this post was submitted on 21 May 2024
97 points (92.9% liked)

Technology

59429 readers
2885 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

So this video explains how https works. What I don't get is what if a hacker in the middle pretended to be the server and provided me with the box and the public key. wouldn't he be able to decrypt the message with his private key? I'm not a tech expert, but just curious and trying to learn.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 33 points 6 months ago* (last edited 6 months ago) (1 children)

I urge everybody to read up on CAA records in DNS and add them to your domains. They basically say what CA the certs for that domain are supposed to come from. Even if another CA issues valid certs for the domain they would be rejected if they don't match the CAA în DNS. It takes 5 minutes.

You can specify the valid CA in the form of its representative domain, for example to allow Let's Encrypt you'd add 0 issue "letsencrypt.org". If you want to allow multiple CA you add multiple CAA records. They enter into effect if at least one CAA record is present. You can also restrict the challenge type, for example 0 issue "letsencrypt.org;validationmethods=dns-01".

Please note that this is worth adding a CAA record even if you don't use your domain for HTTP and you don't issue any certs for it, because a rogue CA can do it for you. You can add a blank CAA record (0 issue ";") which basically forbids any CA.

(And yes, this also applies to email. It's worth adding restrictive records even if you don't use your domain for email.)