Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/tykling/statuses/111415645019779866">Thomas Steen Rasmussen (tykling@mastodon.social)'s status on Thursday, 16-Nov-2023 02:11:41 JST</a><a href="https://mastodon.social/@tykling" title="tykling@mastodon.social"><img src="https://gnusocial.jp/avatar/213246-48-20231115171141.webp" width="48" height="48" alt="Thomas Steen Rasmussen" style="position: absolute; left: 0; top: 0;">Thomas Steen Rasmussen</a></section><article><p>I was investigating an MITM today where the attacker was using a real LetsEncrypt certificate. This was possible because an NS record domain expired and was re-registered by the attacker</p><p>A few weeks ago there was also the jabber.ru MITM issue where a valid LE cert had also been issued.</p><p>Both of these attacks could have been avoided by using CAA account pinning.</p><p>You should add this on all domains today!</p><p>For an example see the CAA record for bornhack.dk <a href="https://caatest.co.uk/bornhack.dk" rel="nofollow noreferrer">https://caatest.co.uk/bornhack.dk</a></p><p>Spread the word!</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2332221#notice-4602933">In conversation</a><time datetime="2023-11-16T02:11:41+09:00" title="Thursday, 16-Nov-2023 02:11:41 JST">about a year ago</time> <span>from <span><a href="https://mastodon.social/@tykling/111415645019779866" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@tykling/111415645019779866">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: www.jabber.ru</div><h5><a href="https://www.jabber.ru/">Jabber.ru</a></h5><div></div></header><div>Jabber.ru — жаббер сервер, вероятно, крупнейший, старейший и самый надёжный</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1833019">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1833020">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Thomas Steen Rasmussen (tykling@mastodon.social)'s status on Thursday, 16-Nov-2023 02:11:41 JST Thomas Steen Rasmussen
I was investigating an MITM today where the attacker was using a real LetsEncrypt certificate. This was possible because an NS record domain expired and was re-registered by the attacker
A few weeks ago there was also the jabber.ru MITM issue where a valid LE cert had also been issued.
Both of these attacks could have been avoided by using CAA account pinning.
You should add this on all domains today!
For an example see the CAA record for bornhack.dk https://caatest.co.uk/bornhack.dk
Spread the word!
In conversationabout a year ago from mastodon.socialpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: www.jabber.ru
  Jabber.ru
  Jabber.ru — жаббер сервер, вероятно, крупнейший, старейший и самый надёжный
2. Untitled attachment
3. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice