schoen 2 days ago

Yep, they started in 2020: https://letsencrypt.org/2020/02/19/multi-perspective-validat...

This has been challenging for some subscribers who are unaccustomed to receiving any legitimate site traffic from foreign countries.

https://community.letsencrypt.org/t/multi-perspective-valida...

Now that it's a requirement for the whole web PKI, it will be interesting to see the pressure against blanket geoblocking increase. (Or maybe more web hosts will make it easier to use DNS challenge methods to get certificates.)

  • ocdtrekkie a day ago

    Geoblocking is one of the most drastically effective ways someone can reduce their attack surface. I'd give up encrypting traffic entirely before I'd give up geoblocking.

    • tptacek a day ago

      You don't have to give up geoblocking, right? You only need enough "unblocked" surface to resolve domain ownership challenges.

      • ocdtrekkie a day ago

        Sure, and I think generally speaking this is also not a hard problem: A CA can advertise the networks it expects to be able to validate your control from, and you can also choose to selectively allow access for domain validation purposes to those networks. The modern firewall is quite discriminatory.

        I just find it a constant frustration that geoblocking is often discussed as "bad" when... if you aren't running a global service, it is an incredibly powerful tool. Even among global services, the hesitation to intelligently use risk-based authentication strategies remains deeply frustrating... there's no reason an account which has never been accessed outside the United States should be permitted to suddenly log in from Nigeria. Credit card companies figured this stuff out decades ago.
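The "enough unblocked surface to pass domain validation" idea from the exchange above, as an added nginx example that is not from the thread or from Let's Encrypt: the blanket country block stays in place, but the HTTP-01 challenge path is carved out so validation from CA vantage points abroad can still succeed. It assumes the ngx_http_geoip2 module with a MaxMind country database; the hostname, paths and allowed-country list are placeholders.

```nginx
# Added example (not from the thread): blanket geoblock with the ACME
# HTTP-01 challenge path exempted, so multi-perspective validation from
# foreign CA vantage points still works.
# Assumes ngx_http_geoip2 and a MaxMind country database are installed;
# hostname, paths and allowed countries are placeholders.

geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_country_iso_code country iso_code;
}

# 1 = allowed country, 0 = blocked. Unknown/unlisted defaults to blocked.
map $geoip2_country_iso_code $country_allowed {
    default 0;
    US      1;
    CA      1;
}

server {
    listen 80;
    server_name example.com;

    # Challenge path first. "^~" makes this prefix match win and skips
    # regex locations, so the geoblock below never applies here. Only
    # static ACME token files live under this root, so serving them to
    # any origin exposes nothing sensitive.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else: enforce the geoblock, then send traffic to HTTPS.
    # A bare "return" inside "if" is one of the safe uses of the directive.
    location / {
        if ($country_allowed = 0) {
            return 403;
        }
        return 301 https://$host$request_uri;
    }
}
```

The same `$country_allowed` check belongs in the port-443 server block as well; the challenge exemption is only needed on port 80, where HTTP-01 validation happens.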