
The user can just be redirected to another similar looking site with a valid TLS certificate.


How?


https://gmail.com.inbox-redirect.pro

This will seem like a valid website, especially if the phishing site is done well. Not just non-technical users, I'd wager some tech-familiar users would be fooled too.

The focus always being on the lock icon might not always cover it.

Safari will prevent this though.
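The comment above relies on the host `gmail.com.inbox-redirect.pro` looking like `gmail.com` when it is really a subdomain of `inbox-redirect.pro`. The following Python is an added example (not code from the thread) that splits a host into its registrable domain and its subdomain labels, the same split browsers use when they highlight part of the address bar, and flags a watched brand name that appears only in the subdomain part. The suffix set and brand list are constructed stand-ins; a real check would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/). A production check loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "pro", "co.uk"}

# Constructed watch-list of brand names a defender cares about.
WATCHED_BRANDS = {"gmail", "google", "paypal"}


def registrable_domain(host: str) -> str:
    """Return the part of `host` its registrant actually controls: the
    longest matching public suffix plus one more label."""
    labels = host.lower().rstrip(".").split(".")
    # Try trailing candidates from longest to shortest so "co.uk" wins over "uk".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels (conservative guess).
    return ".".join(labels[-2:])


def lookalike_findings(url: str) -> dict:
    """Describe how a URL's host decomposes and which watched brands show up
    only in subdomain labels, i.e. outside the part the registrant owns."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    owner_label = reg.split(".")[0]
    # Everything left of the registrable domain is attacker-chosen on a
    # lookalike host, so that is where the brand string is examined.
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    sub_labels = [label for label in sub.split(".") if label]
    hits = sorted(
        brand for brand in WATCHED_BRANDS
        if any(brand in label for label in sub_labels) and owner_label != brand
    )
    return {
        "host": host,
        "registrable": reg,
        "subdomain_labels": sub_labels,
        "brand_in_subdomain": hits,
    }


if __name__ == "__main__":
    # The host from the comment above, plus a legitimate one for contrast.
    for u in ("https://gmail.com.inbox-redirect.pro", "https://mail.google.com/"):
        print(lookalike_findings(u))
```

The useful output is the `registrable` field: a user (or a mail gateway) who compares that field with the brand they expect sees at once that the lock icon is vouching for `inbox-redirect.pro`, not for `gmail.com`.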


Isn't that why browsers visually distinguish the TLD and the part before it from the rest of the URL?


SSL/TLS downgrade attack when HSTS is not enabled.
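The downgrade the comment refers to is only closed once a browser has cached a valid `Strict-Transport-Security` policy; a header that is missing, has no numeric `max-age`, or sets `max-age=0` leaves plain-http requests eligible for interception. As an added example (not code from the thread), the Python below parses an HSTS header value along the lines of RFC 6797 and reports which of those conditions hold. The sample header values are constructed; the one-year threshold is the minimum the browser preload list requires.

```python
ONE_YEAR_SECONDS = 31_536_000  # minimum max-age for preload-list submission


def parse_hsts(header_value: str) -> dict:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive; valueless directives map to ''."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header_value):
    """Return whether the policy will be enforced by a conforming browser and
    a list of findings a defender would want to act on. Pass None when the
    response carried no Strict-Transport-Security header at all."""
    if header_value is None:
        return {
            "enforced": False,
            "findings": ["no Strict-Transport-Security header: every plain-http "
                         "visit can be intercepted and kept on http"],
        }
    d = parse_hsts(header_value)
    raw = d.get("max-age")
    # RFC 6797: without a valid max-age the whole header is ignored.
    if raw is None or not raw.isdigit():
        return {
            "enforced": False,
            "findings": ["max-age missing or non-numeric: browsers ignore the header"],
        }
    max_age = int(raw)
    findings = []
    if max_age == 0:
        return {"enforced": False,
                "findings": ["max-age=0 clears any cached policy instead of setting one"]}
    if max_age < ONE_YEAR_SECONDS:
        findings.append(f"max-age={max_age} is under one year; policy expires quickly "
                        "and is too short for the preload list")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains remain downgradable")
    if "preload" not in d:
        findings.append("preload absent: the very first visit is still unprotected "
                        "until the policy is cached")
    return {"enforced": True, "max_age": max_age, "findings": findings}


if __name__ == "__main__":
    # Constructed header values, from absent to fully hardened.
    for hv in (None, "max-age=abc", "max-age=0", "max-age=300",
               "max-age=31536000; includeSubDomains; preload"):
        print(repr(hv), "->", assess_hsts(hv))
```

Even the strongest header only helps after one successful https response has been seen, which is why the `preload` finding matters: the preload list ships the policy with the browser so there is no unprotected first request.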



