In theory Multi-VA [letsencrypt.org] should still prevent getting a TLS certificate

Yeah, that's why I only said plausibly, rather than possibly, as it'd take that 1:20 shot to make it happen. But plausibly may be overstating it a bit, still.

Any certificates from LE would also appear in the certificate transparency log that currently only has EnTrust and DigiCert certificates. A few hundred pages' worth of certificates.

Given everything we've learned here, do you think they're actually monitoring CT logs? Or hiring a brand reputation service to do it for them? I would bet a lot of money on the answer to that question being no. As you said, asleep at the switch :)

Hah - as soon as we can get people to understand that LLMs aren't actual intelligence, the better off we'll be. OpenAI has done some wonderful work and marketing with ChatGPT to make people believe otherwise, though. Once they understand what LLMs are (both their real value and their limitations), people can start actually leveraging them in their lives instead of thinking the models can answer all of the open questions of the universe.

I could be wrong, but a quick google search seems to imply that whitehouse.gov hasn't hosted mail services since the Obama administration. If you have anything that shows it has, I'd love to see it.

Note: I'm largely basing this on the fact that the comments@whitehouse.gov email address stopped being referenced after the W administration's website. I also found some old reports on dnsspy and such from years ago (including during the previous administration) that had no mx records at all.

The abstract for that RFC makes it clear it's optional:

organizations which support email exchanges with the Internet are encouraged to support AT LEAST each mailbox name for which the associated function exists within the organization.

Emphasis mine.

I have more faith we'll be on Mars in the near future than AI taking over human jobs. That said, I think some flavor of AI will be critical to the Mars mission - at least in a "here, bold-faced checklist items for you while we wait for signal delay to get us a message from Earth" kind of way. As it is today, these technologies are great enabler and force multipliers, but they're not human-replacements.

Reputational risk isn't the same everywhere. It's a much bigger deal for B2B, for example. But people absolutely care - Take a look at the flood of people that left LastPass after their large breach. It's harder for people to walk away from the big banks or retailers, so their impact is significantly reduced. But in any case, it's not just a myth. It just has to be taken in context.

DNSSEC and TLS would absolutely help mitigate this. Problem is, there's no DNSSEC for mastercard.com according to the records I just pulled. Now, without DNSSEC, you could plausibly get a Lets Encrypt certificate with a dns-01 challenge, so it's still vulnerable.

I don't see that particular experimental feature, and I'm a premium subscriber (and music user). I see plenty of others, though. Anybody else?

Of course he does. His income depends on it, so he's going to sell it as if it's the next sliced bread, here to solve all your problems. Is he entirely wrong? Probably not. Probably just (very) optimistic on scope, scale, timing, and value.

Yeah, but have you ever tried to articulate reputational risk to leaders? They either don't comprehend it -- or even if you quantify it, they don't believe the outputs.

I'm not surprised that a company of that size had such an issue lurking -- but how many eyes have probably looked at that DNS record over the years and looked right past that typo? Something should have eventually seen it, even if it was just DNS propagation monitoring. But the claim that it created no risk? Absolute hogwash. Without trying, a threat actor could have gotten a fifth of the traffic headed to destinations that used that same NS record content... which looks like it included their own API gateways!

If anything, the only issue is that nobody else seems to want to play in the glass space here, or isn't providing a competitive product. I'm not sure what they could do other than force Corning to spin off a division and compete against themselves... but that'd be counterproductive.

Your head will never be as random or secure as an actual RNG doing its thing on your behalf. And it's entirely possible to reasonably secure passwords in a password manager.

Bitwarden is the answer to most of these problems... cross-platform/cross-everything, FOSS, audited, cheap/free.