
EV certs required that. DV certs never provided that sort of security.



Of course they did. When you paid with your card they knew your identity. Unless you were carding, which is a pretty serious crime.


> When you paid with your card they knew your identity.

Who's the "they" in that sentence? As it stands, a certificate reseller knows that the PayPal account "some.name.here@gmail.com" paid for an SSL certificate for "www.unrelatedcompany.TLD".

The certificate itself tells you nothing about who paid for it - it doesn't even tell you which email account was used to confirm some level of association with the unrelatedcompany.TLD domain.


Then PayPal has the data and LE can follow the trail. Because it's about LE being able to tell who actually bought the certificate, telling me end users can't do that is kinda moving the goalposts.


There are certificate authorities all over the world, and many of them not in jurisdictions that would share data with your law enforcement.


Q1: What kinds of serious crimes involve law enforcement needing to chase up who's behind the purchase of an SSL certificate, anyway?

Q2: Can't the bad guys just buy a pre-paid debit card with cash if they're that desperate to cover their tracks?



