Tue 2023-10-24 at 02:06 +0000, Andy Smith via BitFolk Users wrote:
> ...
> ...
> Meanwhile, the procedure to MitM network traffic through their own
> hardware on Hetzner and Linode is probably very well documented and
> tested, so maybe it could be done straight away, and it was perhaps
> considered expedient to just risk the new certs being noticed.
> DNSSEC+CAA start to seem like very good ideas.
On the topic of CAA records: assuming one is using a CA that supports
the RFC 8657 extensions, one might also want to specify accounturi
and/or validationmethods.
In this scenario that would protect against (or at least mitigate)
someone using their local MITM capabilities to intercept ACME HTTP-01
challenges.
* Supported by Let's Encrypt:
https://community.letsencrypt.org/t/enabling-acme-caa-account-and-method-bi…
* All the fun details:
https://www.rfc-editor.org/rfc/rfc8657
It can look something like this:
$ dig +short arrakis.se CAA
0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/902027977; validationmethods=dns-01"
$
// Andreas
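As an added illustration (not part of the thread above, and not Let's Encrypt's or any CA's actual code), the following Python script parses CAA records in presentation format and evaluates the RFC 8659 issue/issuewild logic together with the RFC 8657 accounturi and validationmethods parameters. It shows why the record quoted in the thread blocks an attacker who can MITM HTTP-01 traffic: even if the interception succeeds, the CA would be issuing for the wrong account and via a validation method the record does not permit. The record set is constructed to mirror the one in the thread; the account URI is taken from that record, and the "no CA may issue" and "no CAA records" cases are added to show the edge cases.

```python
"""Evaluate CAA 'issue' / 'issuewild' records (RFC 8659) with the
RFC 8657 'accounturi' and 'validationmethods' parameters.

Added example for the mailing-list discussion above; it is not the
code of any CA.  The records below are constructed for the example and
follow the shape of the record quoted in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: same shape as the arrakis.se record in the thread.
SAMPLE_CAA = [
    '0 issue "letsencrypt.org; '
    'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/902027977; '
    'validationmethods=dns-01"',
]

# Presentation format: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')
CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit


@dataclass
class CaaRecord:
    flags: int
    tag: str
    ca: str                       # issuer domain name, "" means "no CA"
    params: dict = field(default_factory=dict)


def parse_caa(rr: str) -> CaaRecord:
    """Parse one CAA record; the value is 'ca-domain; k=v; k=v ...'."""
    m = _CAA_RE.match(rr.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    ca = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return CaaRecord(flags, tag, ca, params)


def issuance_allowed(records, ca, account_uri=None, method=None,
                     wildcard=False) -> bool:
    """Return True if CA `ca` may issue, given the ACME account URI and
    the validation method it actually used.

    RFC 8659: issuewild records, when present, govern wildcard requests;
    otherwise issue records apply; with no relevant records there is no
    restriction.  An unrecognised property with the critical flag set
    forbids issuance.  RFC 8657: accounturi must match exactly and the
    method used must be in the validationmethods list."""
    parsed = [parse_caa(r) for r in records]
    for r in parsed:
        if r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef"):
            return False
    relevant = [r for r in parsed if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in parsed if r.tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild records: any CA may issue
    for r in relevant:
        if r.ca != ca.lower():      # also rejects the 'issue ";"' form
            continue
        want_acct = r.params.get("accounturi")
        if want_acct is not None and want_acct != account_uri:
            continue
        want_methods = r.params.get("validationmethods")
        if want_methods is not None:
            allowed = {x.strip().lower() for x in want_methods.split(",")}
            if method is None or method.lower() not in allowed:
                continue
        return True
    return False


if __name__ == "__main__":
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/902027977"
    # Legitimate request: right CA, right account, dns-01.
    print(issuance_allowed(SAMPLE_CAA, "letsencrypt.org", acct, "dns-01"))
    # MITM attacker: same CA, but their own account and an http-01 challenge.
    print(issuance_allowed(SAMPLE_CAA, "letsencrypt.org",
                           "https://acme-v02.api.letsencrypt.org/acme/acct/1",
                           "http-01"))
```

Both parameters are worth setting together: validationmethods alone still lets anyone who can publish a TXT record for the zone (or who compromises the DNS provider account) obtain a certificate, and accounturi alone still lets an attacker who steals the ACME account key use the interception path. The comparison of accounturi is an exact string match, so the record has to carry the URI the ACME client actually authenticates with (the v02 endpoint for Let's Encrypt).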