Hacker News

Could they sign and distribute a cert for localhost.zoom.us and point the DNS at 127.0.0.1?
They could, but if they distribute the private key, which they would, the private key would be considered compromised, and the CA would be required to revoke the certificate within something like 24h of being notified with appropriate evidence (e.g. a copy of the key or a special message signed with the key).

In the case of LetsEncrypt certificates, there is even an API for this revocation.

However, given how ineffective revocation is, it unfortunately could still be a viable strategy.

The easier approach is, of course, using the fact that browsers now consider http://127.0.0.1 (and/or http://localhost) a secure origin to avoid this issue.


No, because you'd have to distribute the private key for the local webserver to be able to sign the connection challenge.

But that's just a reason why it would be a bad idea, not a reason that they couldn't do it or that it wouldn't work.

I would think that they could distribute the cert (and the key) and have it work. [Edit] Unless browsers detect that it's a local IP address behind the domain name and still consider it a special case of origin.
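As an added example (not from the thread, Zoom, Plex or any browser), a Python model of the "potentially trustworthy origin" rule from the W3C Secure Contexts spec that the two comments above touch on: browsers decide on the origin's host string, not on what it resolves to, so http://localhost.zoom.us stays a non-secure origin even when DNS answers 127.0.0.1, which is the reason a publicly-trusted certificate for such a name was being considered at all.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed model of the Secure Contexts "potentially trustworthy origin"
# check (https://w3c.github.io/webappsec-secure-contexts/). Assumptions: the
# resolver is trusted for "localhost" and "*.localhost" (RFC 6761), and only
# the origin string is consulted, never a DNS lookup, as in the spec.

def is_potentially_trustworthy(origin: str) -> bool:
    """Return True if a browser would treat `origin` as a secure context."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname strips [] from IPv6
    # Authenticated or local-file schemes are trustworthy regardless of host.
    if scheme in ("https", "wss", "file"):
        return True
    if scheme not in ("http", "ws"):
        return False
    # Loopback IP literals (127.0.0.0/8, ::1) are trustworthy over plain http;
    # any other IP literal (e.g. 192.168.0.10) is not.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass
    # "localhost" and subdomains of it are trustworthy by name. A name such as
    # localhost.zoom.us is not, whatever address it resolves to.
    return host == "localhost" or host.endswith(".localhost")


def explain(origin: str, resolved_ip: str) -> str:
    """Describe the outcome for an origin and the (constructed) address DNS returned."""
    trusted = is_potentially_trustworthy(origin)
    loopback = ipaddress.ip_address(resolved_ip).is_loopback
    if trusted:
        return "secure context"
    if loopback:
        return "non-secure context despite resolving to loopback"
    return "non-secure context"
```

`explain("http://localhost.zoom.us", "127.0.0.1")` returns "non-secure context despite resolving to loopback", while `explain("http://127.0.0.1:4433", "127.0.0.1")` returns "secure context".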


Plex solved this problem in pretty much the way you describe.

https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...


It's not the nicest solution, but I don't see the problem with a public certificate and public private key (yeah, not the most elegant wording) that is literally issued to `localhost` or `127.0.0.1` (not localhost.zoom.us, because that still goes through DNS once and could be hijacked).


