4 comments | 31 Mar 25 09:56 UTC | HN request time: 0s | source
Show context
tptacek ◴[02 Apr 25 18:07 UTC] No.43559516[source]
Notably, I think LetsEncrypt has been MPIC for some time now.
replies(1): >>43560919 #
1. schoen ◴[02 Apr 25 20:04 UTC] No.43560919[source]
Yep, they started in 2020: https://letsencrypt.org/2020/02/19/multi-perspective-validat...

This has been challenging for some subscribers who are unaccustomed to receiving any legitimate site traffic from foreign countries.

https://community.letsencrypt.org/t/multi-perspective-valida...

Now that it's a requirement for the whole web PKI, it will be interesting to see the pressure against blanket geoblocking increase. (Or maybe more web hosts will make it easier to use DNS challenge methods to get certificates.)

replies(1): >>43562887 #
2. ocdtrekkie ◴[02 Apr 25 23:14 UTC] No.43562887[source]
Geoblocking is one of the most drastically effective ways someone can reduce their attack surface. I'd give up encrypting traffic entirely before I'd give up geoblocking.
replies(1): >>43563283 #
3. tptacek ◴[03 Apr 25 00:04 UTC] No.43563283[source]
You don't have to give up geoblocking, right? You only need enough "unblocked" surface to resolve domain ownership challenges.
replies(1): >>43563444 #
4. ocdtrekkie ◴[03 Apr 25 00:34 UTC] No.43563444{3}[source]
Sure, and I think generally speaking this is also not a hard problem: A CA can advertise the networks it expects to be able to validate your control from, and you can also choose to selectively allow access for domain validation purposes to those networks. The modern firewall is quite discriminatory.

I just find a constant frustration that geoblocking is often discussed as "bad" when... if you aren't running a global service, is an incredibly powerful tool. Even among global services, the hesitation to intelligently use risk-based authentication strategies remains deeply frustrating... there's no reason an account which has never been accessed outside the United States should be permitted to suddenly log in from Nigeria. Credit card companies figured this stuff out decades ago.