On Sun, Jan 03, 2021 at 11:16:00AM +0000, Stuart Henderson wrote:
> What are you thinking would be stolen? The certificates themselves
> are public knowledge anyway - they are sent in full whenever someone
> connects to your TLS-based service and are available from Certificate
> Transparency log servers (https://crt.sh etc) - but they are useless
> without the private key.

That's exactly what concerns me. I rent servers. Physical access always
breaks security if someone really wants to. If it wasn't so insane in
the Big Tech companies right now, I would only place my paranoia with
some bad guy in the server room.
But I have two sites that just have copies of the US and Texas
Declarations of Independence, The US Constitution, Hammurabi's legal
code and just stuff like that. Nothing with any opinions.
I also walk past small shops permanently out of business every day, so I
find it tough not to be a little paranoid.

I do keep all my sites with DNSSEC. Except this one. As I tried to move
it, I found all kinds of restrictions on sites with endings like .us.
IMO, really stupid, but oh well. Going to try to move it again next
couple of days. I really don't maintain bennettconstruction.us, it's
just sentimental value for me and what was.

Chris


> 
> > Especially since DNS servers can take up to 48 hours to propagate changes
> > So getting rid of www.domain.xxx might not show up quickly enough.
> > And if I change IP addresses and they don't get propagated soon enough,
> > wouldn't someone be able to briefly spoof my site?
> 
> Let's Encrypt (and I think probably all CAs) do uncached lookups from the
> authoritative servers for the domain, following the chain from the root
> servers; the usual problem with DNS servers returning outdated records
> is with bad recursive servers.
> 
> If you have problems getting the authoritative servers to give out current
> information then that needs fixing, and it isn't really a problem specific
> to CA validation.
> 
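
The point in the quoted reply, that a CA resolves the name by walking from the root servers down to the domain's authoritative servers and never consults a recursive resolver's cache, is illustrated below with a toy iterative resolver. This is an added example, not code from this thread or from Let's Encrypt; the delegation tree, server names, addresses and the "stale cache" entry are all constructed, glue resolution is skipped (a referred-to nameserver name is used directly as a lookup key), and nothing touches the network.

```python
"""Toy root-down (iterative) resolver beside a stale recursive cache.

Added example, not from the mailing-list thread. All zone data, server
names and addresses are constructed; nothing here queries the network.
"""

# Constructed delegation tree. Each "server" is authoritative for one zone
# and holds that zone's RRsets. An NS RRset for a name *below* the zone apex
# is a delegation: the server answers queries under it with a referral.
# Glue is assumed: a referred-to nameserver name is used directly as the key
# into SERVERS instead of being resolved in turn.
SERVERS = {
    "a.root-servers.example": {
        "zone": ".",
        "rrsets": {"us.": {"NS": ["a.gtld.example"]}},
    },
    "a.gtld.example": {
        "zone": "us.",
        "rrsets": {"bennettconstruction.us.": {"NS": ["ns1.example.net"]}},
    },
    "ns1.example.net": {
        "zone": "bennettconstruction.us.",
        "rrsets": {
            "www.bennettconstruction.us.": {"A": ["203.0.113.20"]},  # current address
            "_acme-challenge.bennettconstruction.us.": {"TXT": ["fresh-token"]},
        },
    },
}
ROOT_HINTS = ["a.root-servers.example"]

# A recursive resolver still serving the record from before a move (TTL not
# expired, or simply a badly behaved cache). Constructed, old address.
STALE_RECURSIVE_CACHE = {
    ("www.bennettconstruction.us.", "A"): ["198.51.100.7"],
}


def in_zone(name, zone):
    """True if `name` is `zone` or lies below it (absolute, dot-terminated names)."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def enclosing_names(name):
    """Yield `name` and each ancestor down to the root: a.b.c. -> a.b.c., b.c., c., ."""
    labels = name.rstrip(".").split(".") if name != "." else []
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def ask(server, qname, qtype):
    """One non-recursive query to `server`: ('answer', rdata) or ('referral', ns_list)."""
    zone = SERVERS[server]["zone"]
    rrsets = SERVERS[server]["rrsets"]
    if not in_zone(qname, zone):
        return ("answer", [])  # an authoritative server does not answer for other zones
    if qname in rrsets and qtype in rrsets[qname]:
        return ("answer", list(rrsets[qname][qtype]))  # authoritative data
    for cut in enclosing_names(qname):  # longest suffix first
        if cut == zone:
            break  # reached our own apex: no delegation in between
        if cut in rrsets and "NS" in rrsets[cut]:
            return ("referral", list(rrsets[cut]["NS"]))
    return ("answer", [])  # authoritative "no such data"


def resolve_iterative(qname, qtype, max_hops=8):
    """Resolve from the root hints, following referrals, with no cache at all.
    Returns (rdata, path); `path` is the list of servers consulted, in order."""
    servers = list(ROOT_HINTS)
    path = []
    for _ in range(max_hops):
        if not servers:
            raise RuntimeError("empty referral while resolving %s" % qname)
        server = servers[0]
        path.append(server)
        kind, payload = ask(server, qname, qtype)
        if kind == "answer":
            return payload, path
        servers = payload  # referral: continue with the child zone's nameservers
    raise RuntimeError("referral loop or delegation too deep for %s" % qname)


def resolve_recursive_cached(qname, qtype):
    """What a recursive resolver hands back: its cache first, root-down only on a miss."""
    hit = STALE_RECURSIVE_CACHE.get((qname, qtype))
    if hit is not None:
        return list(hit)
    rdata, _ = resolve_iterative(qname, qtype)
    return rdata


def compare_views(qname, qtype):
    """The CA's view (authoritative chain) next to a cached view, and whether they differ."""
    authoritative, path = resolve_iterative(qname, qtype)
    cached = resolve_recursive_cached(qname, qtype)
    return {"authoritative": authoritative, "path": path,
            "cached": cached, "stale_cache": authoritative != cached}


if __name__ == "__main__":
    for name, rtype in [("www.bennettconstruction.us.", "A"),
                        ("_acme-challenge.bennettconstruction.us.", "TXT")]:
        print(name, rtype, compare_views(name, rtype))
```

Running it shows the root-down walk (root, .us, then ns1) returning the current address while the stale recursive cache still returns the old one; the ACME challenge TXT record, which the cache has never seen, comes out identical from both paths. The practical check this models is to query the zone's authoritative servers directly (`dig +norecurse @ns1... name A`) rather than trusting whatever the local recursive resolver says.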
