I read that they were able to redirect the traffic to their own machine, and therefore perform an http-01 challenge like anyone else.

On Sun, 22 Oct 2023 at 18:55, Alessandro Vesely via mailop <[email protected]> wrote:

> On Sun 22/Oct/2023 13:18:53 +0200 Hans-Martin Mosner via mailop wrote:
> > On 22.10.23 at 12:23, Paul Menzel via mailop wrote:
> >> It was interesting and surprising to me, as the common perception is, that
> >> SSL certificates protect against MiTM attacks as it should provide authenticity.
> >
> > The weak point of SSL certificates is that clients are willing to accept new
> > certs for the same domain as long as their signature path is correct (ending at
> > one of the trusted root CAs). State-level agents may have ways of obtaining a
> > certificate for a third party from a trusted authority, as long as they
> > convince the authority that their interception request is lawful.
>
> That would be a show stopper for Let's Encrypt and EFF, methinks.
>
> The Summary and finale section starts with the paragraph:
>
>     The attacker managed to issue multiple SSL/TLS certificates via Let’s
>     Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023
>
> However, they don't hypothesize on how that was possible. Is that due to
> anonymous ciphers being enabled? How? The whole point of a certification
> authority is that third parties /cannot/ manage to issue copies of whatever
> certificate at will.
>
> Best
> Ale
> --
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
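
An added example, not part of the original message or thread: a defender-side check for the weak point described in the quoted text, flagging certificates for your own host names whose public key you never generated, even though they chain to a trusted CA. The record format, host names, serials and fingerprints are constructed, and the source of the observed certificates (for instance periodic external probes of your own service) is an assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CertRecord:
    serial: str          # constructed placeholder, not a real serial
    issuer: str
    sans: tuple          # DNS names from subjectAltName
    not_before: date
    spki_sha256: str     # hex SHA-256 of the certificate's public key

def covers(san: str, host: str) -> bool:
    """True if a SAN entry (exact or single-label wildcard) matches host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def unexpected_certs(observed, own_keys, watched):
    """Certificates for watched hosts whose key the operator never generated.

    Chain validity is deliberately not part of the test: a certificate
    obtained by someone else from a trusted CA validates correctly, so the
    only thing that distinguishes it is the key it was issued for.
    """
    own = {k.lower() for k in own_keys}
    hits = []
    for cert in observed:
        names = sorted(h for h in watched if any(covers(s, h) for s in cert.sans))
        if names and cert.spki_sha256.lower() not in own:
            hits.append((cert.serial, cert.issuer, cert.not_before.isoformat(), names))
    return hits

# Constructed sample data (assumption: OWN_KEYS is exported by your ACME client).
OWN_KEYS = {"aa" * 32}
WATCHED = ["example.org", "xmpp.example.org"]
OBSERVED = [
    CertRecord("SERIAL-1", "Example CA", ("example.org", "xmpp.example.org"),
               date(2023, 3, 1), "AA" * 32),      # operator's own certificate
    CertRecord("SERIAL-2", "Example CA", ("*.example.org",),
               date(2023, 4, 18), "bb" * 32),     # valid chain, unknown key
    CertRecord("SERIAL-3", "Example CA", ("other.example.net",),
               date(2023, 4, 20), "cc" * 32),     # unrelated host, ignored
]

if __name__ == "__main__":
    for hit in unexpected_certs(OBSERVED, OWN_KEYS, WATCHED):
        print("unexpected certificate:", hit)
```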
