by StreamBright 2655 days ago
Not really. It just requires HTTPS MITM. It is harder to have a CA that can create a cert that looks like it was issued by the original website you are trying to achieve, but this is standard practice in gov agencies to MITM HTTPS communication. The mitigation of this sort of attack is called certificate pinning.

https://security.stackexchange.com/questions/29988/what-is-c...


That's a fair point. My reply was more in the context of the root comment - and with an average attacker in mind - where they were describing eavesdropping as opposed to an attack carried out by a sophisticated actor.

My point was that MITMing HTTPS and HSTS isn't really necessary to carry out an attack as described by the root comment.

You only need to be in a position to eavesdrop and/or MITM HTTP connections to scrape together the necessary information; a much lower bar.

True, I guess I was just nitpicking. :)