Hacker News new | past | comments | ask | show | jobs | submit login

Parent isn't wrong... technically.

Certificate Transparency exists, solely because any CA can issue an SSL cert for any domain, and use it to MITM via a proxy.

You are trusting every CA out there, not just Verisign. That is the ultimate weakness. Any CA can issue a cert for any domain.

Expect-CT header is the only thing protecting you from a MITM, and it's not even a protection, really, and it's trivial to strip that header as the MITM before proxying to the client.

How do you think mitmproxy[0] works?

[0] https://mitmproxy.org/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: