Hacker News

What about DNS spoofing[1] at the local network level?

[1] https://en.wikipedia.org/wiki/DNS_spoofing




The spoofer wouldn’t be able to obtain a valid certificate for the spoofed site, though.


The spoofer can obtain a valid certificate for another, seemingly legitimate site. Any software that hasn't explicitly pinned the leaf TLS certificates will still accept the (valid) certificate it is redirected to.

And sadly, a lot of software still doesn't perform certificate pinning.


How is this redirect performed?


When a URL is manually typed in, and HSTS or HSTS-preloading isn't enabled, the initial 301 redirect would be http.


It could just be a 3xx redirect over clear http, right? The http site can redirect to a https site with a similar name.


it might redirect to a malicious web page, but https would still prevent a problem. perhaps read the article you posted.


Only if they are serving HTTPS or HTTPS is pinned. Otherwise, aren't you relying on the user noticing the lack of HTTPS (which I wouldn't want to do)?


The user can just be redirected to another similar looking site with a valid TLS certificate.


How?


https://gmail.com.inbox-redirect.pro

This will seem like a valid website, especially if the phishing site is done well. Not just non-technical users; I'd wager some tech-familiar users would be fooled too.

The focus always being on the lock icon might not always cover it.

Safari will prevent this though.


Isn't that why browsers visually distinguish the TLD and the part before it from the rest of the URL?
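The two comments above, the example hostname `https://gmail.com.inbox-redirect.pro` and the remark that browsers highlight the registrable part of the host, come down to one question: which domain does a certificate actually vouch for? The following is an added example (not code from the thread or from any browser) that extracts the registrable domain (eTLD+1) of a hostname, splits it the way a browser's address bar emphasises it, and flags hosts that merely embed a trusted domain as subdomain labels. `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List, and `TRUSTED_DOMAINS` is constructed sample data.

```python
"""Registrable-domain check for lookalike hostnames.

Added example, not part of the original Hacker News thread.  PUBLIC_SUFFIXES
is a tiny constructed subset of the Public Suffix List, enough to run the
thread's example; a real implementation would load the full list.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of public suffixes (real deployments use the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "pro", "co.uk"}

# Constructed sample of domains the user is known to log in to.
TRUSTED_DOMAINS = {"gmail.com", "google.com"}


def _labels(host: str) -> list[str]:
    """Normalise a hostname into lowercase DNS labels, dropping a trailing dot."""
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 of `host` (the part a registrar actually sold),
    or None if the host is itself a public suffix or has no known suffix."""
    labels = _labels(host)
    # Walk from the longest tail to the shortest so the longest matching
    # public suffix wins (e.g. "co.uk" before "uk").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # e.g. "co.uk" on its own
            return ".".join(labels[i - 1:])
    return None


def split_for_display(host: str) -> tuple[str, str]:
    """Split a hostname into (de-emphasised prefix, emphasised registrable
    domain), mirroring what an address bar highlights.  The prefix is what
    a lookalike host hopes the user reads."""
    reg = registrable_domain(host)
    if reg is None:
        return ("", host)
    prefix = host[: len(host) - len(reg)]
    return (prefix, reg)


def impersonation_warning(host: str, trusted: set[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return a warning string if `host` contains a trusted domain's labels
    but is registered under a different registrable domain.  A certificate
    for such a host is perfectly valid; it is just not the trusted site's."""
    labels = _labels(host)
    actual = registrable_domain(host)
    for trusted_domain in sorted(trusted):
        t_labels = _labels(trusted_domain)
        n = len(t_labels)
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == t_labels and actual != trusted_domain:
                return f"{host} is registered under {actual!r}, not {trusted_domain!r}"
    return None


def check_url(url: str) -> tuple[Optional[str], Optional[str]]:
    """Convenience wrapper: (registrable domain, warning or None) for a URL."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host), impersonation_warning(host)


if __name__ == "__main__":
    for url in ("https://gmail.com.inbox-redirect.pro/login", "https://mail.google.com/"):
        print(url, "->", check_url(url))
```

`registrable_domain` is what a certificate authority's domain validation ends up proving control of, so the warning in `impersonation_warning` is the check a password manager or mail client can apply even when the TLS handshake itself is flawless.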


SSL/TLS downgrade attack when HSTS is not enabled.
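Several comments in this thread (the typed URL whose first request is plain HTTP, the cleartext 3xx that can point anywhere, and the note that HSTS or HSTS preloading closes that window) describe the same browser decision. Here is an added example, not code from the thread or from any browser, that simulates it: an HSTS store fed from `Strict-Transport-Security` headers (RFC 6797 parsing rules for `max-age` and `includeSubDomains`) plus a constructed preload list, and a `navigate` function that reports whether a typed hostname would go out over cleartext, and so be exposed to a spoofed redirect, or be upgraded to HTTPS before any request is sent. All hostnames and the preload data are constructed sample values.

```python
"""Simulated HSTS decision for a typed hostname.

Added example, not part of the original Hacker News thread.  The preload
list is a constructed stand-in for the real browser preload list, and the
hostnames in the usage block are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time, seconds since epoch
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains), or None when the header
    must be ignored (missing, duplicated or non-numeric max-age)."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known-HSTS hosts: a static preload list plus dynamically learned entries."""

    def __init__(self, preload: Optional[dict[str, bool]] = None):
        # preload maps host -> includeSubDomains (constructed data in this example)
        self.preload: dict[str, bool] = dict(preload or {})
        self.dynamic: dict[str, HstsEntry] = {}

    def record_response(self, host: str, hsts_header: Optional[str], now: float) -> None:
        """Apply a header received over HTTPS.  RFC 6797 requires that the
        header be ignored on plain HTTP responses, so callers must only pass
        headers from TLS-protected responses here."""
        if hsts_header is None:
            return
        parsed = parse_hsts_header(hsts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)        # max-age=0 deletes the policy
        else:
            self.dynamic[host] = HstsEntry(now + max_age, include_sub)

    def is_known_hsts(self, host: str, now: float) -> bool:
        """True if `host` or a parent domain with includeSubDomains is known."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry.expires > now and (exact or entry.include_subdomains):
                return True
        return False


def navigate(typed: str, store: HstsStore, now: float) -> tuple[str, bool]:
    """Return (URL actually requested, exposed_to_cleartext_redirect).
    A bare hostname is treated as http://, as browsers do for typed input.
    Ports are left untouched for brevity."""
    parts = urlsplit(typed if "://" in typed else "http://" + typed)
    if parts.scheme == "http" and store.is_known_hsts(parts.hostname or "", now):
        parts = parts._replace(scheme="https")   # upgraded before any request
    url = urlunsplit(parts)
    return url, parts.scheme == "http"


if __name__ == "__main__":
    now = 1_000.0
    store = HstsStore(preload={"preloaded.example": True})
    store.record_response("bank.example", "max-age=31536000; includeSubDomains", now)
    for typed in ("bank.example/login", "www.bank.example", "shop.example", "preloaded.example"):
        print(typed, "->", navigate(typed, store, now))
```

The `exposed_to_cleartext_redirect` flag is the point of the thread: for `shop.example`, which has never sent HSTS and is not preloaded, the first request is plain HTTP and whoever answers for that name on the local network chooses where the 3xx goes; for `bank.example` the policy learned from an earlier HTTPS visit rewrites the scheme before the network is touched, and the policy lapses once `max-age` expires.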



