> That's kind of the thing that certificate validation is supposed to solve, an ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Avamander 49 days ago \| parent \| context \| favorite \| on: Let's Not Encrypt (2019) > That's kind of the thing that certificate validation is supposed to solve, an attacker posing as you [...] No, not really. Certificates get issued to hostnames and less frequently, IP addresses. If someone has full control over that resource then what's the actual difference between "you" and "attacker"? Should they run a malware scan too that your server is not compromised? It's not a thing a CA can solve if you've completely lost control of your infrastructure.

1718627440 48 days ago [–]

OK, I misunderstood you. I interpreted:

> if someone can become the thing you're trying to validate

as someone able to impersonate you, not someone actually owning your server. For the latter you're right.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact