
What if DNS is MITMed?



No one cares as long as you are using HTTPS, which is the point.

If you aren't using HTTPS for all of your site, you are vulnerable to MITM attacks.


Presumably, the browser still needs to interrogate DNS even if it talks over HTTPS, no?


Sure, and this is what HTTPS certificates from a CA are for. If your users are willing to click through the "warning: self-signed certificate" popups, then they're vulnerable, of course. But if they don't make that mistake, then your DNS result is reliable unless someone compromises the CA. Of course, CAs do get compromised.

Or did I miss the point of your comment?


IsTom's comment was about how an HTTP-served page might be modified to make the "secure" links actually point to a non-HTTPS fake login page (for example). This assumes the user will not notice that the connection is not secure (which I think is a fair assumption).

Given that, another attack might be to MITM DNS and serve an entirely fake Amazon site, all in HTTP, and the user will not notice there's anything wrong.

I think that's the point mro and troels were trying to make.

The only way I can imagine to mitigate this would be to use HSTS on the amazon.com home page.
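
The HSTS behaviour the last comment points to, modelled as an added example that is not part of the thread: a simplified browser-side store following RFC 6797 that records a `Strict-Transport-Security` policy only when it arrives over HTTPS and then rewrites later `http://` navigations to that host. `parseHsts`, `HstsStore` and the host `shop.example` are hypothetical names chosen for illustration.

```javascript
// Simplified model of a browser's HSTS store (RFC 6797). Added example;
// shop.example and the header values are constructed sample data.

// Parse a Strict-Transport-Security value; returns null without a valid max-age.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    const v = raw.trim().replace(/^"(.*)"$/, '$1'); // value may be quoted
    if (key === 'max-age' && /^\d+$/.test(v)) policy.maxAge = Number(v);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a policy from a response. A header seen over plain HTTP is ignored,
  // so someone on the path cannot set or clear the policy on an insecure hop.
  noteResponse(url, headerValue, nowSec) {
    const u = new URL(url);
    const p = u.protocol === 'https:' && headerValue ? parseHsts(headerValue) : null;
    if (!p) return;
    if (p.maxAge === 0) this.hosts.delete(u.hostname); // max-age=0 removes the host
    else this.hosts.set(u.hostname, { expires: nowSec + p.maxAge, sub: p.includeSubDomains });
  }

  // Return the URL that would actually be fetched for a navigation.
  resolve(url, nowSec) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return u.href;
    const labels = u.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.hosts.get(labels.slice(i).join('.'));
      // Exact host match, or a parent host that set includeSubDomains.
      if (e && e.expires > nowSec && (i === 0 || e.sub)) { u.protocol = 'https:'; break; }
    }
    return u.href;
  }
}

// Demo: first visit is unprotected; after one HTTPS response the upgrade applies.
const demo = new HstsStore();
console.log(demo.resolve('http://shop.example/login', 0));
demo.noteResponse('https://shop.example/', 'max-age=31536000; includeSubDomains', 0);
console.log(demo.resolve('http://shop.example/login', 60));
```

The first `resolve` call returns the `http://` URL unchanged: until a policy has been recorded over a valid HTTPS connection (or the host is on a browser preload list), the plain-HTTP scenario from the thread is not covered.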



