
Nobody uses self-signed certs on prod.

But if an attacker has a private key that is trusted by your local trust store, they can pose as a legitimate website (man in the middle) and decrypt your traffic.

The title tells me that this thread is about local https. Nothing to do with prod.




I thought there were varying amounts of trust with certificate stores?

Local dev certs should go into a personal store or something that is less trusted than something like VeriSign. You shouldn't be able to mint a legit-looking Google certificate with the same private key that's only trusted via a local self-signed certificate.

Maybe I don't understand something.


Couldn't mint absolutely legitimate certificates, but legitimate enough to fool the browser and the person who is browsing.


If you have a Certificate Authority in your trust store, then any certificate signed by that CA is trusted by your system.

That is why Google uses key pinning for their services and a list is hardcoded in Chrome, AFAIK.
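The comments above describe the all-or-nothing nature of a CA in the local trust store: once a dev CA is trusted, anything it signs is trusted. The one lever a local verifier does honour is the X.509 nameConstraints extension on the CA itself. The script below, an added example that is not from this thread or any commenter, builds a constrained dev CA with openssl, signs one name inside the permitted subtree and one outside it, and shows OpenSSL's verifier accepting the first and rejecting the second. All names (Local Dev CA, app.dev.local, www.example.com) are constructed for the example; it assumes an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a local dev CA whose nameConstraints
# extension limits what it may sign, checked with openssl. Names are constructed.
set -eu

WORK=$(mktemp -d)

# CA config. The nameConstraints line is what bounds the damage if this CA key
# leaks: only "localhost" and names under .dev.local are permitted.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Local Dev CA (constructed example)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:localhost, permitted;DNS:.dev.local
EOF

openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
  -config "$WORK/ca.cnf" 2>/dev/null

# issue_leaf NAME OUTFILE: sign a server cert for NAME with the dev CA.
# Signing itself never refuses a name; the constraint bites at verification.
issue_leaf() {
  name=$1; out=$2
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$out.key" -out "$out.csr" -subj "/CN=$name" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$out.ext" -out "$out" 2>/dev/null
}

# is_trusted CERT: prints "trusted" or "rejected" as OpenSSL's verifier
# (which enforces nameConstraints) decides with the dev CA as the only root.
is_trusted() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

issue_leaf app.dev.local   "$WORK/good.crt"   # inside the permitted subtree
issue_leaf www.example.com "$WORK/bad.crt"    # outside it

echo "app.dev.local:   $(is_trusted "$WORK/good.crt")"   # trusted
echo "www.example.com: $(is_trusted "$WORK/bad.crt")"    # rejected
```

The point for a local-HTTPS setup is that the constraint travels with the CA certificate, so any client that imports it and enforces the extension (OpenSSL does, as shown) will refuse a leaf for a name outside the subtree even though the signature is valid. A dev CA without that extension is exactly the unbounded trust the thread warns about.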



