by jk700
2077 days ago
That's the thing, they don't seem to bother actually addressing the problem and assume no other interception capability than hacking BGP. But we are talking here about exactly that, i.e. if you can intercept traffic in any other way somewhere close to a website or its nameservers - you can get a valid certificate and use it to MITM its visitors anywhere in the world where you can intercept traffic too. And in the case of using big cloud providers for validation to "improve" security, this still likely pushes traffic from all of them through some big IX before reaching a datacenter with a website and at worst only adds a couple more points an attacker has to intercept traffic at to get the certificate. This is where all that centralization is really bad for security. It basically makes HTTPS a protection only against low-effort MITM of last-mile ISPs.