Let’s Encrypt, an automated certificate authority backed by Chrome and Mozilla, has today announced a measure it is implementing to further protect against network attackers. The new feature is called multi-perspective domain validation and helps certificate authorities (CAs) confirm that an applicant actually controls the domain they want a certificate for.
Domain validation isn’t new, but a potential issue in the process means that a network attacker can trick a CA into incorrectly issuing a certificate. With multi-perspective domain validation, network attackers will need to successfully compromise three different network paths at the same time. Not only will this be more difficult to achieve, but the Internet topology community will also have a higher chance of noticing the attack.
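The issuance decision under this scheme can be sketched as follows. This is an added example, not Let’s Encrypt’s code: the vantage-point names, the token values and the rule that all three perspectives must agree are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Observation:
    perspective: str       # hypothetical vantage-point name
    body: Optional[str]    # challenge response seen from there; None = fetch failed


def validate(expected: str, observations: List[Observation],
             required: int) -> Tuple[bool, List[str]]:
    """Issue only if at least `required` perspectives saw the expected token.

    Returns (issue, disagreeing) so that perspectives which saw something
    else can be logged: disagreement between network paths is itself a signal.
    """
    agreeing, disagreeing = [], []
    for obs in observations:
        ok = obs.body is not None and hmac.compare_digest(
            obs.body.encode(), expected.encode())
        (agreeing if ok else disagreeing).append(obs.perspective)
    return len(agreeing) >= required, disagreeing


# Constructed sample data: the token the CA expects for this order.
EXPECTED = "token-placeholder.account-thumbprint-placeholder"

# Legitimate applicant: every path reaches the real server, which serves the token.
LEGIT = [Observation(p, EXPECTED) for p in ("vantage-a", "vantage-b", "vantage-c")]

# One network path is diverted to a server that answers the challenge; the
# other two still reach the real site, which knows nothing about this order.
ONE_PATH_DIVERTED = [
    Observation("vantage-a", EXPECTED),
    Observation("vantage-b", "404 not found"),
    Observation("vantage-c", None),
]

if __name__ == "__main__":
    print("legitimate, 3 perspectives:", validate(EXPECTED, LEGIT, 3))
    print("diverted, single perspective:", validate(EXPECTED, ONE_PATH_DIVERTED[:1], 1))
    print("diverted, 3 perspectives:", validate(EXPECTED, ONE_PATH_DIVERTED, 3))
```

With a single perspective the diverted path alone is enough to pass validation; with three, the same observations are refused and the two unaffected vantage points are reported as disagreeing.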
The organisation thanked several researchers from Princeton University for their help on multi-perspective domain validation and said that it will continue to work with the researchers to refine the effectiveness of the design and the implementation.
When Let’s Encrypt launched several years ago, it did a lot to spread HTTPS, which gives users a secure connection to websites. With multi-perspective domain validation, casual web surfers stand to benefit again without having to do anything, as these improvements are made behind the scenes.