nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: Bill Woodcock <woody () pch net>
Date: Mon, 4 Mar 2019 09:54:59 -0800



On Feb 26, 2019, at 1:34 PM, James Renken via NANOG <nanog () nanog org> wrote:

> On Feb 25, 2019, at 5:20 AM, Bill Woodcock <woody () pch net> wrote:
>> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.
>
> I’d like to clarify that Let’s Encrypt has always validated DNSSEC, dating to before we issued our first publicly
> trusted certificate in September 2015.

Yes, my apologies…  Comodo may well have been used in the attack against us _because_ Let’s Encrypt was DNSSEC 
validating.  I’m sorry for tarring both Let’s Encrypt and Comodo with the same brush.

The fact remains, however, that both Let’s Encrypt and Comodo are facilitating these hijacks by issuing illegitimate 
certificates to attackers.  So, ipso facto, both organizations’ security practices are insufficient.

We had what I thought to be a productive call with Jacob Hoffman-Andrews, of Let’s Encrypt, late last week, and arrived 
at a couple of possibilities for improving the situation a bit, but I don’t imagine that PCH has the expertise to 
contribute substantively to CA business process improvements, as that’s well outside our field.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP

