
Btw the same is possible for phishing sites.

It's entirely possible to have a proper SSL connection to a bogus hostname, that is showing the correct website and even interacts correctly.

Bogus MITM decrypts the traffic, logs it, then forwards the traffic once again encrypted to the destination server. Then does the reverse for the response.

"Look for the padlock" is only useful if the actual hostname is correct in the browser.

If I hosted news.ycombnator.com using this and you didn't notice that, I could be proxying just like that. It's possible Cloudflare has protections against this in place, but doesn't every website on earth?

Look at the damned hostname, people.
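
Added example, not part of the comment above: a defender-side check that compares an observed hostname against an allowlist of known-good hostnames and flags near-misses such as the `news.ycombnator.com` case. The allowlist contents, the edit threshold and all function names are assumptions made for illustration.

```python
# Added example: flag hostnames that are near-misses of a trusted hostname.
# TRUSTED and MAX_EDITS are assumptions chosen for illustration.
TRUSTED = {"news.ycombinator.com"}
MAX_EDITS = 2


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "an" typed as "na".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lowercase and drop the trailing root dot so comparisons are canonical."""
    return host.strip().rstrip(".").lower()


def classify(host: str) -> tuple:
    """Return (verdict, matched_trusted_host_or_None) for an observed hostname."""
    host = normalize(host)
    if host in TRUSTED:
        return ("exact", host)
    for good in sorted(TRUSTED):
        if osa_distance(host, good) <= MAX_EDITS:
            return ("lookalike", good)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hostnames, e.g. taken from proxy or DNS logs.
    for seen in ["news.ycombinator.com", "news.ycombnator.com", "example.org"]:
        print(seen, classify(seen))
```

A valid certificate never enters this check: the verdict depends only on the hostname, which is the comment's point. Homograph hostnames built from non-ASCII characters are not covered by plain edit distance.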



