
I would call this a "self-induced man in the middle attack". You're telling your computer that cloudflarechallenge.com is his server.



The point is you can connect to it with HTTPS and your browser doesn't throw up big flashy warnings. It's basically proof that he has got the private key, since he can impersonate cloudflarechallenge.com with regards to SSL.


Yes, of course. That's why it's a successful "man in the middle attack" of sorts. If the cert wasn't trusted then it would mean nothing.


He doesn't have to have the private key, only a private key that was signed by any of the hundreds (counting intermediate CAs, thousands?) of CAs trusted by his browser.


He has to have the private key that matches the certificate he's presenting.

He's presenting the CloudFlare-obtained cert (which the site offers up on request), so the lack of a warning means he's got that private key.

Getting another CA-signed certificate, naming 'www.cloudflarechallenge.com' and matching another private key, would itself be an impressive compromise, though not the challenge CloudFlare made or what he's demonstrating.
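The check being described in this thread is that the cert presented by the override host is the real one and the presenter holds the matching private key. As an added illustration (not from the thread or from CloudFlare), here is a shell check that compares the public key in a certificate against a private key; the cert and keys are constructed locally with openssl so it runs offline, with a self-signed cert standing in for the site's real one:

```shell
#!/bin/sh
# Does a private key belong to an X.509 certificate? A key "matches" only if
# its public half equals the SubjectPublicKeyInfo in the cert. That is the
# property the browser checks in the TLS handshake: a cert from some other CA
# with a different key would not satisfy this against the real cert.
# Usage: key_matches_cert CERT.pem KEY.pem   -> exit 0 (match) / 1 (mismatch)
key_matches_cert() {
  cert_spki=$(openssl x509 -in "$1" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cert_spki" = "$key_spki" ]; then
    echo "match"
    return 0
  fi
  echo "mismatch"
  return 1
}

# Constructed test material (stand-ins, not the real challenge cert or key):
#   real.crt / real.key  - a self-signed cert and the key that produced it
#   other.key            - an unrelated key, like one behind a different CA-issued cert
# Prints the directory holding the files.
make_demo_files() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.cloudflarechallenge.com" \
    -keyout "$d/real.key" -out "$d/real.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" >/dev/null 2>&1
  echo "$d"
}

# Against a live host, the cert to feed into key_matches_cert would come from
# the server itself (the one a hosts-file entry points the browser at), e.g.:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 > served.crt
```
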


See here how to verify that Indutny indeed snatched the private key from Cloudflare’s server: http://dankaminsky.com/2014/04/12/bloody-cert-certified/


CAs will verify that you at least have control over hostmaster@ or an email listed in the WHOIS info for the domain before issuing certs.



