by frlnBorg 3194 days ago
Why do you say this is not a vulnerability? For me, a layman, it seems like a vulnerability.
1 comments

What about it seems like a vulnerability? At best, this is an avenue for a phishing hack for getting someone to put in a bad URL and then send their credentials. No different than registering and convincing someone to go to facebooksecurityservices.com and log in with their Facebook account.
No certificate validation in "Test A".
As someone else said, public wifi network, DNS hijack and boom, you've got their credentials.
Same as DNS hijacking any website where the user has an account. What's the security issue in Exchange here?
DNS hijacking shouldn't result in credential compromise if TLS is implemented properly. TLS is implemented here, but incorrectly (hold on) because the credentials are sent as soon as the validation fails and a dialog shows up (about the invalid certificate). So the user will realize they are being MITMed but the credentials are sent even if they don't continue.

https://news.ycombinator.com/item?id=15322740