
Perfectly pulling off an actual MitM attack and then forgetting to renew the certificate is certainly a very German thing :-)


I wonder if someone didn't "forget" on purpose, so that people learn about it.

Or, someone very diligently followed the orders - there was an order to set up a cert, but there was no requirement that it has to auto-renew :)


It was claimed to have been running for 6 months so it must have renewed certs at least once - LE certs are good for 90 days.


> 6 months [...] 90 days.

So they were told to renew the certificate, but not how many times to renew it?


They were told to renew the original certificate, but weren't told to also renew the renewed one.


Shouldn't the certificate transparency logs have it?


I suspect it's not trivial to distinguish between the legit and fake ones just based on CT logs. Unless Let's Encrypt publicly logs the account used to issue the certificate (I think they don't), only the logs held at Let's Encrypt will reveal this information. I expect their security team to be looking at those logs right now.


Why? Purely out of curiosity? Domain validation was successfully performed which enabled a certificate(s) to be issued.


A certificate was issued to someone who isn't the domain owner. Just because the CA can't be blamed because the requester was able to spoof domain validation in a way that the CA can't be expected to detect doesn't mean that a good CA isn't interested in what happened and whether it can somehow be prevented in the future.

One obvious possibility could be e.g. sending a notification to the previous ACME account: "hey, a new ACME account requested a certificate for your domain".


Any sanely designed covert transparent proxy software will automatically stop proxying when the certificate expires.

I wonder why this didn't.


No, the German thing would have been to have the printout of the telefaxed scan of the court order collecting dust because the scanner in the receiving department is broken...


How is that possible while Let's Encrypt keeps on sending reminder emails?


You expect German institutions to accept electronic mail?


Being Germany, perhaps the paperwork expired and the new court order didn't arrive in time.



