SSL certs aren’t for trusting the owner or the URL. They are just for trusting the certificate. DNSsec is for trusting the DNS record.
The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest.
Submitted 22 hours ago by cm0002@lemmy.world to cybersecurity@infosec.pub
tal@lemmy.today 22 hours ago
considers
Hmm. Maybe the certificate validation process should be changed to require that two CAs sign off on the root of a chain, to eliminate a single point of failure. Or maybe software should require that just for certain security-sensitive identities, and there be a decision to designate certain TLDs or IP ranges or whatever as requiring an additional root. That obviously doesn’t magically resolve all potential certificate issues, but it does mean that a single error can’t create the potential to open the floodgates like this.
frongt@lemmy.zip 21 hours ago
Nah. A CA that issues fraudulent certificates will have its signing certs revoked by the root CA.
But that requires actual fraud. This sounds like someone used 1.1.1.1 for testing, when they should have used 192.0.2.0/24 or something. That subnet is specifically reserved.