[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
|
|
Subscribe / Log in / New account

Use a keypair, but skip the web of trust

Use a keypair, but skip the web of trust

Posted Oct 22, 2024 20:10 UTC (Tue) by DimeCadmium (subscriber, #157243)
In reply to: Use a keypair, but skip the web of trust by LtWorf
Parent article: Python PGP proposal poses packaging puzzles

> Also the check is done via HTTP, so if you can do a MITM between the domain and letsencrypt itself you can get them to sign something else :)

Sure... if you can get a MITM between the domain and *every single one of LetsEncrypt's perspectives* https://letsencrypt.org/2020/02/19/multi-perspective-vali...

to post comments

Use a keypair, but skip the web of trust

Posted Oct 23, 2024 6:19 UTC (Wed) by pabs (subscriber, #43278) [Link] (1 responses)

That was already done by Hetzner to one of their customers:

https://notes.valdikss.org.ru/jabber.ru-mitm/

For a global active adversary it is probably trivial to attack you even if you had a diverse set of hosting providers.

Use a keypair, but skip the web of trust

Posted Oct 29, 2024 9:13 UTC (Tue) by taladar (subscriber, #68407) [Link]

Just because it is trivial for the hosting provider who owns and routes your literal IP address that doesn't mean that it is trivial to do for anyone else.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds