timokoesters | 1 year ago

For TLS certificates, the certificate authority has to look up IPs to verify the domain. So the security is still based on DNS, right?


tptacek | 1 year ago

Security is based on a combination of:

* The integrity of registrar accounts that are the root of trust for most DNS zones (this was, last I checked, the overwhelming source of DNS corruption attacks),

* The security of one or more DNS lookups, depending (some CAs, like LetsEncrypt, do multi-perspective lookups), and

* The WebPKI Certificate Transparency system, which tracks the issuance of all certificates that Chrome and Mozilla will accept in a public ledger.

fragmede | 1 year ago

You can get certificates for an IP, but they're rare. How it generally works is the DNS server says Google.com is at w.x.y.z IP address, your browser talks to that, it gives you a certificate, (skipping a few cryptography steps for simplicity) your computer checks the certificate coming from Google.com as being valid, without checking w.x.y.z, and then encrypts your connection and shows the green lock icon.

If the DNS server is bad, it'll return e.v.i.l as the IP, your browser will talk to that, but it can't give a certificate that your computer thinks is valid. So you're protected from accidentally logging in to a fake bank website, but also you can't access the correct bank website, so there's still a denial of service problem.

The certificate authority (CA) that gives out the certificates has to verify you own the domain that you're asking for the certificate for. One method is to look up the IP, but as that's problematic if they get the wrong IP, they usually check that from multiple places all over the world.
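As an added illustration of the multi-perspective validation that tptacek and fragmede mention (example code, not from the thread or from any CA): each vantage point independently resolves the domain and fetches the challenge token, and issuance requires the primary vantage plus a quorum of remote vantages to agree. The quorum threshold, vantage names, addresses and token are constructed assumptions, not any CA's real policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy (illustrative only): the primary vantage must see the token,
# and at most MAX_DISSENT remote vantages may disagree before issuance is refused.
MAX_DISSENT = 1


@dataclass(frozen=True)
class Observation:
    vantage: str            # where the lookup and fetch were performed
    resolved_ip: str        # address that vantage's resolver returned for the domain
    token_seen: Optional[str]   # challenge token read from that address, None if absent


def validate(observations: List[Observation], expected_token: str,
             primary: str = "primary") -> Tuple[bool, List[str]]:
    """Return (issue?, names of dissenting vantages) under the assumed quorum policy."""
    agree = [o for o in observations if o.token_seen == expected_token]
    dissent = [o for o in observations if o.token_seen != expected_token]
    primary_ok = any(o.vantage == primary for o in agree)
    remote_dissent = [o for o in dissent if o.vantage != primary]
    issue = primary_ok and len(remote_dissent) <= MAX_DISSENT
    return issue, [o.vantage for o in dissent]


# Constructed scenarios. 203.0.113.10 stands for the genuine server, 198.51.100.66
# for an address a poisoned resolver near the primary vantage hands back instead.
TOKEN = "tok-abc123"

HONEST = [
    Observation("primary", "203.0.113.10", TOKEN),
    Observation("remote-eu", "203.0.113.10", TOKEN),
    Observation("remote-ap", "203.0.113.10", TOKEN),
    Observation("remote-sa", "203.0.113.10", TOKEN),
]

# Only the primary vantage's resolver is poisoned: it reaches an address that serves
# the token, while the remote vantages reach the genuine server, which does not.
LOCAL_HIJACK = [
    Observation("primary", "198.51.100.66", TOKEN),
    Observation("remote-eu", "203.0.113.10", None),
    Observation("remote-ap", "203.0.113.10", None),
    Observation("remote-sa", "203.0.113.10", None),
]

if __name__ == "__main__":
    print("honest:", validate(HONEST, TOKEN))               # (True, [])
    print("local hijack, multi-perspective:", validate(LOCAL_HIJACK, TOKEN))
    print("local hijack, primary only:", validate(LOCAL_HIJACK[:1], TOKEN))
```

The primary-only call shows why a single lookup is the weak point: it would issue, whereas the remote vantages expose the disagreement and the quorum refuses.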