On 26.06.2023 21:51, Jim Henderson wrote:
On Sun, 25 Jun 2023 20:19:52 -0700, Lew Wolfgang wrote:
The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
They wouldn't need to take out a new LE cert to distribute malware over the secure channel; they would already *have* a certificate, regardless of where the certificate comes from.
"Take over opensuse.org" is ambiguous. It may mean "systems servicing opensuse.org are compromised"; but it may also mean "the domain name opensuse.org is redirected to other server(s)". In the latter case the servers that receive requests for opensuse.org would need a valid certificate for this domain trusted by the client. And in this case such a hijacked domain would actually pass LE checks (at least, the checks that are described in their documentation).
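As an added example (not part of this thread, and not code from any of the participants), the two controls a domain owner actually has against the DNS-redirect case described above: CAA records, which tell every CA which issuers may issue for the name (RFC 8659), and Certificate Transparency monitoring, which exposes any issuance for the owner's names, including one obtained through a hijack that passed domain validation. The CAA records, the CT log entries and the fingerprints are constructed sample data; a real deployment would query DNS and a CT log or aggregator instead.

```python
"""Operator-side checks for DV-certificate issuance.

Domain validation only proves control of the name at validation time, so a
redirected domain passes the CA's checks. The domain owner can (1) restrict
which CAs may issue via CAA, and (2) watch CT logs for issuances it did not
request itself. All data in this file is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CAARecord = Tuple[str, str]  # (property tag, value)

# Constructed CAA data keyed by zone name; a real check would query DNS.
CAA_RECORDS: Dict[str, List[CAARecord]] = {
    "example.org": [("issue", "letsencrypt.org"), ("iodef", "mailto:security@example.org")],
    "example.net": [("issue", ";")],                      # ";" = no CA may issue at all
    "example.com": [("iodef", "mailto:x@example.com")],  # no issue tag: unrestricted
}


def relevant_caa_rrset(name: str, records=CAA_RECORDS) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: the relevant RRset is the first one found walking
    from the FQDN up through its parent names."""
    labels = name.lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset is not None:
            return rrset
    return None


def caa_permits(name: str, ca_domain: str, records=CAA_RECORDS) -> bool:
    """Would the CA identified by ca_domain be allowed to issue for name?"""
    rrset = relevant_caa_rrset(name, records)
    if rrset is None:
        return True  # no CAA anywhere in the hierarchy: issuance unrestricted
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard else "issue"
    values = [v for t, v in rrset if t == tag]
    if wildcard and not values:  # issuewild absent: issue governs wildcards too
        values = [v for t, v in rrset if t == "issue"]
    if not values:
        return True  # CAA present but no issue/issuewild property: unrestricted
    # Each value is "<issuer-domain>[; parameters]"; an empty issuer domain
    # authorizes nobody, so "issue ;" alone forbids all issuance.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed


@dataclass(frozen=True)
class CTEntry:
    fingerprint: str       # SHA-256 of the leaf certificate, hex (constructed)
    issuer: str            # issuer name as logged
    sans: Tuple[str, ...]  # subjectAltName DNS entries


def unexpected_issuances(entries: List[CTEntry], owned: Set[str],
                         own_fingerprints: Set[str]) -> List[CTEntry]:
    """Return log entries that cover an owned name but were not requested by us.

    An issuer allow-list alone is not enough: whoever redirects the domain can
    use the same DV CA we use, so the comparison is against the fingerprints
    our own ACME client recorded when it obtained certificates."""
    def covers_owned(san: str) -> bool:
        host = san[2:] if san.startswith("*.") else san
        return any(host == d or host.endswith("." + d) for d in owned)

    return [e for e in entries
            if any(covers_owned(s) for s in e.sans)
            and e.fingerprint not in own_fingerprints]


# Constructed log entries: two we issued ourselves, one for our name that we
# did not request, and one for an unrelated name.
SAMPLE_LOG = [
    CTEntry("aa11", "Let's Encrypt", ("example.org", "www.example.org")),
    CTEntry("bb22", "Let's Encrypt", ("download.example.org",)),
    CTEntry("cc33", "Let's Encrypt", ("www.example.org",)),  # not in our records
    CTEntry("dd44", "Let's Encrypt", ("unrelated.test",)),
]
OUR_RECORDS = {"aa11", "bb22"}  # fingerprints our ACME client obtained

if __name__ == "__main__":
    print(caa_permits("www.example.org", "letsencrypt.org"))   # True
    print(caa_permits("www.example.org", "other-ca.example"))  # False
    print(caa_permits("host.example.net", "letsencrypt.org"))  # False
    for e in unexpected_issuances(SAMPLE_LOG, {"example.org"}, OUR_RECORDS):
        print("unexpected issuance:", e.fingerprint, e.sans)
```

CAA is checked by the CA at issuance time and does nothing against an attacker who uses the same CA the owner uses; CT monitoring is what makes such an issuance visible, and only after the fact. The two are therefore complementary rather than alternatives.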