[Ach] bettercrypto.org certificate has expired today

L. Aaron Kaplan kaplan at cert.at
Wed Mar 8 22:18:55 CET 2017

> On 08 Mar 2017, at 14:00, Jeroen Massar <jeroen at massar.ch> wrote:
> On 2017-02-25 10:31, Peter J. Holzer wrote:
> [..]
>> So it's a good idea to either restart the server immediately
>> after obtaining a new certificate or have some other cron job which
>> restarts the server regularly.
> Do only do that after doing a 'nginx configtest' or similar, otherwise
> you end up with a broken system....
> Indeed, the moving parts of Lets Encrypt are not so much fun. What if,
> LE goes down for a few days because somebody DDoSses them to nowhere...
> lots of unhappy websites there will be.

On a related note: Otmar of CERT.at did a recent re-evaluation of the distribution of CAs for
all certificates on a ".at" domain (web server or mail server).
And Lets' encrypt was I believe number 3 already!

So, yes, this is a nice SPoF / single point of attack.


// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20170308/0922d749/attachment.sig>

More information about the Ach mailing list