
Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?

There is a cert for it in the logs: https://crt.sh/?q=yandexmetrica.com
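The concern raised above, that a private key shipped inside an app lets anyone who holds the app (and who controls the name, via localhost or DNS) present the real certificate, reduces to one check an incident responder would run first: does a key recovered from the bundle actually correspond to the public certificate seen in the CT logs? The Go program below is an added example, not code from the thread or from Yandex; it constructs its own self-signed stand-in certificate for yandexmetrica.com (a real issued cert would be CA-signed, but the key-matching logic is the same), then reports whether a given key matches it and which DNS names that key could therefore be used to impersonate. The function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseCert decodes a PEM-encoded X.509 certificate.
func ParseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ParseECKey decodes a PEM-encoded EC private key, the form such a key
// would typically take if it were found in an app's resources.
func ParseECKey(keyPEM []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "EC PRIVATE KEY" {
		return nil, errors.New("no EC PRIVATE KEY block found")
	}
	return x509.ParseECPrivateKey(block.Bytes)
}

// KeyMatchesCert reports whether keyPEM is the private key behind certPEM,
// i.e. whether whoever holds this key can complete a TLS handshake with it.
func KeyMatchesCert(keyPEM, certPEM []byte) (bool, error) {
	cert, err := ParseCert(certPEM)
	if err != nil {
		return false, err
	}
	key, err := ParseECKey(keyPEM)
	if err != nil {
		return false, err
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("certificate public key is not ECDSA")
	}
	return key.PublicKey.Equal(certPub), nil
}

// ImpersonableNames returns the SAN DNS names that a holder of keyPEM could
// serve TLS for using certPEM; nil when the key is not the cert's key.
func ImpersonableNames(keyPEM, certPEM []byte) ([]string, error) {
	ok, err := KeyMatchesCert(keyPEM, certPEM)
	if err != nil || !ok {
		return nil, err
	}
	cert, _ := ParseCert(certPEM) // already parsed successfully above
	return cert.DNSNames, nil
}

// MakeSample builds a constructed self-signed certificate for host, its
// matching key, and an unrelated key, so the checks above can run offline.
func MakeSample(host string) (certPEM, keyPEM, otherKeyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed sample value
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	kb, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})
	ob, err := x509.MarshalECPrivateKey(other)
	if err != nil {
		return
	}
	otherKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: ob})
	return
}

func main() {
	certPEM, keyPEM, otherPEM, err := MakeSample("yandexmetrica.com")
	if err != nil {
		panic(err)
	}
	names, _ := ImpersonableNames(keyPEM, certPEM)
	fmt.Println("bundled key impersonates:", names)
	names, _ = ImpersonableNames(otherPEM, certPEM)
	fmt.Println("unrelated key impersonates:", names)
}
```

In a real review you would feed `ImpersonableNames` the key pulled from the app and each certificate returned by the crt.sh query above; a non-empty result is the list of names that now need revocation and reissue, which is the scope the incident report mentioned later in the thread would have to cover.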

Yup definitely. Edit: the diagram makes it perfectly clear https://yandexmetrica.com:30103/p?...

It even looks like some of the certs were issued by Yandex to Yandex. I guess their cert division will end up writing an incident report for this.

Yes, but presumably they aren't hosting anything on yandexmetrica.com, so any attacker might as well register yandexmetrica.net and get an SSL cert for that.

These sites both have the same potential for abuse.
