review and implement recommendations for ACME HTTPS setup
Looks like there was a MITM that exploited Let's Encrypt/ACME to get a valid TLS cert. One of the creators of ACME-CAA gave recommendations for hardening:
More info here:
- https://notes.valdikss.org.ru/jabber.ru-mitm/
- https://blog.jmp.chat/b/certwatch
- https://snikket.org/blog/on-the-jabber-ru-mitm/
There is some very limited time under OTF RRF f-droid.org to spend on this. These seem like clear things we want to do:
- Set up DNSSEC on f-droid.org
- Monitor Certificate Transparency logs for f-droid.org
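As an added illustration of the second item (this is example code, not part of the issue, F-Droid's tooling, or anything from the linked posts): a small checker that takes a list of Certificate Transparency entries for a domain and flags any certificate that our own ACME client did not obtain. The point the MITM writeups make is that the attacker's certificate came from the same CA we use, so an issuer allowlist alone does not catch it; comparing serial numbers against the set we issued ourselves does. The entry layout imitates the JSON that crt.sh returns (`issuer_name`, `name_value`, `serial_number`, `not_before`), which is an assumption about that service, and all entries, serials and issuer names below are constructed sample data.

```python
"""Flag CT log entries for a domain that we did not issue ourselves.

Added example, not F-Droid's code. Entry field names are assumed to
match the crt.sh JSON output; the sample data is constructed.
"""
import json

# Constructed sample of what a CT lookup for f-droid.org might return.
# Entry 1 is a cert our ACME client obtained; 2 and 3 are unexpected.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "f-droid.org\nwww.f-droid.org",
     "serial_number": "03A1B2C3", "not_before": "2023-09-01T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "f-droid.org",
     "serial_number": "04deadbeef", "not_before": "2023-10-18T02:12:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example Root",
     "name_value": "mirror.f-droid.org",
     "serial_number": "0501", "not_before": "2023-10-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "unrelated.example",        # not our domain, ignored
     "serial_number": "0777", "not_before": "2023-10-02T00:00:00"},
])

# Serials of certificates our own ACME client obtained (constructed).
# In practice this set is built from the certs the client writes to disk.
KNOWN_SERIALS = {"03a1b2c3"}
ALLOWED_ISSUER_ORGS = {"Let's Encrypt"}


def parse_entries(raw_json):
    """Parse the CT JSON into a list of dicts."""
    return json.loads(raw_json)


def hostnames(entry):
    """crt.sh joins SAN names with newlines; split them into a set."""
    return {h.strip().lower() for h in entry["name_value"].split("\n") if h.strip()}


def covers(entry, domain):
    """True if any SAN in the entry is the domain, a subdomain, or a
    wildcard that would match a subdomain."""
    domain = domain.lower()
    for h in hostnames(entry):
        if h == domain or h.endswith("." + domain):
            return True
        if h.startswith("*.") and h[2:] == domain:
            return True
    return False


def issuer_org(issuer_name):
    """Pull the O= component out of a comma-separated DN string.
    (Values containing ', ' would need a real DN parser.)"""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def check_entry(entry, domain, known_serials, allowed_orgs):
    """Return a list of reasons this entry is suspicious (empty if fine)."""
    if not covers(entry, domain):
        return []
    reasons = []
    serial = entry["serial_number"].lower().lstrip("0") or "0"
    known = {s.lower().lstrip("0") or "0" for s in known_serials}
    if serial not in known:
        reasons.append("serial not among certificates our ACME client issued")
    org = issuer_org(entry["issuer_name"])
    if org not in allowed_orgs:
        reasons.append(f"issuer organisation {org!r} not on allowlist")
    return reasons


def audit(raw_json, domain, known_serials, allowed_orgs):
    """Map CT entry id -> reasons, for entries that need a human to look."""
    flagged = {}
    for entry in parse_entries(raw_json):
        reasons = check_entry(entry, domain, known_serials, allowed_orgs)
        if reasons:
            flagged[entry["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for entry_id, reasons in audit(SAMPLE_CT_JSON, "f-droid.org",
                                   KNOWN_SERIALS, ALLOWED_ISSUER_ORGS).items():
        print(f"CT entry {entry_id}: " + "; ".join(reasons))
```

Entry 2 is the case that matters: a Let's Encrypt certificate for f-droid.org that we never requested, exactly the shape of the jabber.ru incident, and an issuer allowlist would pass it. Note that CT only shows a certificate after it has been logged, so this is detection after the fact; the DNSSEC item and CAA records are what make the issuance itself harder.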
Edited by Hans-Christoph Steiner