Let's Encrypt has turned on stricter validation requirements
DRANK

The problem with tls-sni-01 is that it assumed nobody would be crazy enough to let you configure their HTTP-only web server to answer HTTPS requests for their names. So logically, if a server answers HTTPS requests for a name, on an IP address that DNS says is the right address for that name, that must be the right server, no?

But it turns out cheap bulk hosting sites, especially ones using Apache HTTPD, often did this because it worked fine by default.

The symptom for ordinary users would be: you try to visit and it gives a certificate error saying the site has a certificate only for aaa-microwave-repairs.example, do you want to continue? If you say "Yes" you get an error page. Eventually you remember there was no need for the 's' and that works. Weird but ultimately harmless.

What has happened is the Microwave repairs people paid for working HTTPS, with a valid certificate for their name, and the Cat Video people didn't bother. But both set the bulk hosting site as the correct IP address for their s…
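The mechanism the comment describes, modelled as an added example (constructed here, not code from the comment, Let's Encrypt or Apache): two tenants share one IP, only one of them has a real certificate, and the server's SNI dispatch falls back to that certificate for any name it does not know. The tenant names, the IP, and the two server behaviours are assumptions for illustration; `naive_validator` encodes only the premise the comment states (DNS points at this IP and it answered TLS for the name), while `browser_accepts` is the name check a browser performs.

```python
"""Toy model of SNI virtual hosting on a shared IP (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # the one name this certificate is valid for


# Constructed tenant table: two names resolve to the same shared IP,
# but only the microwave-repair tenant configured a certificate.
SHARED_IP = "192.0.2.10"
DNS = {
    "aaa-microwave-repairs.example": SHARED_IP,
    "cat-videos.example": SHARED_IP,
}
TLS_VHOSTS = {
    "aaa-microwave-repairs.example": Cert("aaa-microwave-repairs.example"),
}


def lenient_sni(sni_name, vhosts=TLS_VHOSTS):
    """Default-vhost behaviour the comment describes: an unknown SNI name
    still gets a handshake, served with the first configured certificate."""
    if sni_name in vhosts:
        return vhosts[sni_name]
    return next(iter(vhosts.values()))


def strict_sni(sni_name, vhosts=TLS_VHOSTS):
    """Hardened behaviour: no certificate configured for the name, no handshake."""
    return vhosts.get(sni_name)


def browser_accepts(name, server):
    """What an ordinary visitor's browser checks: the served certificate
    must actually be valid for the name that was requested."""
    cert = server(name)
    return cert is not None and cert.subject == name


def naive_validator(name, server):
    """The assumption behind tls-sni-01 as stated in the comment: DNS says
    this IP is right for the name, and the server completed a TLS handshake
    for that name, so it 'must' be the right server. Note the missing step:
    nothing here ties the handshake to the party that controls the name."""
    if DNS.get(name) != SHARED_IP:
        return False
    return server(name) is not None


if __name__ == "__main__":
    for name in DNS:
        print(name,
              "browser ok:", browser_accepts(name, lenient_sni),
              "naive validator ok:", naive_validator(name, lenient_sni),
              "naive validator (strict host) ok:", naive_validator(name, strict_sni))
```

Running it shows the split the comment is pointing at: for cat-videos.example the browser rejects the fallback certificate (the "certificate only for aaa-microwave-repairs.example" warning), yet the naive validator is satisfied because a handshake happened on the right IP. Only a host that refuses unknown SNI names (`strict_sni`) makes the validator's premise hold for unconfigured names.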

news.ycombinator.com