
Let me rephrase that: How is the CA supposed to know they didn't handshake with an attacker? All they have is the IP, there's no identity to check like with DNS.


The CA connects to the IP from multiple different points across the internet. If you can convince all of them, you almost certainly do control the IP.

You as a normal client don't do that. Your computer can be fooled by very easy local spoofs.

And for what it's worth, taking over the IP would also let you get a DNS-based certificate, so those actually have more weak points.
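A toy model of the multi-perspective check the comment describes, added here as an example (not code from the thread or from any CA): each vantage point reports the challenge token it fetched from the claimed IP, and issuance requires every perspective to agree. The CA secret, the TEST-NET address, the nonce and the vantage-point names are all constructed for the demo; a real CA would make the connections from separate networks rather than pass observations in as a list.

```python
from dataclasses import dataclass
import hashlib
import hmac
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """What one CA vantage point saw when it connected to the claimed IP."""
    vantage: str               # hypothetical vantage-point name, e.g. "vp-eu-1"
    token_seen: Optional[str]  # token served to it, None if the connection failed


def expected_token(ip: str, nonce: str, ca_secret: bytes) -> str:
    """Token the CA expects the true controller of `ip` to serve for this challenge.
    Keyed with an HMAC so it cannot be guessed from the IP and nonce alone."""
    msg = f"{ip}:{nonce}".encode()
    return hmac.new(ca_secret, msg, hashlib.sha256).hexdigest()


def validate_ip_control(ip, nonce, ca_secret, observations):
    """Return (issue, agreeing, disagreeing).

    Policy from the comment above: every vantage point must have retrieved the
    expected token. A single disagreeing perspective refuses issuance, because
    a spoof that works near one vantage point rarely works near all of them.
    """
    want = expected_token(ip, nonce, ca_secret)
    agreeing, disagreeing = [], []
    for obs in observations:
        seen = obs.token_seen
        if seen is not None and hmac.compare_digest(seen, want):
            agreeing.append(obs.vantage)
        else:
            disagreeing.append(obs.vantage)
    issue = bool(agreeing) and not disagreeing
    return issue, agreeing, disagreeing


if __name__ == "__main__":
    secret = b"ca-secret-constructed-for-demo"
    ip, nonce = "203.0.113.10", "nonce-42"   # constructed TEST-NET-3 address
    good = expected_token(ip, nonce, secret)
    # Legitimate holder: every vantage point fetches the same token.
    print(validate_ip_control(ip, nonce, secret, [
        Observation("vp-eu-1", good), Observation("vp-us-1", good), Observation("vp-ap-1", good)]))
    # Local spoof: only the vantage point sharing the spoofed path is fooled; the
    # others reach the real host, which never requested this challenge.
    print(validate_ip_control(ip, nonce, secret, [
        Observation("vp-eu-1", good), Observation("vp-us-1", None), Observation("vp-ap-1", None)]))
```

With a single observation the same function happily issues, which is the "normal client" case from the comment: one perspective alone cannot tell a local spoof from the real host.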



