from Hacker News

Duplicate Signature Key Selection Attack in Let's Encrypt

by kkl on 12/12/15, 4:10 PM with 4 comments

• by niksmac on 12/13/15, 2:13 AM

  Fortunately, it was mitigated before Let's Encrypt was publicly trusted.. http://www.ietf.org/mail-archive/web/acme/current/msg00611.h...

• by jmhodges on 12/13/15, 7:37 AM

  To be clear, the challenge types in question where removed from Let's Encrypt production config during the private beta period (when we had a strict whitelist of domains allowed to be issued for), had mitigations for them in while they were out, and we deleted the code for them entirely the other day (in https://github.com/letsencrypt/boulder/pull/1247 )

• by mynewtb on 12/13/15, 6:30 AM

  Wait, what good is a signature then if you can craft it? I may have misunderstood, would appreciate a dumbed down answer.