Hacker News | Roujo's comments

Yes, but there's still an increase in the attack surface - it's a lot harder to convince a registrar to turn over gmail.com than <my domain>, for most values of <my domain>. It's not a deal breaker, of course, but it's something to consider when looking at the risk factor.


As I understand it, a CA doesn't have a way of MITMing connections just by virtue of them being the one validating the cert for a certain website. You don't share the private keys of your certs when you generate them[0], you just need for a CA to attest that yes, this certificate's public key is allowed to be used for whatever use you're applying for. ACME doesn't change that, it just allows this verification to be done automatically.

Let's Encrypt doesn't have any more ways of MITMing people using their certs than any other CA - that is, they _could_ do it by generating rogue certs, but that's no different than what Google can already do since they're a CA as well. Plus, certificate transparency logs should make it visible if they ever do so.

0: Barring weird cases I've seen of some companies letting you generate a cert entirely on their website, letting you download the private key once it's done. Which is bad practice for the reason you're talking about right now, since by then you have no assurance that they haven't kept a copy of that private key for later use.


Any CA can sign any certificate they want, including ones they generate themselves. If a bad actor got control of, or even could coerce, a CA, and could do the same for DNS, the end users would be hard pressed to know.

It's a very valid attack, although minimal. To say they don't have any way of MITM'ing a connection is wrong even if it's unlikely.


This is what certificate transparency logs are designed to solve.

Chrome and Safari currently validate that a certificate has been published in the publicly available transparency logs as part of considering it valid.

Either Google doesn't publish the certificate in the logs and it's not valid, or they publish it and people are able to see the misissuance.

It's not foolproof, but it makes the attack even less likely.


> To say they don't have any way of MITM'ing a connection is wrong even if it's unlikely.

I totally agree, it's why I qualified it with "just by virtue of them being the one validating the cert for a certain website" and later on adding that they could do so in other ways, like the one you're suggesting. Reading it again makes me realize that it could be understood that way, though, sorry if I wasn't clear enough. Sometimes not being a native English speaker betrays me a little bit. =)


Wouldn't it be equally easy for a CA to MITM a site that got its real cert from them vs from a different CA?


CAA DNS records aim to make that more difficult, actually, but otherwise AFAIK you're right. =)

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...


CAA is for telling competent CAs that you don't want to use their service, so as to avoid them being fooled by bad guys who pretend to be you. If you think their methods are dubious or just won't be effective due to how your names are managed, CAA lets you flag that they shouldn't issue for your names at all.

If a CA is incompetent or malevolent it would just ignore CAA records or not check them at all.

It would be a serious bug if a web browser for example went "Hey this site has a cert from Bob's CA but the CAA records for the domain say only Alice's CA is to issue" and rejected the certificate from Bob's CA. The CAA notice is about allowing new issuances right now but maybe last week when I got this certificate from Bob's CA I didn't set that CAA record so that was fine.

It would be valid (maybe not a brilliant idea, but valid) to set CAA to refuse all issuance, changing it only for a few minutes once a week while you do all your certificate changes.


Oh wow, and here I thought having clients check that record was the whole point, as a layer of defense against rogue CAs. Thank you so much, I hadn't realized. =)


> and could do the same for DNS

Google also controls a major public DNS resolver (8.8.8.8) and the most popular browser.

But hey, y'know, they're the good guys or whatever so I'm sure it's fine. (Probably. Right up until the moment when it's not.)


Wow, the visualizations on that article are really well-made. I live in Montreal so it's a very interesting read, thank you for sharing it! =)


I agree with the similarity but as you're saying there was always the possibility of leaving town. It wasn't a convenient solution, and you might very well repeat the same actions wherever you go, but at least you could get a chance to start over elsewhere. IMO that's quite a bit different than the current situation, where I feel you'd have to go and change your legal name, move to another location and get new accounts online to manage to shake off what is now attached to your real name, and _even then_ the paper trail would probably be found at some point and it would all come back to you.

