Collaborate Disseminate
Today I learned of the existence of crt.sh. I typed one of my domain names into the search box to find out what it returns. I found a lot of certificate entries for domains that I don’t recognize, and which appear spammy to me. Many of the… Continue reading crt.sh shows certificates for domains I don’t recognize
The ACME protocol defines the use of a replay nonce to prevent replay attacks.
I understand what replay attacks are and why it’s important to prevent them in certain scenarios. But I can’t think of a scenario where a replay attack would be… Continue reading Possible scenario for replay attack in acme protocol
I bought a domain on Namecheap a few weeks back and now that I want to set it up, I visited my domain on the web and discovered that it had a valid cert issued and was pointing to an unknown site. The cert was issued by Let’s Encrypt on De… Continue reading Can Namecheap get certificates issued for my domain without my knowledge?
I bought a domain on Namecheap a few weeks back and now that I want to set it up, I visited my domain on the web and discovered that it had a valid cert issued and was pointing to an unknown site. The cert was issued by Let’s Encrypt on De… Continue reading Can Namecheap get certificates issued for my domain without my knowledge?
We have a service running behind https and we are using SSL certificates from Let’s Encrypt. The problem is that one of our clients distrusts Let’s Encrypt CA and on certificate renewal it requires to us to send the newly generated certifi… Continue reading Reasons to distrust Let’s Encrypt certificates
Let’s say we have:
Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let’s Encrypt) with both server auth and client auth usages.
A database using mutual T… Continue reading Is it a good idea to reuse certificate issued by public CA for internal database client authentication?
Let’s Encrypt offers free TLS certificates, including wildcard certificates. Is there ever a reason to pay for a certificate? Is it just "we have to pay for everything so we can sue someone if something breaks" corporate policies… Continue reading Why does anyone not use Let’s Encrypt?
Inspired by this comment from Can DDNS provider perform a MITM attack?, I was wondering if there is an automated way to check the Certificate Transparency logs for malicious/unexpected certificates.
For example, if I run some ACME client o… Continue reading Comparing ACME client logs against Certificate Transparency logs
When generating a certificate what would more secure – generating a self-signed certificate using PGP or using a public CA like Let’s Encrypt? We are using it for signing and encrypting.
What are the advantages and disadvantages?
Continue reading Are self-signed certificates better for local usage?
I’m trying to understand openssl and some cert issues I was trying to track down. These certs were issued from Let’s Encrypt. I will use their site as an example because I see the same behavior there. First, I run openssl (OpenSSL 3.0.1 14… Continue reading Openssl and Let’s Encrypt Cert Chain