by tomwas54
3113 days ago
No, it doesn't. As mentioned in the article, the attacker successfully requested a TLS certificate for the hostname, which was possible because he could pass a CA's domain validation. I'm not entirely sure, but I think HPKP could have prevented this for returning customers, because Fox-IT would have been able to pin the key of their own certificate. Then the new certificate used by the attacker would have been rejected by the customer's browser.
EV certs would be harder to compromise, but likely not too difficult for a sophisticated attacker. And who really notices if a site that had an EV cert suddenly doesn't? I might for my bank, but likely would not for a software product website.