by dilyevsky 2052 days ago
Yes, I should’ve been clearer that they sign a cert without your knowledge and hand it to someone performing a MITM. How is that risk present when you roll your own PKI and validate against your private CA (or intermediate) only?

Regarding CT, I’m not aware of any clients other than browsers actually enforcing it.


Typically an internal CA adds to the certificate trust store rather than replacing it.
Yes, you are correct here (although I’ve seen both methods). At least a third party won’t easily know which hostnames to fake, though.