
This also breaks security keys.



What do you mean by this?

Are you saying that a phishing attack can be executed against U2F/WebAuthn if the attacker controls DNS?


Yes and no. Yes, if the attacker controls the DNS, he can return his own server's IP, and your browser will connect to the attacker's server showing the original name in the URL bar. Fortunately TLS should save you because the attacker should not have a valid certificate (but it would also save you with OTP). If you disregard the TLS/HTTPS warning, then WebAuthn breaks.
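An added example, not part of any comment in this thread: a sketch of the name and challenge bindings a relying party checks on a WebAuthn assertion, showing why a lookalike domain is rejected while the same host name reached through spoofed DNS is not distinguishable at this layer. The function names, `example.com`, `examp1e.com` and the sample assertions are constructed for illustration, signature verification is left out, and the third case assumes the browser proceeds past the certificate warning as the comment describes.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data,
                     expected_origin, rp_id, challenge):
    """Return the failed name/challenge bindings of an assertion ([] = all pass).
    Signature verification is a separate step and is omitted here."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != expected_origin:  # origin as the browser saw it
        failed.append("origin")
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4) | ...
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(authenticator_data) < 37 or authenticator_data[:32] != rp_hash:
        failed.append("rpIdHash")
    return failed

def constructed_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator emit at `origin`."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cdj, auth_data

def demo():
    ch = b"constructed-challenge-0001"
    check = lambda o, r: binding_failures(*constructed_assertion(o, r, ch),
                                          "https://example.com", "example.com", ch)
    return {
        "genuine site": check("https://example.com", "example.com"),
        "lookalike domain": check("https://examp1e.com", "examp1e.com"),
        # Same host name served from another IP: the origin string is unchanged.
        "same name, spoofed DNS": check("https://example.com", "example.com"),
    }

if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case}: {failed or 'bindings pass'}")
```

Only the lookalike case is rejected by these checks; for the same-name case the control that applies is TLS certificate validation in the browser, which is the point the comment makes.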



