
DNS is very easy to spoof and redirect. There are proposals to secure it (DNSSEC, DNS-over-TLS, DNS-over-HTTPS) but none are widely used and instead the server's certificates are used to both authenticate the correct destination and encrypt traffic to it.

Redirecting traffic is much easier than generating certificates so a valid cert held by a bad actor can be a serious vulnerability.




>Redirecting traffic is much easier than generating certificates so a valid cert held by a bad actor can be a serious vulnerability.

This is bullshit. If you can redirect traffic you can almost always create a certificate unless you can only redirect a very limited set of traffic.

Redirecting traffic is literally all you need in order to be able to use certbot to generate a new cert.
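The thread's point is that controlling where a domain's traffic goes is enough to pass ACME's HTTP-01 challenge and obtain a certificate. The standard control a domain owner has over that step is a CAA record (RFC 8659), which a CA must evaluate before issuing. The following is an added example, not code from either commenter, that walks through the CAA evaluation a CA performs over constructed DNS data (the `ZONE` table, the names under `example.com`, and the CA domains are all made up for the illustration; no network lookups are made):

```python
"""Added example: how a CA evaluates CAA records (RFC 8659) before issuing.

The DNS data below is constructed inline for the illustration; no network
lookups are made.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 128 = "issuer critical"
    tag: str     # issue, issuewild, iodef, or something the CA may not know
    value: str


# Constructed zone data: name -> CAA RRset. Names are lowercase and have no
# trailing dot. Everything here is invented for the example.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),          # only this CA may issue
        CAA(0, "issuewild", ";"),                    # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],     # nobody may issue at all
    "strict.example.com": [CAA(128, "unknown-tag", "x")],  # critical, unknown
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(name):
    """Climb from `name` toward the root and return the first CAA RRset found
    (RFC 8659 section 3). Returns None if no ancestor publishes CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value):
    """The issuer-domain-name part of an issue/issuewild value, ignoring any
    ';'-separated parameters. An empty result means 'no issuer allowed'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(requested_name, ca_domain):
    """Return True if `ca_domain` may issue a certificate for `requested_name`
    under CAA. `requested_name` may start with '*.' for a wildcard request."""
    wildcard = requested_name.startswith("*.")
    fqdn = requested_name[2:] if wildcard else requested_name
    rrset = relevant_caa_rrset(fqdn)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted

    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # For wildcard requests, issuewild records take precedence when present;
    # otherwise the issue records apply to wildcard requests too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA published, but no record restricts this request

    ca = ca_domain.lower()
    return any(issuer_domain(r.value) == ca for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("www.example.org", "letsencrypt.org")]:
        print(f"{name:22} via {ca:16} -> {'permit' if caa_permits(name, ca) else 'refuse'}")
```

CAA only narrows which CAs may issue; if whoever controls the traffic simply uses a CA the owner has allowed, the HTTP-01 challenge still succeeds. Monitoring Certificate Transparency logs for unexpected certificates on your names is the complementary check that catches that case after the fact.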



