|
|
|
|
|
|
by jakecraige
2297 days ago
|
|
|
It’s not assuming MITM or that the attacker can upload the signature to the site. The attack is that the attacker can reuse the already uploaded signature in a way that allows them to get certificates issued under their account instead of the initial owner. This blog is a little confusing about that since it does read like they are supposed to upload their own sig with the graphic used. This post and linked IETF report is a little more clear: https://www.agwa.name/blog/2015/12 |
|
|