As seen in the BND's attack on jabber.ru, some adversaries have no difficulty taking over your IP address. Will this be a new threat vector?
CaliforniaKarl, 1 day ago
If an attacker manages to gain ownership of an IP address, and gets a Let's Encrypt certificate for that IP address, the certificate will show up in Certificate Transparency logs. In that way, if people are watching, the attack will become visible fairly quickly.
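An added example of the Certificate Transparency watching CaliforniaKarl describes (my own Go code, not from the thread or from Let's Encrypt): given a leaf certificate pulled from a CT log, flag it when its iPAddress SANs name an address you own and its fingerprint is not one you issued yourself. The addresses 203.0.113.10 and 198.51.100.7 and the self-signed certificates are constructed stand-ins for log entries; `Suspicious`, `Fingerprint`, `makeCert` and the `known` allowlist are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Fingerprint is the hex SHA-256 of the DER certificate, as CT search tools show it.
func Fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// Suspicious parses one CT-logged DER certificate and returns which of ownIPs appear in
// its iPAddress SANs, unless its fingerprint is in known (hypothetical allowlist of our own issuances).
func Suspicious(ownIPs, known map[string]bool, der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if known[Fingerprint(der)] {
		return nil, nil // our own issuance: nothing to alert on
	}
	var hits []string
	for _, ip := range cert.IPAddresses {
		if ownIPs[ip.String()] {
			hits = append(hits, ip.String())
		}
	}
	return hits, nil
}

// makeCert builds a constructed self-signed certificate with IP SANs, standing in for a logged leaf.
func makeCert(ips ...string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(6 * 24 * time.Hour)}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() { // constructed demo: flag a third party's cert that names our IP
	known := map[string]bool{Fingerprint(makeCert("203.0.113.10")): true} // the one we issued
	fmt.Println(Suspicious(map[string]bool{"203.0.113.10": true}, known, makeCert("203.0.113.10", "198.51.100.7")))
}
```

In practice `known` would be filled from your own ACME client's output (lego, cert-manager) and the DER bytes would come from a CT log or monitor feed rather than `makeCert`.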
nubinetwork, 1 day ago
When will they let me generate certificates for IMAP and SMTP?
neoCrimeLabs, 1 day ago
They never stopped supporting it, to my knowledge. I first started using their certs for my IMAP and SMTP servers 10ish years ago, at least.
If you use the HTTP-01 challenge method, you need an HTTP server on the host.
If you don't want an HTTP server on your IMAP/SMTP server, you need to use the DNS-01 challenge method.
nubinetwork, 1 day ago
And what if I want to run DNS and HTTP on separate servers from my mail server?
neoCrimeLabs, 1 day ago
The same thing everyone else does. Build automation, use configuration management, use cert manager or other similar solutions.
neoCrimeLabs, 10 hours ago
Update: Had less time to post than I realized, hence the terse reply.
Meant to say those solutions are in addition to Let's Encrypt. An X.509 certificate is an X.509 certificate, regardless of whether it's for HTTPS, IMAPS, or SMTPS. If you're distributing your stuff across multiple hosts or containers, then it makes sense to use some sort of automation, configuration management, or certificate management/distribution system.
apitman, 1 day ago
Nice. I've been using lego for this the past few weeks.
greatgib, 1 day ago
They should at least have restricted it to IPv6. Here it will be a kill for everyone using mobile networks and 5G hotspots.
(29 points) https://news.ycombinator.com/item?id=47343278
Related 6-Day and IP Address Certificates Are Generally Available (506 points, 2 months ago, 281 comments) https://news.ycombinator.com/item?id=46647491