On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote:
> Route hijacking your way to what would appear as a proper domain validation > is practical for even a modestly resourceful adversary. I suspect that the > only reason more spectacular demonstration of certs issuing pursuant to such > hijacks haven't arisen owes to ethical considerations, poor overlap of those > with the network interconnection experience and the CA DV practices > knowledge, and that doing it effectively means doing it in a well documented > way -- ringing a bell you can not unring. So when I wrote the above, I had not yet seen this (just published): https://twitter.com/matthew_d_green/status/941460537724080128 I have lots of ideas on how to help make DV more resilient against this, though they have various costs of complexity, infrastructure, and time. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
