
It's not FUD when you have a list of incidents (https://community.letsencrypt.org/c/incidents) and it's not FUD just because I don't have 0days sitting around. If this is just the incidents from one CA, and assuming this is an example of best effort, there would naturally be many more, and possibly worse, exploits gone unnoticed on the hundreds of other CAs.


Only three of those incidents were described by LE as resulting in misissuance under its CPS:

https://community.letsencrypt.org/t/blocklist-incident-novem...

https://community.letsencrypt.org/t/2018-05-18-caa-tag-value...

https://community.letsencrypt.org/t/caa-check-incident-decem...

Of these, I believe that none were issued to entities that didn't actually control or operate the sites described by the certificates.



