
Could dodgy sites actually then imitate bank websites, ask the same of users and then commit a MITM attack?

Technically, certificate pinning etc. can prevent this, but in practice, yes, this is a possible attack vector.

But it has little to do with CA validation. If the user understands how to verify the domain and security of the connection the attack doesn't work, and if he doesn't, the Google vs Symantec situation makes no difference either.



