1. 4

    Did anyone notice the domain?

    It is https://https.www.google.com.tedunangst.com/flak/post/strict-structs

    see https://ibb.co/eH9G20

    I know people monitor CT logs using Certstream, I wonder how long before it is taken down.

    1. 14

      Anyone also happily notice there’s no certificate warning now? And simultaneously wonder if the new one getting no warning while other did should inspire more skepticism toward the CA model in general?

      1. 4
        1. 5

          Why would it be taken down? I don’t see why you couldn’t have a subdomain called com with a subdomain google with a subdomain www with a subdomain https, unlike the authors of Chrome.

          1. 2

            > I don’t see why you couldn’t have a subdomain called com with a subdomain google with a subdomain www with a subdomain https, unlike the authors of Chrome.

            In Firefox, the URL bar renders like this.

            That’s not pointless fanciness. That’s emphasizing the parts of the domain name that “can’t be forged” because the domain registrar is supposed to make sure they’re unique. There are known cases where a phisher uses this exact pattern to fool users who don’t read the entire URL but do check for the expected parts.

            There’s not much point in trying to prevent this within LetsEncrypt, though, since LetsEncrypt gives out wildcard certs anyway.
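
The hostname pattern discussed in this thread can be checked mechanically, for instance over names seen in CT logs. The following is an added example, not code from any commenter: it splits a host into its registrable domain (the part a URL bar would emphasize) and its subdomain labels, then reports scheme-like labels and other registrable domains embedded in the subdomain. `PUBLIC_SUFFIXES`, `split_host` and `inspect` are hypothetical names, and the suffix set is a small constructed stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; real code would load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}
SCHEME_LABELS = {"http", "https"}


def split_host(host):
    """Return (subdomain_labels, registrable_domain); the domain is None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        # Scanning left to right finds the longest matching public suffix first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return labels[:i - 1], ".".join(labels[i - 1:])
    return labels, None


def inspect(value):
    """Accept a URL or bare hostname and describe what its subdomain part imitates."""
    host = (urlsplit(value).hostname or "") if "://" in value else value
    sub, registrable = split_host(host)
    embedded = []
    # Any prefix of the subdomain labels that parses as a registrable domain of
    # its own (e.g. "google.com") is a name the real owner did not register here.
    for k in range(2, len(sub) + 1):
        _, inner = split_host(".".join(sub[:k]))
        if inner and inner != registrable and inner not in embedded:
            embedded.append(inner)
    scheme_like = [label for label in sub if label in SCHEME_LABELS]
    return {
        "registrable": registrable,
        "embedded": embedded,
        "scheme_like": scheme_like,
        "suspicious": bool(embedded or scheme_like),
    }


if __name__ == "__main__":
    samples = [
        "https://https.www.google.com.tedunangst.com/flak/post/strict-structs",
        "www.google.com",
        "login.example.co.uk",  # constructed sample
    ]
    for s in samples:
        print(s, inspect(s))
```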