Author: Robert McKay 2013-12-08 22:27:17
Published on: 2013-12-08T22:27:17+00:00
In a discussion on verifying domain ownership, Gregory Maxwell and Drak considered email as a simple verification method. However, Maxwell pointed out that some Certificate Authorities (CAs), like GoDaddy, require only an HTTP fetch for verification, with no email involved. He also noted that stealing email is easy through BGP or DNS redirection, and that a domain can be taken over by forging a driving license via fax and controlling the registry. With registry control, getting an SSL cert is simple, even an 'extended validation' one. This was exemplified by the transfer of Afghanistan's .af TLD, which used a forged fax to ICANN.
Updated on: 2023-06-07T21:58:53.205826+00:00