Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

6 years ago
Anonymous $1bh8zaeyQS

https://www.theregister.co.uk/2018/01/13/lets_encrypt_certificate_drama/

Let's Encrypt – an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it's insecure in the context of many shared hosting providers.

TLS-SNI is one of three ways Let's Encrypt's Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The other two validation methods, HTTP-01 and DNS-01, are not implicated in this issue.