I can think of cases where an attacker can do one or not the other (in particula... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		wkat4242 on Jan 3, 2025 \| parent \| context \| favorite \| on: Let's Encrypt to end OCSP support in 2025 I can think of cases where an attacker can do one or not the other (in particular where they're intercepting traffic near the web server end, not the client). In those cases there is a benefit. Because the CA is not hosted by the server itself, the routing path is very different and only converges near the end user. I know it's less likely but to say that there is no security at all is not true in my opinion.

ameliaquining on Jan 3, 2025 [–]

If the attacker is between the server and the rest of the internet, they can pass a CA validation challenge and get a new certificate that way.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact