So this video explains how https works. What I don’t get is what if a hacker in the middle pretended to be the server and provided me with the box and the public key. wouldn’t he be able to decrypt the message with his private key? I’m not a tech expert, but just curious and trying to learn.

  • lemmyvore
    link
    fedilink
    English
    33
    edit-2
    6 months ago

    I urge everybody to read up on CAA records in DNS and add them to your domains. They basically say what CA the certs for that domain are supposed to come from. Even if another CA issues valid certs for the domain they would be rejected if they don’t match the CAA în DNS. It takes 5 minutes.

    You can specify the valid CA in the form of its representative domain, for example to allow Let’s Encrypt you’d add 0 issue "letsencrypt.org". If you want to allow multiple CA you add multiple CAA records. They enter into effect if at least one CAA record is present. You can also restrict the challenge type, for example 0 issue "letsencrypt.org;validationmethods=dns-01".

    Please note that this is worth adding a CAA record even if you don’t use your domain for HTTP and you don’t issue any certs for it, because a rogue CA can do it for you. You can add a blank CAA record (0 issue ";") which basically forbids any CA.

    (And yes, this also applies to email. It’s worth adding restrictive records even if you don’t use your domain for email.)