by theEXTORTCIST
3310 days ago
AFAIK HSTS doesn't break TLS MITM. A valid X.509 certificate is generated by the attacker (using a Certificate Authority trusted by the victim's browser) for the domain the victim is visiting, and all is well for both TLS sessions (Client<->Attacker, Attacker<->Server). This all relies on the attacker having access to sign certs from the trusted CA. Certificate pinning in the HTTPS client would mitigate TLS MITM (HPKP).
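As an added illustration (not part of the comment above, and not a browser's real implementation), here is a stdlib-only Python sketch of the HPKP pin check the comment refers to. The SPKI byte strings are constructed stand-ins for real SubjectPublicKeyInfo DER; the point is that a chain issued by a trusted-but-unpinned CA passes ordinary X.509 validation yet fails the pin match, and that a UA only remembers pins delivered over a connection that already matches them.

```python
import base64
import hashlib

# Constructed SubjectPublicKeyInfo (SPKI) stand-ins; real ones are ASN.1 DER blobs.
LEAF_SPKI = b"constructed: example.com leaf SPKI"
SITE_CA_SPKI = b"constructed: site's intermediate CA SPKI"
BACKUP_SPKI = b"constructed: offline backup key SPKI"
ATTACKER_CA_SPKI = b"constructed: trusted-by-browser but unpinned CA SPKI"
ATTACKER_LEAF_SPKI = b"constructed: leaf for example.com issued by that CA"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str):
    """Parse a Public-Key-Pins header value into (set of pins, max_age)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return pins, max_age


def chain_matches(pins: set, chain: list) -> bool:
    """Pin validation: any SPKI in the already-validated chain may match a pin."""
    return any(spki_pin(s) in pins for s in chain)


def should_note_pins(pins: set, chain: list) -> bool:
    """RFC 7469: a UA remembers pins only if the delivering chain matches one pin
    and the header also carries a backup pin that is NOT in that chain."""
    fps = {spki_pin(s) for s in chain}
    return bool(pins & fps) and bool(pins - fps)


# Constructed header, as the real site would send it over a genuine connection.
HEADER = (f'pin-sha256="{spki_pin(SITE_CA_SPKI)}"; '
          f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000')

LEGIT_CHAIN = [LEAF_SPKI, SITE_CA_SPKI]
MITM_CHAIN = [ATTACKER_LEAF_SPKI, ATTACKER_CA_SPKI]  # valid X.509, wrong keys


def check(chain: list) -> bool:
    """Would a client holding HEADER's pins accept this chain?"""
    pins, _ = parse_hpkp(HEADER)
    return chain_matches(pins, chain)
```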