Hacker News

hugo1789 today at 6:20 PM

I think RPKI is good enough. As we have TLS on top, it doesn't need to be perfect.


Replies

rot256 today at 7:07 PM

For Let's Encrypt, routing is authentication: if packets routed to the IP in the A record end up at your place, you can get a cert for that domain.

maltalex today at 6:35 PM

Only with certificate pinning or something similar. Otherwise, the attacker can get valid TLS certificates for any domain hosted on the hijacked IP addresses.

zymhan today at 8:16 PM

Those two things address orthogonal issues.