So small town rules, yes, but practically speaking there's only one town left. Whether it's a good thing or not is a matter of opinion - and depends on the specific context as far as I'm concerned - but overall I feel like something of value has been lost in the transition. It might have been possible to make amends and/or show that whatever you did was a temporary lapse in judgement before, but doing that on the scale of the whole internet audience we have nowadays doesn't feel practical, or even possible really. =/


Presumably a Satoshi, the nickname given to the current smallest fraction of a bitcoin that is recorded on the block chain - 0.00000001 BTC.

https://en.bitcoin.it/wiki/Satoshi_(unit)


> The only thing I didn't like about Suica/Pasmo when I was in Japan was that, unlike a credit card, there doesn't seem to be a way to get a statement so you can see where you spent all your money

I use Suikakeibo [0] for that. The latest 20-ish transactions seem to be stored on the card, so by scanning it using my phone every day I could keep a history of everything I used it for. You can even put in notes, since non-transit transactions don't list what you bought with it - just the amount.

It makes for a nice reminder of my past trips. =)

[0] https://play.google.com/store/apps/details?id=net.mediavrog....


> > The only thing I didn't like about Suica/Pasmo when I was in Japan was that, unlike a credit card, there doesn't seem to be a way to get a statement so you can see where you spent all your money

> I use Suikakeibo [0] for that. The latest 20-ish transactions seem to be stored on the card, so by scanning it using my phone every day I could keep a history of everything I used it for. You can even put in notes, since non-transit transactions don't list what you bought with it - just the amount.

> It makes for a nice reminder of my past trips. =)

> [0] https://play.google.com/store/apps/details?id=net.mediavrog.....

Suica cards are readable on your phone via something like farebot (on Android). I'm able to see all my Suica transactions on my phone via NFC.


Wow, thanks! I'll be sure to use this next time I go there!


> So what is this DRM supposed to achieve?

It's a good point, but I believe DRM isn't just about piracy. It's also about control. I read a good article about this once, but I can't find it anywhere right now so I'll summarize what I remember.

As long as DRM exists, if you want to make a Blu-ray player you have to go and ask the Advanced Access Content System Licensing Administrator for their blessing, so that you can decrypt and play (for example) AACS-protected media. It doesn't really matter that AACS has been broken since early 2007 and that pirates can easily circumvent it - as long as you want to sell a player above-board and not risk potential lawsuits, you still have to go and license it.

(This might not be true for AACS in particular, but AFAIK it is generally true of more recent content protection systems.)

That's when the control part kicks in. Good luck getting that Blu-ray player approved for content decryption if it allows the user to skip commercials, or make small clips of movies and send them to your friends, or other such features. I do believe there would be some amount of demand for those features - well, mostly the first one. However, I don't see the AACS LA ever approving such features while having Disney and Warner Bros as founding members[0].

I'll try to find the original article I got those ideas from. I'll reply again if I ever find it.

[0]: https://web.archive.org/web/20120218192257/https://www.aacsl...


That makes a lot of sense actually, I guess my take was a bit naive. I hadn't considered that it wasn't just about preventing piracy, it's about controlling how the content is consumed. Thank you for this insight.


I think you were probably trying to find this article:

https://web.archive.org/web/20190119000840/https://plus.goog...


That's exactly it! I've bookmarked it for future reference, thank you so much! =)


On Android, you can put a file called ".nomedia" in those folders to achieve this.


As I recall the idea was to promote looking for a Pixelfed instance with a community that fits your needs and interests, which in turn makes the network stronger by distributing the userbase over a variety of servers.

Keeping registrations open on what is often perceived as an "official" instance can lead to that instance getting most of the new users of the network, since it's usually the one you'll find if you search for the corresponding software. mastodon.social (previously open, now invite only) is a good example of that, IMO. I'm not sure if it's a good or a bad thing, but I do feel it subverts the idea of a federated network if most users are on a handful of known instances.


That's a nice thought. I'm the kind of user that's going to give up and move on if my first attempt fails, and I imagine I'm in the majority here.


Why would Mastodon or Pixelfed need users who give up that easily? Those most probably won't be good citizens anyway and they would not post and create content because it's too complicated.

I don't think it makes sense to have non-active members just for faking the numbers if it's non profit anyway.


It also subverts the idea if users are on no instance at all.


Looks like the URL is mangled by being repeated, that's odd. It seems to work when I de-dupe it, though. ^^

https://alt.org/nethack/trd/?file=https://alt.org/nethack/us...


That only has 3 frames...that can't be right..?


Try Firefox. Doesn't work in Chrome for me either.


Works for me! Thanks!

