Getting ready to issue IP address certificates
(community.letsencrypt.org)
314 points | Bogdanp | 2 comments | 25 Jun 25 16:21 UTC

msgodel [25 Jun 25 19:15 UTC] No. 44380911 >>44379034 (OP)
This is incredibly dumb. The three way handshake and initial key exchange is your certificate.
replies(2): >>44381814 >>44382226

Dylan16807 [25 Jun 25 22:05 UTC] No. 44382226 >>44380911
And this protects you from a hostile network how?
replies(1): >>44382560

msgodel [25 Jun 25 22:56 UTC] No. 44382560 >>44382226
How does the certificate? If you already have to do the TLS handshake it doesn't change anything.
replies(1): >>44383605

Dylan16807 [26 Jun 25 02:06 UTC] No. 44383605 >>44382560
A verified certificate lets you know you didn't handshake with an attacker in the middle.
replies(1): >>44387620

msgodel [26 Jun 25 14:11 UTC] No. 44387620 >>44383605 (TP)
Let me rephrase that: How is the CA supposed to know they didn't handshake with an attacker? All they have is the IP, there's no identity to check like with DNS.