Hacker News

Could actually-dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

I'd much rather be able to say -- 'no, never manually trust a cert', instead of 'well, ok, for now yes in this one case if you're sure there's no typos in the URL... What? Yeah, the text at the top in the little bar... argh'.

I hope I'm missing something here, but even better I hope Symantec and banks get their acts together.




Could actually-dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

Technically, certificate pinning etc. can prevent this, but in practice, yes, this is a possible attack vector.

But it has little to do with CA validation. If the user understands how to verify the domain and security of the connection, the attack doesn't work, and if he doesn't, the Google vs. Symantec situation makes no difference either.
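The pinning point in the reply above, as an added example that is not part of the thread and not anyone's code from HN: it builds two self-signed certificates for the same host name, one standing in for the bank and one for the dodgy site, adds the dodgy one to the trust store as if the user had clicked "trust this certificate", and then runs both the ordinary chain check and an SPKI pin check against each. The host name bank.example, the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo, as HPKP used) and the single-cert chains are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host name; an assumption for this example.
const host = "bank.example"

// newSelfSigned returns a self-signed cert for host with a fresh P-256 key.
// The bank's cert and the dodgy look-alike are built the same way; the only
// difference that matters below is the key inside.
func newSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
// It names the key, not the cert, so the bank can re-issue without breaking pins.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted is the browser's question: does the cert chain to the trust
// store for host? roots includes anything the user was talked into adding.
func ChainTrusted(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Pinned is the pinning client's question: is this key one the client shipped
// with for host? The trust store is never consulted, so a click cannot widen it.
func Pinned(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[SPKIPin(leaf)]
}

// Result records how each cert fares under each check.
type Result struct {
	BankTrusted, BankPinned, DodgyTrusted, DodgyPinned bool
}

// Scenario: the client ships with a pin for the bank's key; the user has
// manually trusted the dodgy cert, so it sits in roots next to the bank's.
func Scenario() (Result, error) {
	bank, err := newSelfSigned("bank")
	if err != nil {
		return Result{}, err
	}
	dodgy, err := newSelfSigned("dodgy")
	if err != nil {
		return Result{}, err
	}
	pins := map[string]bool{SPKIPin(bank): true}
	roots := x509.NewCertPool()
	roots.AddCert(bank)
	roots.AddCert(dodgy) // the "yes, trust this certificate" click
	return Result{
		BankTrusted:  ChainTrusted(bank, roots),
		BankPinned:   Pinned(bank, pins),
		DodgyTrusted: ChainTrusted(dodgy, roots),
		DodgyPinned:  Pinned(dodgy, pins),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("bank:  trusted=%v pinned=%v\n", r.BankTrusted, r.BankPinned)
	fmt.Printf("dodgy: trusted=%v pinned=%v\n", r.DodgyTrusted, r.DodgyPinned)
}
```

The manually trusted cert passes the chain check, which is exactly the hole the question above describes, and fails the pin check, because the pin set lives in the client rather than in the trust store. That is also the caveat: pinning only helps where the client carries pins (an app, or a browser feature that has since been retired), so it does not rescue the user who is reading the cert dialog in an ordinary browser.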



