by pfg
3354 days ago
HTTPS with HSTS would be a mitigation for the attack you describe. An attacker would not be able to obtain a valid certificate for the bank's domain, and HSTS would block SSL stripping attacks as well as prevent users from bypassing any SSL warning pages. To prevent it on the server-side (i.e. hijacked DNS or web servers) and/or to prevent rogue CAs from issuing certificates for their domain, they would need to use key pinning (for example via HPKP).
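To make the two mitigations in the comment above concrete, here is an added example (not code from the comment's author) that checks whether a site's Strict-Transport-Security and Public-Key-Pins response headers actually deliver what pfg describes: a long enough max-age, includeSubDomains so subdomains are not left strippable, and at least two valid SHA-256 SPKI pins as RFC 7469 requires (one of them a backup). The sample header values and pin digests are constructed for illustration, and the one-year minimum HSTS age is an assumption matching the browser preload-list requirement, not a value from the comment.

```python
"""Check HSTS (RFC 6797) and HPKP (RFC 7469) response headers for the
properties that make them an effective SSL-stripping / rogue-CA mitigation.

Added example, not code from the original comment. Sample header values
below are constructed; the pin digests are placeholders, not real keys.
"""
import base64
import binascii
from typing import Dict, List, Optional

# Constructed sample headers, as a bank's web server might send them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Public-Key-Pins": (
        'pin-sha256="' + base64.b64encode(b"\x01" * 32).decode() + '"; '
        'pin-sha256="' + base64.b64encode(b"\x02" * 32).decode() + '"; '
        "max-age=5184000; includeSubDomains"
    ),
}

# Assumption: one year, the minimum the browser HSTS preload list accepts.
MIN_HSTS_AGE = 31536000


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a ';'-separated directive list into name -> [values].

    Names are lower-cased (directives are case-insensitive); a directive
    that appears more than once (pin-sha256) keeps every value.
    """
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out.setdefault(name.strip().lower(), []).append(val.strip().strip('"'))
    return out


def _max_age(d: Dict[str, List[str]]) -> Optional[int]:
    """Return max-age as an int, or None if missing/unparsable."""
    if "max-age" not in d:
        return None
    try:
        return int(d["max-age"][0])
    except ValueError:
        return None


def check_hsts(value: Optional[str], min_age: int = MIN_HSTS_AGE) -> List[str]:
    """Return a list of problems with an HSTS header ([] means it is sound)."""
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_directives(value)
    problems: List[str] = []
    age = _max_age(d)
    if age is None:
        problems.append("max-age directive missing or invalid")
    elif age == 0:
        problems.append("max-age=0 disables HSTS")
    elif age < min_age:
        problems.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains stay strippable")
    return problems


def valid_pin(pin: str) -> bool:
    """A pin-sha256 value must be base64 of a 32-byte SHA-256 SPKI digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_hpkp(value: Optional[str]) -> List[str]:
    """Return a list of problems with an HPKP header ([] means it is sound)."""
    if value is None:
        return ["missing Public-Key-Pins header"]
    d = parse_directives(value)
    problems: List[str] = []
    pins = [p for p in d.get("pin-sha256", []) if valid_pin(p)]
    if len(pins) < 2:
        # RFC 7469 requires at least two pins so a backup key can rotate in
        # without bricking the site for clients that cached the old pin.
        problems.append("fewer than two valid pin-sha256 values (backup pin required)")
    age = _max_age(d)
    if age is None:
        problems.append("max-age directive missing or invalid")
    elif age == 0:
        problems.append("max-age=0 clears the pin set")
    return problems


def evaluate(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks over a response-header dict (header names as sent)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": check_hsts(lookup.get("strict-transport-security")),
        "hpkp": check_hpkp(lookup.get("public-key-pins")),
    }


if __name__ == "__main__":
    for name, problems in evaluate(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else problems)
```

Note that neither check can be done offline for the property that matters most in practice: both headers are only honoured by browsers when received over a valid TLS connection, so a site that serves them over plain HTTP gains nothing, and HPKP in particular can lock users out for max-age seconds if the pinned keys are lost, which is why it should be rolled out with a short max-age first.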