There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.
For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
> the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
Setting the issuance method to something actually secure – unlike http-01 – with CAA or even just pinning your LE account does prevent this. It's just that almost no one does that.
The whole model of certificate issuance relying on http challenges is pretty bafflingly insecure. We do it this way for adoption; http challenges are easy. Flawed https protecting against most attacks is better than plain http. But still. The whole PKI system is a crude, crippled, historically grown mess.
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
With US techs harvesting people's data, subscription mess, cars that are no longer cars but computers on wheels, and now AI, even folks with bare minimal knowledge are self-hosting things.
All you need is a second-hand, dirt cheap Dell SFF computer from eBay, install Proxmox on it and even if it comes with only 8GB, you can still spin up a few Proxmox LXC containers (small like Docker but far better).
People are going back to buying physical media and old models of things; wired headphones are at an all-time high.
MP3 players are at an all-time high: no phone, no subscription, just music.
The 90s and early 2000s are so back, and that is a good thing; people themselves are putting a hard brake on technology.
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.
Putting just the post intro in the feed and linking to the website feels like a safer approach, assuming you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
I have some aggressive filters in Caddy that block the worst offenders by CIDR range, and also filter by user agent to remove any honest facebook and amazon bots. Otherwise, maybe strong rate limits by IP?
Edit:
Longer term, the approach might be - provide a separate RSS feed with full content but gated by a query parameter, then only give that URL to known-good consumers via email verification or patreon subscription, etc.
It would suck that people would have to pay more to consume content in their preferred way, but depending on your needs it might be a reasonable compromise.
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.
I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
What does your site do? If you're simply putting out information, I can catch your logic, but if you're trying to sell something, there's a good chance your audience is on Google.
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.
Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier, i.e. you can focus attack resources on usernames that have active accounts.
It's very low on my list of concerns though; usually there are much worse problems when I pentest.
One suggestion for anyone concerned about this weakness: you can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs are supposed to have support.
Sprinkle some DNSSEC on the CAA record too, if you'd like.
Just be careful, if you host your DNS at Cloudflare (maybe others?), they will rewrite your CAA record[0] if you use TLS with them. This is in the name of convenience but it was surprising when I first learned.
CAA checking is mandatory, so you can always restrict to a given CA.
To get complete control with DNSSEC, you also need the accounturi and validationmethod extensions (which you need to guarantee only your account can issue, and only with the DNS validation type).
Those aren't yet mandatory, but you can restrict to a CA today which implements them, like Let's Encrypt.
Even without DNSSEC, the CAA record approach can help, as it requires MITMing between the CA and the DNS server, which may be harder in some cases than just MITMing a target site.
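The difference between restricting to a CA and pinning account plus validation method, as discussed in the comments above, can be seen by evaluating issuance requests against a CAA RRset. This is an added example, not code from any commenter or CA: it models a CA that implements the RFC 8657 `accounturi` and `validationmethods` parameters, and the account URIs are constructed placeholders.

```python
# Added example: evaluate an issuance request against a CAA RRset
# (RFC 8659) with the accounturi / validationmethods parameters (RFC 8657).
import shlex

# Constructed placeholder account URIs (not real accounts).
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/0000000"
OTHER = "https://acme-v02.api.letsencrypt.org/acme/acct/9999999"

# Constructed sample RRsets in zone-file presentation format.
CA_ONLY = ['0 issue "letsencrypt.org"']
PINNED = ['0 issue "letsencrypt.org; accounturi=%s; validationmethods=dns-01"' % ACCT]
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_caa(record):
    """Parse '<flags> <tag> "<value>"' into (flags, tag, issuer, params)."""
    flags, tag, value = shlex.split(record)
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return int(flags), tag.lower(), issuer.lower(), params


def issuance_allowed(rrset, ca, account_uri, method, wildcard=False):
    """Return True if the CA may issue for this account and validation method."""
    records = [parse_caa(r) for r in rrset]
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _, _ in records):
        return False
    # issuewild, when present, replaces issue for wildcard names.
    has_wild = any(t == "issuewild" for _, t, _, _ in records)
    tag = "issuewild" if wildcard and has_wild else "issue"
    relevant = [r for r in records if r[1] == tag]
    if not relevant:
        return True  # no restricting property: CAA places no limit
    for _, _, issuer, params in relevant:
        if issuer != ca:
            continue  # also covers 'issue ";"', whose issuer is empty
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        methods = params.get("validationmethods")
        if methods is not None and method not in methods.split(","):
            continue
        return True
    return False
```

With `CA_ONLY`, a different account using `http-01` at the same CA is still allowed; with `PINNED`, only the named account using `dns-01` passes.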
If your DNS isn't working, you're not going to be making connections anyway. And if you can't keep DNSSEC running, you can't keep certs up to date either. DNSSEC is actually much simpler, with fewer failure points, once you set it up.
> It is high volume (=it need be cacheable).
It is. Unlike certificates. And the cache lifetimes are much shorter than typical certificate lifetimes.
It is self-evidently not correct that companies that can't keep DNSSEC running can't keep certs running. Entire TLDs have fallen off the Internet because DNSSEC has broken. A certificate never took Slack down for half a day. It's just obviously not true.
It's amazing what practice and investment can do, even for a fragile system like X.509. Yet certs still break constantly. Like permanently killing people's "perpetual" Microsoft Word licenses in a story posted within hours of this one.
Yes.. exactly.. you can't issue a 15y TLS (not SSL) cert today.. not in a usable way. If cloudflare stops proxying you, your cert is worth nothing (accepted by no one).
You can create your own without the use of cloudflare.. you can set it to a 100y expiry if you feel like it.