
> HTTPS + HSTS would prevent the author from spoofing the DNS of those sites and sending them to a server over HTTP, thus avoiding the certificate errors.

I'm confused, how would that help? Could the attacker (the author, in this case) not get a valid HTTPS certificate for these domains, returning spoofed DNS responses when the CA goes to validate it?



Depends, but for DV certificates, most likely. Certificate Transparency could/would help alert the original site if that was the case.


Yes, but HTTPS + HSTS would not enforce a certain validation level, e.g. you can't enforce EV certs only in HSTS (as far as I know), so a DV cert would be sufficient.


The attacker MITMing TLS has to present a certificate for the spoofed domain that was signed by a Certificate Authority the victim's browser trusts.


Very easy to do. You can even automate it with Let's Encrypt since you can serve whatever DNS records you want.
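
Added example, not part of any comment in this thread: one way a domain owner could act on the Certificate Transparency point raised above, by comparing logged certificates against an inventory of the certificates they actually requested. The `CtEntry` record, its field names, the CA names and the sample entries are constructed assumptions, not a real CT log API.

```python
# Added example: field names and sample entries are constructed, not a real CT log API.
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:                      # hypothetical, simplified CT log record
    issuer: str
    serial: str
    dns_names: tuple

def normalize(name):
    return name.strip().lower().rstrip(".")

def covers(name, watched):
    """True for a watched domain, a subdomain of it, or a wildcard under it."""
    name = normalize(name)
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in watched)

def unexpected_certs(entries, watched, inventory, allowed_issuers):
    """Return (issuer, serial, names, reasons) for certs the owner did not request."""
    watched = {normalize(d) for d in watched}
    inventory = {(i, s.lower()) for i, s in inventory}
    seen, alerts = set(), []
    for e in entries:
        key = (e.issuer, e.serial.lower())   # serials are unique per issuer only
        names = sorted(normalize(n) for n in e.dns_names if covers(n, watched))
        if not names or key in seen:         # skip other domains and duplicate log entries
            continue
        seen.add(key)
        reasons = []
        if key not in inventory:
            reasons.append("not in issuance inventory")
        if e.issuer not in allowed_issuers:
            reasons.append("issuer not allowlisted")
        if reasons:
            alerts.append((*key, names, reasons))
    return alerts

SAMPLE = [  # constructed entries
    CtEntry("Example CA R1", "0a01", ("example.test", "www.example.test")),  # ours
    CtEntry("Example CA R1", "0B77", ("login.example.test",)),   # valid DV cert we never asked for
    CtEntry("Example CA R1", "0b77", ("login.example.test",)),   # same cert logged twice
    CtEntry("Other CA X", "0c10", ("*.Example.TEST.",)),         # wildcard, odd case, trailing dot
    CtEntry("Other CA X", "0d99", ("notexample.test",)),         # lookalike suffix, not ours
]

def demo():
    return unexpected_certs(SAMPLE, ["example.test"],
                            [("Example CA R1", "0A01")], {"Example CA R1"})

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The second sample entry is the case discussed in the thread: a certificate from an expected CA that only the inventory check catches, since an issuer allowlist alone would pass it.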



